"TWISK has strongly increased the efficiency and sustainability of our training and awareness campaigns. ”
FRANZISKA DE ROSA, SWISSCOM, SECURITY MANAGER
Solutions and Services
Information security culture assessment with TWISK®
E-learning on information security with film clips and test
E-learning on data protection with test
E-learning on evacuation
E-learning on the company medical service
Regular assessment of information security culture for ISO 27001 compliance
People: 12‘000 – 20‘000
Assessment questions: 38
Assessment target groups: 28
Awareness topics for IS e-learning: 12
Information Security Culture Assessment
The information security culture was assessed by means of a quantitative staff survey one year after a large-scale awareness campaign. The goal of the assessment was to get an initial status quo measurement and also to measure the reception of the previous awareness campaign.
The survey was rolled out Switzerland wide in four different languages and addressed all employees from staff to senior management.
TreeSolution‘s TWISK®was used for this assessment. A significant part of our knowledge is encapsulated in this comprehensive set of "smart“ tools.
Our TWISK®methodology allowed us to make accurate, in-depth diagnostics of Swisscom’s situation and to pinpoint possibilities for improvement.
The information security culture profiles of the 28 defined target groups were computed and recommendations for target group specific improvement measures were given.
Swiss leading telecom provider – Information Security Culture Assessment & Awareness Program
Swisscom is Switzerland's leading telecom provider. Swisscom has a presence throughout Switzerland and offers a full range of products and services for mobile, landline and IP-based voice and data communication.
Information security is an important aspect in Swisscom’s daily business. Several steps have already been taken to improve the information security for Swisscom and its customers. However, security is an ongoing process, which demands continuous attention.
The management of Swisscom (Schweiz) AG has requested suggestions on steps that can be taken to implement a security awareness program and has sought assistance in a company wide rollout of this program.
Target Group Specific E-Learning Programs
Based on the assessment and a workshop, different information security topics were identified which Swisscom wanted to address with an e-learning course.
An e-learning course covering the twelve most important information security topics was developed. To make it more exciting, some topics have been supplemented with business film clips, showing risks and countermeasures in a motivating and understandable way.
Four topics plus a test have been declared mandatory for every new employee. For existing employees, two topics have been defined as mandatory. Additionally, the different organizational units have had the freedom to choose two additional topics which are important for them. Existing employees have had to work through these four topics and pass the test.
In the following years, the organizational units must choose two additional topics each year which must be worked through.
The information security e-learning course has been favorably received by Swisscom’s employees. Subsequently additional e-learning courses have been implemented during the last years, targeting
company medical service,
The e-learning courses have been developed directly on the e-learning platform of Swisscom, which has allowed tight integration into Swisscom’s infrastructure and learning processes.
Yearly Assessment for ISO 27001 Certification
Swisscom (Schweiz) AG is ISO 27001 certified.
To track the efforts taken for improving security awareness and the success, every two to three years a large-scale security culture survey is conducted, covering all TWISK®topics and all employees of Swisscom.
For the surveys our TWISK®system is used. TWISK®supports the automated and continuous monitoring of the information security culture. Following this structured approach allows Swisscom to see how its investments are being justified.
TreeSolution Consulting GmbH
At TreeSolution, we know that organization-wide implementation of truly effective information security has to be centered on people. So that you can get your information security to where you need it to be, our actions encompass not just technology, but also people, processes and policies — because the best technical procedures in the world will only work if all the people using them have the right information security awareness, behavior and culture.
Our solutions are based on real information, hard facts and years of painstaking research. We've tested and certified every part of the solutions in our catalogue so that you can have complete confidence in what we do. We have a unique focus on the combination of people and technology in information security that sets us apart.
TreeSolution Consulting GmbH is a spin-off of the international institute of management in technology (iimt) of the University of Fribourg in which Dr. Thomas Schlienger specialized in research in information security culture and awareness.