
212 CHAPTER 8 Information security awareness training

desk, in a drawer, and not looked at by most employees. That is why management is the key to a successful response to the QRG. With their support and endorsement, the QRG will be received by employees with enthusiasm and utilized often once they understand the content and its importance. This is a good way to engage managers in the process of information security. Practicing good physical security and information security is not an employee option. It is a company imperative.

Making information security accessible

I think the most important thing about an information security awareness program is that people know how to contact information security when they have a question or concern. I discovered that our division had an 800 number for managers to set up new employee access (add/change/delete) and for employees to have their access reset. There were several extensions on this number. Why not add an information security awareness extension?

This idea of utilizing our 800 number transformed into a sticker that simply had our name, Corporate Information Security, the bank's color banner, the 800 number and extension, and our info@ email address on it. I had the sticker stitched into the Quick Reference Guide, with a note to associates to remove the sticker and place it on their monitor. We did not have a website developed at that time, but if we had, it would have been included on the sticker too. Today, affixing a sticker to a flat screen may not be ideal, but the idea is to get your division's contact information in front of your employees. So, do not be afraid to be creative.

TIP
When you plant the seeds for success in your program, one simple product can make a big difference.

Associates had a universal way to communicate with us, ask questions and receive guidance.
Over time, we created an index of the most frequently asked questions so that the 800 number operators could answer the question or direct the caller to the answer, which most often was answered in the Quick Reference Guide. If the question was not answered in the QRG and the operator could not answer the question, it was sent to me. You might think that you would become overwhelmed with many calls, but we didn't find that to be the case.

This simple process opened additional doors to implementing the information security awareness program several years later when privacy became a group within the company. When privacy started their awareness program, guess who started receiving their calls from the employees? You got it, we did. Privacy did not have an 800 number. What we learned was that the employee saw information security and privacy as one. That event opened the door for information security and privacy to partner in developing the first web-based training program at the company. We also provided privacy with an extension on our 800 line.

A lesson learned

You will learn many lessons along the road to designing and implementing your information security awareness program. Sometimes, the lesson comes from a very unexpected source. I, along with my boss and CISO, thought we had a terrific