Managing an Information Security and Privacy Awareness and Training Program
2nd Edition

ISBN 9780429131332
Published August 24, 2010 by CRC Press
568 Pages



Book Description

Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and Training Program, Second Edition provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies. Written by Rebecca Herold, a well-respected information security and privacy expert named one of the "Best Privacy Advisers in the World" multiple times by Computerworld magazine as well as a "Top 13 Influencer in IT Security" by IT Security Magazine, the text supplies a proven framework for creating an awareness and training program. It also:

  • Lists the laws and associated excerpts of the specific passages that require training and awareness
  • Contains a plethora of forms, examples, and samples in the book’s 22 appendices
  • Highlights common mistakes that many organizations make
  • Directs readers to additional resources for more specialized information
  • Includes 250 awareness activities ideas and 42 helpful tips for trainers

Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides the holistic and practical understanding needed to identify and implement the training and awareness methods best suited to, and most effective for, your organization.

Table of Contents

  • Brief History of Corporate Information Security and Privacy Awareness and Training
  • Why Training and Awareness Are Important
  • Legal and Regulatory Requirements for Training and Awareness
  • Incorporating Training and Awareness into Job Responsibilities and Appraisals
  • Common Corporate Education Mistakes
  • Getting Started
  • Establish a Baseline
  • Get Executive Support and Sponsorship
  • Identify Training and Awareness Methods
  • Awareness and Training Topics and Audiences
  • Define Your Message
  • Prepare Budget and Obtain Funding
  • Training Design and Development
  • Awareness Materials Design and Development
  • Communications
  • Deliver In-Person Training
  • Launch Awareness Activities
  • Evaluate Education Effectiveness
  • Leading Practices
  • Appendices

Rebecca Herold, CIPP, CISM, CISA, CISSP, FLMI, is an information privacy, security, and compliance consultant, author, and instructor who has provided assistance, advice, services, tools, and products to organizations in a wide range of industries during the past two decades. Rebecca is a widely recognized and respected information security, privacy, and compliance expert. Some of her awards and recognitions include:

  • Being named one of the “Best Privacy Advisers in the World” multiple times in recent years by Computerworld magazine
  • Being named one of the “Top 59 Influencers in IT Security” for 2007 by IT Security magazine
  • Having her blog named one of the “Top 50 Internet Security Blogs” by the Daily Netizen in 2008
  • Having the information security program she created for the Principal Financial Group, where she worked for 12 years, receive the 1998 Computer Security Institute (CSI) Outstanding Information Security Program of the Year Award

Rebecca was one of the first, and possibly the very first, practitioners to be responsible for both information security and privacy within a large organization, in 1994 in a multinational insurance and financial organization. In 2008 Rebecca helped the European Network and Information Security Agency (ENISA) to create their well-received “Obtaining Support and Funding from Senior Management,” which used much of her “Managing an Information Security and Privacy Awareness and Training Program” information. In 2009, Rebecca was asked to participate in the National Institute of Standards and Technology (NIST) Smart Grid standards committee, and to lead the Privacy Impact Assessment (PIA) activity, the very first performed in the electric utilities industry. Rebecca recently launched the Compliance Helper service to help healthcare organizations and their business associates meet their Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and other information security and privacy compliance and risk mitigation requirements.

Rebecca assists organizations of all sizes and industries throughout the world with their information privacy, security, and regulatory compliance programs, content development, and strategy development and implementation through a large variety of tools and services. She offers a range of standard and customized 1- and 2-day workshops including one addressing how individuals across disciplines can work together to most effectively ensure privacy and regulatory compliance while efficiently implementing security controls. Rebecca is also an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program.

Rebecca has written 14 books to date, over 20 chapters for other books, has published over 200 articles in a wide range of publications, and has released over a dozen podcasts. Rebecca has created customized 1- and 2-day training for the specific needs of many different organizations. Rebecca is the creator and editor of the “Protecting Information” multimedia security and awareness quarterly publication and an effective training event, and released a series of information security and privacy training modules in 2009.

Rebecca serves on the advisory boards for Alvenda (an ecommerce technology company), Subroshare (a subrogation technology tools company), and Wombat Security Technologies (an online information security training company), was invited to be on the prestigious Institute of Electrical and Electronics Engineers (IEEE) ISTAS10 Program Committee, and is on the Norwich University Journal of Information Assurance Board of Review. Rebecca has served as a board and council member of various other organizations, such as MaxMD and I’dCheck. She is also currently participating in the NIST standards committee to help create information security and privacy standards and practices for the U.S. Smart Grid. Rebecca also is often invited to participate in unique activities, such as serving as a preliminary judge for the 2009 American Business Awards.

