I recently took Jeff Frisk's MGT 525 course on project planning. This is a great class to take if you are going to be working on any large-scale or long-term project, such as a security awareness program. What I liked best about his course is that it brings structure to planning such a program and includes examples of key documents. One of the documents I found most helpful, and now integrate into any security awareness program, is the Project Charter. Those of you already familiar with structured PM processes know what a Project Charter is. If you are not, it is the very first document you work on to get a project officially started. It ensures your project has official approval, gives you access to organizational resources, and sets general expectations. Some key things the Project Charter identifies include:
- Who is the Project Manager, who is in charge of or responsible for the awareness program?
- Estimated budget for your awareness program?
- When do you expect to have your plan finalized, when do you expect to kick off the awareness training?
- What are your program goals and objectives?
- Why are we doing this, how are you justifying the awareness training?
- Key milestones
- Key assumptions or constraints
Too often, security awareness programs have little structure or planning, with messages communicated in an ad hoc and infrequent manner. By starting with a Project Charter, you establish a solid planning foundation. You can download an example of a Project Charter for awareness programs, and other planning documents, with the SANS Securing The Human Security Awareness Planning Kit.