
Chapter 1

Snow White Builds an Awareness Program

Snow White has just been promoted to GRC Analyst at Seven Dwarfs Mining, a 400-person mining and refining company headquartered in the Black Forest. Last quarter, Grumpy clicked a link in an email claiming to be from the Queen's Royal Bank, exposing payroll data for the entire mining crew. The CEO, Doc, has asked Snow White to stand up a formal security awareness program before the next audit.

Snow White's first task is to write the documentation that will govern the program. She knows the company already has a high-level board-approved statement saying "Seven Dwarfs Mining will protect customer and employee information." What it lacks are the mandatory rules, the step-by-step instructions for the help desk, and the recommended (but optional) tips for the dwarfs working remotely from the mine.

She also needs to pick the right metrics, choose a phishing simulation cadence, and decide which framework to align her control objectives against. The audit committee has signaled they care most about IT process maturity rather than ITSM service delivery.

Help Snow White complete her plan by selecting the correct option for each blank.

The board's high-level intent statement is a ________. The mandatory rule that all employees must complete annual training within 30 days of hire is a ________. The help desk's exact click-by-click steps for resetting a locked account belong in a ________, while the optional remote-work tips Snow White wants to publish on the intranet are best classified as a ________.

To measure whether awareness is improving, Snow White will track the ________ on monthly simulated phishing campaigns. Because the audit committee cares about IT governance maturity, she will align her control objectives to ________ rather than the alternative service-management framework. Finally, to make sure responsibility for incident response is unambiguous across Doc, Grumpy, and Snow White herself, she will document roles using a ________.