Rebecca is frequently interviewed and quoted in diverse publications such as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired, Popular Science, CUinfosecurity, Bankinfosecurity, SearchWinIT, Consumer Financial Services Law Report, Computerworld, hcPro Briefings on HIPAA, SC Magazine, SearchSecurity, Information Security, Business 2.0, Disaster Resource Guide, The Boston Herald, Pharmaceutical Formulation and Quality, IT Business Edge, Fortifying Network Security, IT Architect, CIO Strategy Center, Physicians Weekly, IEEE’s Intelligent Systems, Cutter IT Journal, Health Information Compliance Insider, Baseline, Western Michigan Business Review, and others, including several radio interviews and broadcasts, including the “Privacy Piracy” California radio broadcast and the “Michigan Technology News” radio broadcast.

Prior to owning her own business, Rebecca was Vice President–Privacy Services and internal Chief Privacy Officer at DelCreo, Inc. for two years. Prior to DelCreo, she served as Chief Privacy Officer and Senior Security Architect, QinetiQ Trusted Information Management, Inc. (Q-TIM), where she worked since the inception of the company as Securus in November 2001. Prior to joining Q-TIM, Rebecca was the Global Security Practice Central Region Security Subject Matter Expert for 2 years at Netigy (which became ThruPoint in September 2001). Prior to joining Netigy, Rebecca was Senior Systems Security Consultant at Principal Financial Group (PFG).

Ms. Herold began her career at PFG as a Customer Information Control System (CICS) systems analyst, and moved into an IT auditor position. It was at the recommendation of one of her audits that the information protection department was created, and she was asked to help build the department and functions. Her efforts helped PFG to be awarded the CSI Outstanding Information Security Program of the Year Award in 1998. Prior to working for PFG, Rebecca taught secondary school math and computer education in Missouri.

Rebecca has a BS in math and computer science from Central Missouri State University in Warrensburg, and an MA in computer science and education from the University of Northern Iowa in Cedar Falls. Rebecca is a certified information systems security professional (CISSP), a certified information systems auditor (CISA), a certified information systems manager (CISM), a certified information privacy professional (CIPP), and a fellow of the Life Management Institute (FLMI). Rebecca has been a member of the Information Systems Audit and Control Association (ISACA) since 1990 and has held all board positions throughout her membership in the Iowa chapter. Rebecca is a charter member of the Iowa Infragard chapter that was formed in 2000, and a member of the International Association of Privacy Professionals (IAPP). She is also a member of ACM and of IEEE. Rebecca is currently on the Review Board for the Norwich University Journal of Information Assurance and serves on the Advisory Boards of Alvenda, Inc; Wombat Security Technologies; and Claim Catcher. In the past, Rebecca served as a member of the Advisory Board for I’dCheck, LLC and the Advisory Board for MaxMD.

Rebecca is frequently invited to speak at conferences and seminars, and has created and delivered training workshops on behalf of CSI, ISACA, the Information Systems Security Association (ISSA), IAPP, Carnegie Mellon, and the University of California, Berkeley, and customized training for a wide range of organizations. Rebecca has given presentations at internationally attended conferences and seminars since the early 1990s.


The first edition was outstanding. The new second edition is even better - an excellent textbook packed with sound advice and loads of tips to make your security awareness program pull its weight.… engaging and stimulating, easy to read yet at the same time thought-provoking. … chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. …an excellent reference text. Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references. This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.

This book is remarkable because it covers in detail all the facets of providing effective security awareness training…I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner.
—Hal Tipton, from the Foreword

Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways … She demonstrates that security must become a part of job performance rather than being in conflict with job performance… The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training … After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation.
—Donn B. Parker, CISSP, from the Preface

Rebecca Herold, an independent computer security advisor, knows privacy. Not all security consultants do. In her latest book, Managing an Information Security and Privacy Awareness and Training Program, Herold has collected her best advice.
—Privacy Journal

… perfect for lay and professional audiences, this is a guide not for implementing technical necessities but for getting everybody in an organization on board.
—Journal of Productive Innovation