6.6 Instructional Sequences

To address the two different sets of performance objectives, we introduce two instructional sequences below, targeted at two different audiences. The first sequence is dedicated to select IT specialists (10–100), while the second one concerns a very large group (50,000–100,000) including all employees and volunteers who are part of the organization.

The first sequence is planned for a typical learning period of 5 weeks, while the second sequence is expected to span several years.

It is possible that neither of these two learning sequences will require the specific development of e-learning modules. Depending on the number of IT specialists to train, the first sequence may be taught peer to peer, with the support of reference cards and job aids. The second sequence may be supported by a tool, provided by a third-party vendor, that distributes the test phishing emails and associated learning content, probably complemented by customized printable materials.

Module 1: How to Prevent Access to Sensitive Information of Donors

1–2 hours per week over 5 weeks.

Week 1: What is PII?

  • what is not PII
  • how PII identifies individuals
  • the gray areas: what becomes PII when cross-referenced

Week 2: Keeping Payments Confidential

  • the role of payment processors
  • PCI compliance
  • how not to store payment details
  • legal obligations with regard to financial records

Week 3: Workshop with Invited Speaker

A 1-hour workshop with a guest, e.g. a data analyst from the military or an IT specialist from another NGO, sharing tips and experience in dealing with digital threats.

45 minutes of interview followed by 15 minutes of questions from the audience.

Week 4: Managing Access to Files and Databases

  • granting and revoking access to files
  • granting and revoking access to databases
  • creating partial views of tables

Week 5: Masking and Aggregating Data

  • how aggregating data can make sensitive data anonymous
  • and when it doesn't
  • how to replace sensitive information with fake equivalents

Module 2: Gone Phishing

Each learner will receive 1 email every 5 to 10 days, at random intervals. The roll-out will be progressive, starting in the first month with a few hundred learners, including all the learning champions, and adding several thousand employees and volunteers each month. The progress of each learner will be tracked individually to adjust the level of the challenges accordingly, across the 3 levels of difficulty.

Level 1: Each email contains several obvious signs of a scam

  • phishing for credentials through a visibly fake URL
  • phishing through an attached executable program
  • obvious scam scheme requesting an urgent payment from the learner

Level 2: Each email contains only one obvious sign of a scam

  • phishing for credentials through a masked URL
  • phishing through an attached spreadsheet with macros
  • scam scheme requesting an urgent payment to an unknown organization, from a known contact but sent from a free email provider

Level 3: Each email is suspicious without any obvious sign of a scam

  • phishing for credentials through a page which loads a login page only once it is hidden
  • phishing through an email pretending to contain instructions from Horizon IT to download a zip archive and install a new program on the computer
  • scam scheme requesting a list of donor emails for fundraising purposes, sent from the email address of an existing employee
