An awareness program should begin with the support of senior management. Ideally the CEO launches the program by sending an e-mail. The CEO's message should briefly summarize threats and state that security is the responsibility of everyone in the organization.
The next step is to create or revise the organization's security policies and require employees to sign them. Job descriptions and performance reviews must also include security responsibilities. All employees should attend an annual security briefing and receive an awareness handbook.
Distribute security awareness tips by e-mail about once every two weeks. Tips should advise on best practices and reinforce policy. Here are a few topics to start off with:
Viruses
Passwords
Workstation security
Continuity
Destruction of sensitive materials
Photography
Systematic removal of accesses
Laptops
Don't be afraid to say no
Piggybacking and tailgating
Social engineers
Operations security
Back up your data
Security incidents
Additional training methods include luncheons, a security web site and awareness posters. Each site should have a security representative to assist in the awareness program and address security incidents. Information security day is another effective way to bring security to the forefront of everyone's mind.
Security audits also raise awareness. Consider implementing office space reviews and annual self-assessment surveys.
The key is to make security a part of everyone's day without being obnoxious or repetitive. An awareness program requires creativity and constant care and feeding.
An awareness program cannot be conducted in a vacuum. Ensure that security does not negatively impact productivity. Consider the current security culture and choose your battles. It takes time to make a change.
Finally, lead by example. If you believe in security and explain why, it is much easier to bring others around to your way of thinking.
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission