Running Head: SECURITY AWARENESS


Final Project Security Awareness

Terri Y. Hudson

Southern New Hampshire University – IT 552

December 20, 2016

Agency-wide Security Awareness Program Proposal

Introduction

For the organization to comply with the current PCI DSS requirement 12.6, a security awareness program must be in place. The CISO of the organization has an immediate requirement to create an agency-wide security awareness program. As a means of implementing the security awareness program, the organization has conducted a security gap analysis, which is one component of a security awareness program, and it identified ten security findings. As one means of carrying out the program, I will submit this awareness program proposal.

Objective

This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program by handing over the security gap analysis that was done prior to this process. Hence the major aim of this document is to set out a security awareness program that addresses the ten major key security findings. The document will also include a risk assessment of the current security awareness practices and processes. With this document, the organization will be able to have a well-organized maintenance plan. It is also important in establishing and maintaining an information security awareness program (United States, 2000).

Background

The mission of the organization is to provide efficient IT services with the best security program in place, with the aim of protecting the organization's assets.

1. Technical infrastructure

The organization is engaged in a short-term effort aimed at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements and the installation of firewalls and high-end network systems for improved communication. The senior information officer is responsible for overseeing the modernization effort. He has recently completed conducting a security awareness program and the deployment of the organization's LAN (Local Area Network). The hardware in use is Cisco products.

2. Computing Environment

The organization's desktop computers run Windows 2007, 98 and 95. The servers are Pentium-based with over 1 GB RAM. The current NOS (network operating system) is Windows-based.

3. Security Posture of the Organization

The organization has a basic network structure with only one router, which also acts as the firewall. It has several workstations and switches to these workstations. In addition, the organization has installed Kaspersky antivirus on its desktop machines with the aim of reducing external threats. The data server is highly secured with Kaspersky antivirus. For physical security, the server rooms have locks, as do the network closets, and the network cabinet is always locked. The organization is worried about its current security plan because of hackers, spammers and cybercrime. Also, the security plan of the organization has not proved to have the best controls after the current security gap analysis that was conducted.

Security Gaps Findings

From the findings, one of the largest organizational risks is not weakness in the IT infrastructure but the actions and reactions of the employees. This has happened through disclosure of sensitive information by workers and through social engineering attacks. After the gap analysis report, the organization found that confidential customer data and some of the IT assets were at risk. From the gap analysis findings it is evident that the risk of loss of confidential customer information was very high. The risks to information technology assets were classified as moderate. The first of the top ten security findings was the internet, which has become one of the greatest avenues for hackers. The others are data breaches, ransomware, browser plug-ins, viruses, worms, spyware, keyloggers, rogue security software and pharming. Lastly, some organizational factors are contributing to the unhealthy state of the IT assets: for example, poor planning by the organization's CEO for the best IT personnel, poor identification of the critical assets of the organization, wrong mapping of the existing cyber security capabilities across the organization to identify organizational risks, poor assessment of the organization's security maturity level, and poor identification of potential cyber security threats (Roper, 2006).

The best practices in the organizational security program

Assemble the security awareness team. The team will be mandated to ensure the development, maintenance and delivery of the security awareness program. The recommendation is for the team to be well staffed. In addition to this, all employees ought to be trained on the ten security gap findings. The security awareness program ought to have reference materials such as ISO 27002:2013, which outlines the code of practice for information security controls, NIST (National Institute of Standards and Technology) publications, and COBIT 5 (Desman, 2002).

Tasks

Some of the tasks to be performed include producing a general description of the security posture of the organization and a risk analysis, drafting the organization's security deliverables, and outlining the responsibilities of each and every member of the organization in ensuring the security of organizational assets.

Personnel

It is highly recommended that security training includes how social engineering happens and what the consequences are for the organization's IT assets. One of the ways hackers use social engineering is to acquire users' credentials. The program should tailor this awareness to reflect the types of attacks that the organization is encountering and those it may encounter in the long run. As one of the findings from the security gap analysis concerns the confidentiality of customers' data, it is highly recommended that the different ways to safeguard customers' information be covered at the basic level for all personnel. An example is protecting data in both electronic and non-electronic form. Other topics that need to be included in the awareness program are the organization's security awareness policy, the impact of unauthorized access, and awareness of the CHD (cardholder data) security requirements (Gardner, 2014).

Conclusion

This SOW document has highlighted the objective of the SOW. The document has addressed four critical elements which must be addressed in the security program; these are the security posture of the organization, the major findings from the security gap analysis, the human factors which undermine the security of the organization's IT assets, and the organizational factors that contribute to the unhealthy state of the organization. Lastly, I have included what needs to be done in the security awareness program.

Introduction

Information security involves keeping corporate records secure. Policies are used to address the need to protect data from unauthorized access, disclosure, loss, interference and corruption, and they apply to information in both physical and electronic formats. A security policy refers to a well-documented strategy with the purpose of protecting and maintaining access to a person's network and its resources. Adequate security in an organization is the responsibility of management. In this era of high risk of data threats, almost all organizations have taken the initiative to implement security policies in their companies. This paper will address ten available security policies and their importance, which are: access control policies, addressing remote access, encryption and hashing, auditing network accounts, configuration change management, segregation of duties, mandatory vacation, information breaches, media protection, and social engineering (Bowden, February 18, 2003).

1. Access control policies

Access control concentrates on determining the authorized activities of legitimate users, mediating each attempt by a user to gain access to a resource in the system. In several systems, total access is granted upon successful verification of the user, although many systems need more complicated and compound control. In addition to the verification method, such as a password, access control is concerned with how authorizations are designed. In several scenarios, authorization might reflect the organization's structure, while in others it might rely on the sensitivity degree of a range of documents and the clearance degree of the user accessing those documents.

Organizations considering an access control system implementation should look at three abstractions: access control policies, mechanisms and models. Access control policies are high-level requirements that state how access is managed, who has the authority to access information, and under what circumstances. For example, policies might apply to resource usage within or across units of an organization, or might be based on need-to-know, authority, competence, conflict-of-interest, or obligation factors. At a high level, access control policies are enforced through a mechanism that translates a user's request, often in terms of a structure that the system provides (NIST, May 6, 2015).
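The two authorization models described above (clearance versus document sensitivity, and need-to-know within organizational units) can be combined into one small policy evaluator. The following is an added example written for this page, not code from the paper or from NIST; the level names, the `Subject`/`Document` records, the three rules in `evaluate_read`, and the sample users and documents are all constructed assumptions. The evaluator returns the reason for each decision so that denials can be logged and audited.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered sensitivity/clearance levels (constructed for this example).
# A subject's clearance must be at least as high as a document's sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                                 # one of LEVELS
    unit: str                                      # organizational unit
    need_to_know: FrozenSet[str] = frozenset()     # compartments granted


@dataclass(frozen=True)
class Document:
    title: str
    sensitivity: str                               # one of LEVELS
    owner_unit: str
    compartments: FrozenSet[str] = frozenset()     # need-to-know tags required


def rank(level: str) -> int:
    """Position of a level in the ordering; unknown levels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return LEVELS.index(level)


def evaluate_read(subject: Subject, doc: Document) -> Tuple[bool, str]:
    """Hypothetical read policy combining the two models named in the text:
    1. clearance must dominate the document's sensitivity;
    2. every compartment on the document must be in the subject's need-to-know;
    3. 'restricted' documents may only be read inside the owning unit.
    Deny is the default; the reason is returned so it can be logged."""
    if rank(subject.clearance) < rank(doc.sensitivity):
        return False, "clearance below document sensitivity"
    missing = doc.compartments - subject.need_to_know
    if missing:
        return False, "missing need-to-know: " + ", ".join(sorted(missing))
    if doc.sensitivity == "restricted" and subject.unit != doc.owner_unit:
        return False, "restricted document outside owning unit"
    return True, "permitted"


# Constructed sample subjects and documents.
SUBJECTS = {
    "alice": Subject("alice", "confidential", "finance", frozenset({"payroll"})),
    "bob": Subject("bob", "restricted", "it", frozenset({"payroll", "hr"})),
}
DOCUMENTS = {
    "payroll_report": Document("payroll_report", "confidential", "finance",
                               frozenset({"payroll"})),
    "merger_memo": Document("merger_memo", "restricted", "finance"),
    "all_hands": Document("all_hands", "public", "hr"),
}


def decisions() -> Dict[Tuple[str, str], Tuple[bool, str]]:
    """Evaluate every subject against every document (an access matrix)."""
    return {
        (s, d): evaluate_read(SUBJECTS[s], DOCUMENTS[d])
        for s in SUBJECTS for d in DOCUMENTS
    }


if __name__ == "__main__":
    for (s, d), (ok, why) in sorted(decisions().items()):
        print(f"{s:6} -> {d:15} {'ALLOW' if ok else 'DENY'} ({why})")
```

Note that bob outranks the merger memo on clearance alone and still gets a denial: the unit rule is the "organization's structure" dimension the text mentions, and it is checked independently of the level ordering.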

2. Addressing remote access

The importance of this policy is to describe the rules and requirements for connecting to a company's network from any host. These rules and requirements are designed to minimize the company's potential exposure to damage that may result from unauthorized use of the company's resources. Damages include loss of sensitive or confidential company data, loss of intellectual property, damage to critical internal systems of the company, damage to public image, and fines or other financial liabilities incurred as a result of those losses.

The remote access policy applies to company staff, contractors, vendors and agents using a company-owned or personally owned workstation or computer to connect to the company's network. It applies to remote access connections used to carry out tasks on behalf of the company, including sending or reading email and viewing intranet web resources. The remote access policy covers each and every technical implementation of remote access used to connect to the company's networks. It is the duty of company staff, contractors, vendors and agents with remote access rights to the corporate network to make sure that their remote access connection is given the same consideration as the user's on-site connection to the company (SANS Institute, 2014).

3. Encryption and hashing (to control data flow)

The main goal of encryption is to transform data so as to keep it secret from others, in order to control data flow. For example, sending somebody a secret letter that only they can read, or securely sending a password over the internet. Instead of concentrating on usability, the objective is to make sure the data cannot be consumed by anybody other than the intended recipient. Encryption changes data into a different format in such a way that only a particular person can undo the transformation. It applies a key, which is kept secret, in combination with the plaintext and the algorithm, to carry out the encryption. The ciphertext, key, and algorithm are needed to recover the plaintext.

Hashing plays the role of guaranteeing integrity; that is, making it so that if something is changed one will be able to know it. To be precise, hashing takes arbitrary input and produces a fixed-length string. It is used in combination with authentication to give strong proof that a particular message has not been changed. This is achieved by taking a specific input, hashing it, and then signing the hash with the sender's private key. Upon receiving the message, the recipient can verify the signature of the hash with the sender's public key, then hash the message itself and compare it to the hash which the sender signed. If they match, it is the unchanged message, sent by the right person (Miessler, 1999-2016).
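The hash-then-sign flow just described, carried through end to end, as an added example that is not part of the paper or of the cited source. It uses SHA-256 from the Python standard library for the hash and a textbook RSA key built from two constructed primes for the signature, because the standard library has no asymmetric signing; the key size, the missing padding and the reduction of the digest modulo n are simplifications assumed for illustration, and a real system would use a vetted library with a proper signature scheme. What the example shows is the property the text claims: a signature made over the original message verifies, a one-byte change to the message fails verification, and the plain hash alone already detects the change.

```python
import hashlib
from typing import Dict, Tuple

# Constructed key material, for illustration only. Two smallish primes make a
# textbook RSA key with no padding; production code uses a vetted library
# (e.g. 2048-bit RSA-PSS or Ed25519) rather than this toy.
P, Q = 1000003, 999983
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def sha256_hex(data: bytes) -> str:
    """Plain hash: a fixed-length fingerprint of arbitrary input."""
    return hashlib.sha256(data).hexdigest()


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it so it fits the toy modulus."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(private_key: Tuple[int, int], message: bytes) -> int:
    """Sender side: hash the message, then sign the hash with the private exponent."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(public_key: Tuple[int, int], message: bytes, signature: int) -> bool:
    """Receiver side: recover the signed hash with the public exponent,
    hash the received message independently, and compare the two."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest_int(message, n)


def demo() -> Dict[str, bool]:
    """Exercise the flow on a constructed message and a tampered copy."""
    public_key, private_key = make_keypair()
    original = b"Transfer 100 to account 42"     # constructed sample message
    tampered = b"Transfer 900 to account 42"     # one byte changed in transit
    signature = sign(private_key, original)
    return {
        "genuine_verifies": verify(public_key, original, signature),
        "tampered_verifies": verify(public_key, tampered, signature),
        "hash_differs": sha256_hex(original) != sha256_hex(tampered),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The receiver never needs the private key: verification uses only the public exponent, the received message and the signature, which is exactly why a matching result proves both integrity and origin.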

4. Auditing network accounts

Network auditing is the collective set of measures carried out to analyze, study, and collect data regarding a network with the aim of guaranteeing its health in line with the requirements of the organization or network. Primarily, network auditing offers insight into how effective network practices and controls are; that is, their compliance with internal and external network policies and regulations. Auditing network accounts entails checking what user accounts and groups are on every machine, which shares are accessible, and to whom.

Many auditing tools focus on the basic user account information that needs to be included in the audit. These main properties and settings are a good place to begin the audit and will normally consist of the following: workstations, logon script, last time the password was set, whether a password is required, whether the password expires, when the password expires, whether the account is disabled, and last logon time. Given that attacks are possible through a user account that has one or several incorrect and insecure settings, it makes sense to concentrate on user account properties at audit time (Melber, August 4, 2005).
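To make the property list above concrete, here is an added example (written for this page, not code from the paper or from the cited article) that runs an audit over a constructed set of account records carrying exactly those properties. The `Account` field names, the 90-day thresholds and the sample accounts are assumptions; in practice the records would be exported from the directory or local account database and the thresholds taken from the organization's password policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed audit thresholds (hypothetical policy values).
MAX_PASSWORD_AGE = timedelta(days=90)
STALE_LOGON = timedelta(days=90)


@dataclass
class Account:
    """The account properties the text lists, as an export from a directory
    or local account database would present them (field names are this example's own)."""
    name: str
    password_last_set: Optional[datetime]
    password_required: bool
    password_expires: bool
    disabled: bool
    last_logon: Optional[datetime]
    workstations: str = ""        # allowed workstations, "" means unrestricted
    logon_script: str = ""


def audit_account(acct: Account, now: datetime) -> List[str]:
    """Return the policy findings for one account (empty list = clean)."""
    findings: List[str] = []
    if acct.disabled:
        return findings               # a disabled account cannot be used to log on
    if not acct.password_required:
        findings.append("password not required")
    if not acct.password_expires:
        findings.append("password never expires")
    if acct.password_last_set is None:
        findings.append("password never set")
    elif now - acct.password_last_set > MAX_PASSWORD_AGE:
        findings.append("password older than policy")
    if acct.last_logon is None or now - acct.last_logon > STALE_LOGON:
        findings.append("stale account")
    return findings


def audit_all(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Audit every account; only accounts with findings appear in the result."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample data, anchored to a fixed "now" so the result is stable.
NOW = datetime(2016, 12, 20)
SAMPLE_ACCOUNTS = [
    Account("jsmith", NOW - timedelta(days=30), True, True, False, NOW - timedelta(days=2)),
    Account("svc_backup", NOW - timedelta(days=400), True, False, False, NOW - timedelta(days=1)),
    Account("guest", None, False, True, False, None),
    Account("old_intern", NOW - timedelta(days=500), True, True, True, NOW - timedelta(days=300)),
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

The service account is the instructive case: it logs on daily, so it would never show up in a "stale accounts" report, yet a non-expiring password last set over a year ago is precisely the kind of insecure setting the text says attackers exploit.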

5. Configuration change management (to reduce unintentional threats)

Organizations have minimal visibility into the effectiveness of their change management controls over their IT infrastructure. When there is no effective management and monitoring of change controls, the consequences can be distressing. First, reduced availability of key corporate, customer, and financial systems can occur if unauthorized changes or software updates are performed, even if their nature is non-malicious. These operations can impact key functionality, or at times bring down whole systems. As systems must later be taken offline to mitigate a security problem or simply roll back the unauthorized change, this can result in dramatic revenue loss as capital expenditures rise to resolve the problems, and clients are not able to access revenue-producing systems (Constellation Software Engineering, 2015).

6. Segregation of duties

The segregation of duties security policy manages conflict of interest, the appearance of conflict of interest, and fraud. This policy is important since it makes sure that there is separation of various functions and defines authority and accountability over transactions. It is important to effective internal control; it minimizes the danger of erroneous as well as inappropriate actions. This policy limits the amount of power held by one person. It creates a boundary to prevent fraud that might be committed by a single person. Fraud can still occur when there is collusion. To be sure that all segregation of duties problems have been identified, one will first need to develop an information flow diagram for each function in each part of the organization.

Administrators who are responsible should consider the principle of segregation of duties when planning and defining job roles. They must use processes and control procedures that, to the degree practicable, segregate duties among employees and that include effective oversight of operations and transactions. In situations where it is not possible to separate these functions, for instance with a small number of staff, more reliance must be placed on administrative oversight (Iowa State University, 1995-2016).
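Once the information flow diagrams have yielded the list of duties that must not sit with one person, the check itself is mechanical. The following added example (written for this page; not code from the paper or from Iowa State's policy) represents that list as a set of conflicting duty pairs and finds both users whose combined roles give them a toxic combination and roles that are toxic by design. The duty names, the conflict pairs, the roles and the user assignments are all constructed assumptions.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of duties that one person must not hold together (constructed set;
# a real matrix comes from the organization's information flow diagrams).
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"change_code", "deploy_to_production"}),
    frozenset({"administer_logging", "review_logs"}),
}

# Constructed role definitions and role assignments.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "submit_expense"},
    "ap_manager": {"approve_payment", "approve_expense"},
    "developer": {"change_code"},
    "release_eng": {"deploy_to_production"},
    "sysadmin": {"administer_logging", "review_logs"},
}
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["developer", "release_eng"],
    "dave": ["sysadmin"],
}


def effective_duties(user: str, user_roles: Dict[str, List[str]],
                     role_duties: Dict[str, Set[str]]) -> Set[str]:
    """Union of the duties granted by every role the user holds."""
    duties: Set[str] = set()
    for role in user_roles.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def conflicts_in(duties: Set[str]) -> List[Tuple[str, str]]:
    """All conflicting pairs fully contained in a duty set, sorted for stable output."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= duties)


def find_user_violations(user_roles: Dict[str, List[str]] = USER_ROLES,
                         role_duties: Dict[str, Set[str]] = ROLE_DUTIES
                         ) -> Dict[str, List[Tuple[str, str]]]:
    """Users whose combined roles give them a toxic combination of duties."""
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user in user_roles:
        hits = conflicts_in(effective_duties(user, user_roles, role_duties))
        if hits:
            violations[user] = hits
    return violations


def find_toxic_roles(role_duties: Dict[str, Set[str]] = ROLE_DUTIES) -> List[str]:
    """Roles that violate segregation of duties on their own, so that no
    assignment of them can ever be clean."""
    return sorted(role for role, duties in role_duties.items() if conflicts_in(duties))


if __name__ == "__main__":
    print("toxic roles:", find_toxic_roles())
    for user, hits in find_user_violations().items():
        print(f"{user}: {hits}")
```

The `sysadmin` role illustrates the text's small-staff case: the conflict cannot be removed by reassignment because both duties live in one role, so it is the situation where the policy says compensating administrative oversight (for example, a second person reviewing the logging changes) has to carry the control instead.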

7. Mandatory vacation (to mitigate intentional threats)

A mandatory vacation policy helps to detect when staff get caught up in malicious activity, like embezzlement or fraud. For embezzlement activity of any considerable size to be successful, a staff member would need to be constantly available so as to manipulate records and respond to various inquiries. Conversely, if a staff member is forced to be absent for a minimum of five consecutive workdays, the possibility of any illegal activity flourishing is minimized, because another person will be forced to respond to the queries during the staff member's absence.

This policy is not restricted to financial institutions only. Numerous organizations need the same policies for administrators. For instance, an administrator might be the only individual needed to carry out sensitive actions like reviewing logs. A malicious administrator may overlook or cover up some actions revealed in the logs. But a mandatory vacation policy would call for somebody else to carry out these activities and raise the likelihood of discovery (Darril, 2015).

8. Personally identifiable information breaches

Personally identifiable information (PII) means any data that could possibly identify a particular person. Any information which can be used to distinguish one individual from another, or which can be applied to de-anonymize anonymous data, can be considered PII. PII can be grouped into two categories: sensitive and non-sensitive. Sensitive PII refers to information that, when exposed, could cause harm to the person whose privacy has been violated or breached.

Therefore, sensitive PII should be encrypted in transit and when the data is at rest. Examples of such information are biometric information, personally identifiable financial information (PIFI), medical information, and unique identifiers like passport or Social Security numbers. Non-sensitive PII is information which can be sent in an unencrypted format without causing any harm to the person. It can also be gathered with ease from public records, corporate directories, and phonebooks (Rouse, January, 2014).

9. Information breaches

The importance of an information breach procedure is to offer general guidance to employees who manage IT resources in an organization, in order to facilitate quick and effective recovery from security events; to react in an orderly manner to events and perform all required steps to properly handle an event; and to minimize or prevent interruption of critical computing services, as well as reduce theft or loss of sensitive or mission-critical information. The IT security breach notification also applies to breaches involving the organization's obligations under the Health Insurance Portability and Accountability Act (HIPAA) and all of the organization's business associates covered under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act, together with its implementing regulations, strengthens the privacy and security provisions of HIPAA.

10. Media protection and Social engineering

The information security media protection policy establishes the enterprise media protection policy for managing risks arising from media access, media transport, media storage, and media protection, through the establishment of an effective media protection program. The media protection program assists an organization in implementing security best practices in relation to enterprise media usage, storage, and clearing.

Social engineering simply means the act of manipulating people so that confidential information is given up. The kind of information that criminals look for may vary, though when people are targeted the criminals are normally attempting to trick the individual into giving them their passwords or information about their bank, or into giving access to the user's computer so that malicious software can be secretly installed which will give them access to the user's passwords and bank information and provide them control over the personal computer. Security entails knowing whom and what to trust: knowing when and when not to take an individual at their word, when to trust that the person one is talking to is actually the person one thinks one is talking with, when to trust a website, when to trust the person on the phone, and when giving information is or is not a good idea (Criddle, n.d.).

Introduction

Purpose

Continuous monitoring is one of six stages in the Risk Management Framework described in NIST Special Publication 800-137. The purpose of a continuous monitoring program is to determine whether the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continue to be effective over time in light of the inevitable changes that may occur. Continuous monitoring is a critical activity in assessing the security impacts on an information system resulting from planned and unplanned changes to its firmware, software, or environment of operation (Whitman & Mattord, 11 May 2016).

Overall security posture

To understand an organization's security posture, group the significant findings by the class of cyber security that is affected: security awareness, applications, data, business partners and outsourcing, and threat intelligence. These topics serve as a good starting point for important conversations surrounding an organization's security practice, with basic security questions including: what is the organization's greatest security concern, and are its security spending and capability properly apportioned to address that risk? There is no single set of business needs, business risks, most important assets, and so on, that applies to every organization. A security posture that does not tie directly to an organizational goal can lead to security vanity metrics, and does not offer a genuine assessment of where an organization stands (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

Human factors

Human factors adversely affect the security climate; specifically, human qualities and behaviour influence information security and ultimately the related risks. Applying force field analysis helps to understand the driving and restraining forces among human issues and to consider these forces as the goals of, and obstacles to, information security. The analysis will demonstrate the human factors while attempting to understand the present Information Security Management System (ISMS) situation of an organization and its change towards the ideal situation. It will give measures for investing in the factors that satisfy the goals of the ISMS, since the organization is vulnerable to both unintentional and intentional security threats.

Proposal

Establishing and maintaining a secure computing environment is increasingly difficult as networks become more interconnected and data flows ever more freely. In the business world, connectivity is no longer optional, and the possible risks of connectivity do not outweigh the benefits. Consequently, it is essential to enable networks to support security services that provide adequate protection to organizations that conduct business in a relatively open environment (Solms & Solms, 26 Nov. 2008). To provide adequate security for network assets, the procedures and technologies that one deploys need to ensure three things:

Confidentiality: Providing confidentiality of data ensures that only authorized users can view sensitive information.

Integrity: Providing integrity of data ensures that only authorized users can change sensitive information and gives a way to detect whether data has been tampered with during transmission; this may also ensure the authenticity of the data.

Availability of systems and data: System and data availability provides uninterrupted access by authorized users to important computing resources and data.

The unintentional threat that the organization is likely to face is that an authorized user may delete sensitive data by mistake or accidentally. Data may also be corrupted or deleted because of technical failure of hardware, failure of some program running on the computer, sudden failure of the electricity supply, or viruses. The solutions for unintentional threats are: backups of data will be taken frequently, and the backup can be used to recover deleted data; and the latest antivirus software will be used to scan all data coming into the computer (Sutton, 26 Nov. 2014).

With an intentional threat, an unauthorized (or authorized) user may delete sensitive data deliberately. The user may be a disgruntled employee of the organization or any other unauthorized person. Most commonly, hackers can delete sensitive data. A hacker can break the security of the computer system to delete or change data. He accesses data through the computer network using software, tools or other techniques.

The solution for intentional threats:

Only authorized staff who have rights to access the data should be permitted to delete or modify it, after following a well-defined process. Proper password protection should be used. A log file should also be maintained to track all activities performed on the data and files. Authorized users should change their passwords periodically. A strong encryption algorithm should be used so that valuable data is encrypted before it is stored or transmitted over a network; if anybody (an unauthorized person) accesses the data, he will not be able to understand it. Computers and all backup storage devices should be placed in locked rooms, and only authorized users should have access to these resources (Solms & Solms, 26 Nov. 2008).

Work Settings

When people feel that they cannot be themselves at work, they will not engage fully as part of the team or in their assigned work. Organizational leaders will play an important part in setting the tone for the move towards increased diversity and inclusiveness in an organization. An educational approach can dispel many of the fears that people have about addressing diversity. Employees need to know that diversity and inclusion are best supported in an open working environment where mistakes can be used for learning, not for embarrassing or shaming people.

Work Planning and Control

Maintenance work management is the core of maintenance management. It is where the capability of managers, planners and technicians is demonstrated, and where the success and cost-effectiveness of a maintenance management system are determined. An effective work planning and control process or system will identify and approve all the maintenance work to be done (both strategic and non-strategic), match it with the required resources through proper planning, schedule when it will be done, allocate the tasks to skilled people, and ensure that it is done effectively and efficiently. Finally, the work details and costs will be captured for reporting and analysis purposes (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

Communication Plan

A corporate security awareness program aims to make all employees understand and appreciate not only the value of the company's information security assets but also the consequences if these assets are compromised. In principle, the process is clear and simple.

Communication strategies

Interpersonal Communication

One of the most important, if not the most important, types of communication a manager will take part in regularly is interpersonal communication. The benefits of interpersonal communication skills are:

Detailed information: When dealing with a complex issue, email falls short. There is a lot of back and forth that can lead to misunderstandings and incomplete exchanges that result in mistakes. It is better to get up from your desk, talk face to face, and clear up the details.

Significant tasks: When working on major activities, direct communication can avoid problems and emphasize key points. For example, during conversations additional issues may arise, which can be addressed directly. You finish the conversation sure that you have a grasp of the new information.

Better understanding: Face-to-face communication allows you to observe body language and how somebody reacts emotionally to your ideas. Since much of communication is nonverbal, one will gain a fuller understanding of colleagues' perspective and point of view, something you cannot get from a computer screen or cell phone.

Persuading Stakeholders

The most important step will be to identify and understand stakeholders' level of interest; it allows one to enlist them as part of the effort. Using interpersonal communication skills will increase the odds of success for the security collaboration. For all of the above reasons, identifying stakeholders and responding to their concerns makes it much more likely that collaborations will have both the stakeholder support they need and the appropriate focus to be effective (Sutton, 26 Nov. 2014). Interpersonal communication techniques will also make room for a question and answer session, since it is a one-on-one style of communication, making it easy to clarify further and to demonstrate to stakeholders the benefit of investing in the proposed technology.

Conclusion

The combination of preventive and detective monitoring controls is essential in building a successful continuous monitoring program. The successful implementation of a continuous monitoring program will require ongoing commitment through leadership support, authorizing official authorization, and system owner responsibility. A well-designed and well-implemented continuous monitoring program can enhance the quality of an organization's information security program by giving management current, meaningful information on the security posture of its IT assets (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

References:

United States. (2000). Summary statement of work. Washington: National Commission on Air Quality.

Desman, M. B. (2002). Building an information security awareness program. Boca Raton: Auerbach Publications.

Gardner, B., & Thomas, V. (2014). Building an information security awareness program: Defending against social engineering and technical threats. Waltham, Massachusetts: Syngress.

Roper, C. A., Grau, J. J., & Fischer, L. F. (2006). Security education, awareness, and training: From theory to practice. Burlington, MA: Elsevier Butterworth-Heinemann.

Bowden, J. S. (February 18, 2003). Security Policy: What it is and Why – The Basics. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/policyissues/security-policy-basics-488

Constellation Software Engineering. (2015). Minimize Risk and Downtime With Change Management Controls. CSE. Retrieved from https://www.cse-corp.com/cybersecurity-change-management/

Criddle, L. (n.d.). What is Social Engineering? WEBROOT. Retrieved from https://www.webroot.com/ie/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering

Darril. (2015). Mandatory Vacations. Get Certified Get Ahead. Retrieved from http://blogs.getcertifiedgetahead.com/mandatory-vacations/

Iowa State University. (1995-2016). Segregation of Duties. Retrieved from http://www.policy.iastate.edu/policy/duties

Melber, D. (August 4, 2005). Auditing User Accounts. Windows Security. Retrieved from http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Auditing-user-accounts.html

Miessler, D. (1999-2016). Encoding vs. Encryption vs. Hashing vs. Obfuscation. Retrieved from https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/#gs.0kQuJwE

NIST. (May 6, 2015). Access Control Policy and Implementation Guides. Computer Security Division Security Resource Center. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/projects/ac-policy-igs/index.html

Rouse, M. (January, 2014). Personally Identifiable Information (PII). TechTarget. Retrieved from http://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information

SANS Institute. (2014). Remote Access Policy. Consensus Policy Resource Community. SANS. Retrieved from https://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy

Agarwal R. and Prasad J. 1998.A conceptual and operational definition of personal innovativeness in the domain of Information Technology, Information Systems Research,Vol. 9, no. 2:204-215.

Bandura, A. 1989 Social cognitive theory, In R. Vasta (Ed.), Annals of child development.Vol.6. Six theories of child development (pp. 1-60). Greenwich, CT: JAI Press.

Garson, B. 2005. Work addiction in the age of information technology: An analysis. IIMB Management Review, Vol. 15: 21

McCue, K. 2008. A comparison of employee benefits data from the MEPS-IC and form 5500. Working Papers 08-32, Center for Economic Studies, U.S. Census Bureau.

Murray, B. 1991. Running corporate and national security awareness programmers. Proceedings of the IFIP TC11 Seventh International Conference on IS security: 203-207.

IT 552 Executive Summary Rubric

Executives in today’s business environment have limited time available to research and absorb information. In order to optimize their time, executive summaries are becoming increasingly important. They allow readers to speed read a report and gain the focus and insight needed. Your executive summary should:

• Cover the main points

• Provide a conclusion and/or make recommendations

Prepare an executive summary presentation of your final project. It should summarize the final project so it can be presented to the board of a particular company. Use this guide to writing an effective executive summary as a resource to prepare your content and message for your presentation. The presentation should contain about 7–10 slides with either audio (voice over) or detailed speaker notes. Consider and apply the following principles of an effective presentation:

• You may utilize a product such as Microsoft’s PowerPoint, Prezi, or Google Slides to create your presentations.

• There are various template designs that you can find on the internet for your presentation. However, first consider your presentation from the audience’s perspective prior to selecting a specific style. Distracting backgrounds, large blocks of text, all uppercase fonts, elaborate font styles, grammatical errors, and misspellings are distracting. Be consistent with the style of text, bullets, and sub-points in order to support a powerful presentation that allows your content to be the focus.

• Each slide should include your key point(s). Do not place large blocks of text on the visual. Your presentation is not a means of presenting a short paper. In an actual presentation you would not read from your slides but use them as prompts.

• Any notes or narration you would use in delivering this presentation to a group should be listed in the notes section of the slide.

• References should be listed at the bottom of the slide in slightly smaller text.

• Use clip art, AutoShapes, pictures, charts, tables, and diagrams to enhance but not overwhelm your content.

• Be mindful of the intended audience and seek to assess the presentation’s effectiveness by gauging audience comprehension (when possible).

The following links offer helpful tips and examples for developing presentations:

• Making PowerPoint Slides

• Really Bad PowerPoint (and How to Avoid It)

Remember:

• Your feedback and comments should be constructive, featuring a discussion of the strengths of the presentation as well as areas that could be improved.

• Keep the tone of your comments positive and constructive. You are reviewing the presentation, not the person. Follow-up should focus on receiving clarification on edits and feedback, or should lead to a discussion contrasting approaches. Constructive and friendly follow-up is optional, but encouraged.

Rubric Instructor Feedback: This activity uses an integrated rubric in Blackboard. Students can view instructor feedback in the Grade Center. For more information, review these instructions.

Critical Elements are graded at four levels: Exemplary (100%), Proficient (90%), Needs Improvement (70%), and Not Evident (0%). The Value column gives each element's weight.

Executive Summary (Value: 35)

Exemplary (100%): Meets “Proficient” criteria and provides very clear, succinct, and well-presented information

Proficient (90%): Provides an executive summary that identifies the main points of the report using appropriate detail

Needs Improvement (70%): Provides an executive summary but does not clearly identify the main points of the report as there are gaps in organization and detail

Not Evident (0%): Does not provide an executive summary

Presentation Format (Value: 20)

Exemplary (100%): Meets “Proficient” criteria and presents the information in a clear and succinct manner

Proficient (90%): Provides a presentation that illustrates the main points of the report using appropriate detail

Needs Improvement (70%): Provides a presentation that does not clearly illustrate the main points of the report as there are gaps in organization and detail

Not Evident (0%): Does not provide a presentation

Peer Review: Suggestions (Value: 25)

Exemplary (100%): Meets “Proficient” criteria and provides highly relevant suggestions using specific examples

Proficient (90%): Provides meaningful, specific suggestions, asking relevant questions when appropriate

Needs Improvement (70%): Provides insufficient suggestions, asking peers limited or vague questions

Not Evident (0%): Does not contribute suggestions

Timeliness (Value: 10)

Exemplary (100%): Submits initial post on time by Thursday at 11:59 p.m. EST

Proficient (90%): Submits initial post by Friday at 11:59 p.m. EST, one day late

Needs Improvement (70%): Submits initial post by Saturday at 11:59 p.m. EST, two days late

Not Evident (0%): Submits initial post by Sunday at 11:59 p.m. EST, three days late

Writing (Mechanics) (Value: 10)

Exemplary (100%): Meets “Proficient” criteria, and responses are concise using appropriate language and theory specific to the profession

Proficient (90%): Able to write respectful, clear, and coherent commentary that can be easily understood by peers

Needs Improvement (70%): Able to write commentary that can be understood by peers

Not Evident (0%): Does not provide coherent commentary

Earned Total: 100%

Navy and Marine Corps Public Health Center • Environmental Programs

A Guide to Writing an Effective Executive Summary

Appendix E

Communicating health and environmental information can be challenging for any number of reasons. Occasionally, our audiences may lack a scientific understanding and have a general distrust of the government. Risk Communication theory provides guidance for developing and presenting scientific information in a way that non-technical audiences will better understand and are more likely to accept.

The Navy and Marine Corps Public Health Center’s (NMCPHC) Environmental Programs Department has been the Navy’s subject matter expert for Risk Communication since its inception in 1991. This booklet is one of several products developed by NMCPHC to help Navy scientists and engineers communicate effectively with non-technical audiences.

Mission: Ensure Navy and Marine Corps readiness through leadership in prevention of disease and promotion of health.

A technical report is often the result of extensive research, testing, analysis and writing. The results are important and the conclusions or recommendations may affect an entire community, change the way we do things, or lead to further studies or investigations. It is up to you, the expert, to help others understand your technical report.

Public right-to-know legislation means that part of your job is to communicate important information to all of your stakeholders. For your report to be useful, it has to be accessible to many audiences. The Navy, Federal, State, and local Government regulators, or the public may make important decisions based on your report. Before that can happen, they need to be able to fully understand your methodology, conclusions and recommendations.

A simple and clear executive summary can help non-technical and technical audiences better understand your report. An effective executive summary should consider the audience and give readers a quick summary of the report’s content.

Your goal is to write an executive summary that is logical, clear and interesting, and helps build your trust and credibility with your audiences. The next few pages of this booklet will help you meet that goal.

Introduction

What is an executive summary?

When do I need an executive summary?

How does an executive summary look?

Why do I need an executive summary?

Executive summaries are an important part of many documents. Ideally, an executive summary should be a part of any report or document that is lengthy, complicated or highly technical.

Executive summaries are usually the first section of many different documents including:

• Technical reports

• Research papers

• Academic articles

• Scientific reports

• Environmental studies

• Health risk assessments

Executive summaries are also great tools when complex reports need to be presented to a number of different audiences including:

• General public

• Governing agencies

• Regulators

• Media

• Managers

• Other audiences who may not have the expertise to understand all of the content of a highly technical report

In fact, some organizations send an executive summary instead of a complete report when there is a large audience interested in the report. The audience can read the executive summary and then request a copy of the complete report if they want more information.

This approach can save resources on photocopying and distribution, while providing important information to audiences that might not read a complex or lengthy report.

The purpose of an executive summary is to consolidate the principal points of a document in one place.

An executive summary should be written so that any reader, regardless of their technical knowledge, can understand the contents of the report and the relevance of the findings and recommendations.

Typically, the executive summary is a tool to give readers an overview of the document, its purpose and main conclusion.

Since important decisions are often made from these reports, the executive summary is a tool to provide relevant information for decision making to an audience that may not have the time or technical expertise to read and understand the entire report.

An executive summary can provide a quick read and enough information to understand the contents and relevance of the report.

There is a sample executive summary on the next page with a breakdown of some of the elements and an explanation of their purpose.

In the following sections, there are guidelines for writing an effective executive summary and some tips to keep in mind.

[Sample of an Executive Summary: the annotated sample page is an image and is not reproduced in this text]

How Do I Write an Executive Summary?

1. Content

An effective executive summary should be written using language that the intended audience can understand and read independently from the report. It should briefly summarize every main section of the report and include references to the main document (i.e., appendices or page numbers) that direct readers if they require more detailed information.

The executive summary should begin with a concise summary of the conclusion reached within the report.

The executive summary does not report any of the data, but briefly explains the methodology and results. References to the main document can be used to direct readers to data charts should they wish more information.

Summarize the purpose of the report, the problem addressed and the findings and recommendations in concise and plain language. Where technical language is necessary, be sure to include definitions and explanations.

After summarizing the entire report, end the executive summary with a short paragraph that explains any recommendations for action. This paragraph should provide a short analysis or justification for the proposed action in terms the audience will consider important (i.e., health, monetary, or ethical).

An executive summary should be less technical in terminology than the complete report and include all of the relevant findings and information from the report. While it can be a daunting task to reduce a lengthy report to a compact form, there are tips to help determine the best approach:

• Use the report’s title and subheadings as a useful tool for organizing the summary and deciding what is most important.

• Look at the beginning and ending of paragraphs for key points. Scan for words that alert the reader to important elements, such as first, finally, therefore, and principal.

• Highlight key points within the body of the report that outline the purpose/central theme of the report.

• Prepare a bullet form outline of the summary. Then, edit the outline to eliminate secondary or minor points. Use your judgment as to what is important, but keep the summary concise.

• Write the executive summary in your own words, using a professional but plainspoken style.

Four major points to include in your executive summary:

1. A summary of the report’s main conclusions and justification for recommendations

2. An explanation of the problem studied

3. A summary of the process used to study the problem

4. An outline of the recommendations or decisions

2. Style

An effective executive summary should be written in plain language that the intended audience can understand.

Avoid industry/technical jargon: Technical words and phrases that you use every day can confuse and frustrate a non-technical audience. Avoid technical terms wherever possible. When they cannot be avoided, include a clear and simple definition in the executive summary. Or better yet, substitute the definition for the word.

Keep sentences short and to the point: Read over long and complicated sentences in the summary and determine the main idea. Rewrite the sentences by separating different ideas into shorter sentences. Your goal is to ensure the main point is simple to understand and immediately apparent.

Replace complex words with simple, everyday words: Write your executive summary as if you were explaining your report to a student in 8th grade. You can replace words like ‘accomplish’, ‘optimum’ and ‘strategize’ with words like ‘do’, ‘best’ and ‘plan’ without oversimplifying the content. Most common word processing software, such as Microsoft Word and WordPerfect, contains features that will evaluate the reading grade level of your document.

Use acronyms carefully and always define them: Although acronyms are common in the military and technical fields, the public is usually unfamiliar with them and the concepts they define. Avoid using acronyms when possible, especially in the executive summary, because they can confuse and intimidate your audience. When they are used, be sure to define acronyms the first time they are used in a document. Keep in mind that someone unfamiliar with the acronym is likely to forget it quickly, so only use it if it is found repeatedly throughout the document. Also, remember to be consistent with the style you use for acronyms throughout the entire document (i.e., D.O.D., DoD, DOD).

Use an appropriate tone: Avoid using vague or emotional language. Instead, stick to the facts and avoid confusing statements. See the examples on page 7.

Questions to ask yourself as you write an executive summary:

• What is the report about?

• Why is it important?

• What is the main idea in each section?

• What research was done to address the problem?

• How does the research support the conclusion and recommendations?

Real life examples

Avoid industry jargon and keep sentences short and simple:

Instead of…”Baseline psychometric testing will be conducted prior to the administration of the medication, followed by a repeat assessment after drug administration, in order to determine whether there are any objectively measurable neuropsychiatric efforts associated with this drug.”

Consider...”The drug will be tested for side effects.”

Replace complex words with simple, everyday words:

Instead of…”Following revegetation, any disturbed areas will be reoccupied by a like assemblage of alien avian and mammalian species.”

Consider…”After the plants grow back, the birds and animals will return.”

Use an appropriate tone:

Instead of…”You cannot claim your expenses for outside accommodation or meals, unless you can prove you did not have access to quarters and rations on the base.”

Consider…”You can claim expenses if accommodations and meals are not available on base. Please keep your receipts.”

3. Format

Since an executive summary is usually the first section of a report, it should be formatted consistently with the document it summarizes. Here are some guidelines to help format an executive summary:

Length: Ideally, an executive summary should be one or two pages long with a maximum of three pages. However, in some instances, a longer technical summary may be necessary. When necessary, the technical summary should be a maximum of 10% of the report it summarizes (a 100-page report may be summarized in 10 pages). The shorter executive summary (three pages maximum) should still be included.

Titles: Title your document EXECUTIVE SUMMARY and center the title two inches from the top of the page. Include the exact name of the report immediately below it.

Subheadings for each section in the executive summary will help enhance its readability. Use the same subheadings as the report and provide a brief explanation of the most important information from each section.

The elements included in an executive summary, and the amount of space dedicated to each element, will depend on the purpose and nature of the document.

The following is a list of elements that may be included in an executive summary.

1. Purpose and scope of report – Objective

2. Conclusion or Summary of Findings

3. Background

4. Process

5. Recommendations

6. Other supporting information

Paragraphs: Keep paragraphs short and summarize multiple ideas within a paragraph as bullet points or a numbered list. This will enhance the readability of the summary and allow readers to digest complex information.

Fonts and Spacing: Because it is the first section, the executive summary should have the same general look as the rest of the report. Use the same font type for the body of the executive summary as in the report. Make sure the font size is at least 12 pitch and that paragraphs are double-spaced between each section so that the document is easy to read.

Contact Information

In addition to the full name of the report at the top of the executive summary, be sure to include the date, name of the authors and their organization as well as the name of the organization that commissioned the report.

At the bottom of the executive summary, provide the following information:

• Contact name

• Phone number

• Mailing address

• E-mail address

• Website address where the full report may be available

The contact name can be the point of contact from the organization that commissioned the report or the authors of the report. This name should be included so that readers can follow up if they have any questions or want copies of the entire report. If the purpose of the report is to fulfill a legal requirement, include the names of the appropriate regulatory agencies (i.e., this report has been submitted to the Environmental Protection Agency).

How Do I Know When I am Finished?

4. Review and Edit

Proofread and Simplify: Once the draft executive summary is finished, be sure to proofread and spell check the document. Read the summary over again carefully, keeping in mind the 8th grade reading level recommendation. Look for any complex terms or sentences that should be edited and unnecessary information that can be removed.

Double-check the Accuracy: The authors of the report should always review the executive summary to ensure you have accurately captured the main points and correctly interpreted the conclusions and recommendations in the executive summary.

Test your Summary: Keeping confidentiality and security issues in mind, ask someone who is not familiar with the report, and does not have a technical background, to review the executive summary. They can tell you if the executive summary is clear and understandable to an unfamiliar audience. This extra step will help ensure that the executive summary can communicate independently of the report.

Top Ten Tips

1. Keep it simple

2. Keep it short

3. Avoid technical language, jargon, and acronyms

4. Use subheadings and bullet points

5. Highlight main points

6. Provide conclusions and recommendations

7. Consider your audience

8. Avoid confusing or emotional language

9. Proofread and spell check

10. Be logical, clear and interesting

Where Can I Get More Information?

Other risk communication publications and services available from NMCPHC:

• Risk Communication Primer

• Guide to Hosting a Public Meeting

• Fact Sheet & Press release Preparation

• Development of Posters and Visual Media for Scientific Technical Information

• Correspondence Development/Review

• Health and Environmental Risk Communication Training Workshops

• Community Outreach Services (Technical Posters)

• Technical Posters Review and Development

• Verbal Communication Development and Facilitation Services

Please contact the Navy and Marine Corps Public Health Center for additional information or assistance.

Visit our website at:

http://www-nmcphc.med.navy.mil/Environmental_Health/


Navy and Marine Corps Public Health Center

620 John Paul Jones Circle, Suite 1100 Portsmouth, VA 23708-2103

Phone: (757) 953-0932 Fax: (757) 953-0675

www-nmcphc.med.navy.mil
