In today’s business environment, information security and protection of information assets are vital to the long-term success of all organizations. Information is the lifeblood of corporations and a vital business asset. IT systems connect every internal department of a company and connect the whole company to myriad suppliers, partners, customers, and others on the outside, too.

Still, problems with IT—from system failure to data breaches to improperly altered applications—happen almost every day. Security breaches in particular can be disastrous for a company, and most companies do not adequately address one of their most common causes: human error. In this article, I explore how workforces should be educated about IT security and how to determine whether they “get it.”

Rating Your IT Security Program

How do you get started figuring out how well your company performs on information security? This checklist will get you started:

Has your organization implemented a comprehensive information security program?

Does your organization have robust and effective information security policies, procedures, and controls? Are they enforced?

Does management promote an ethical culture? Would you say your workforce follows management’s lead to create a strong ethical culture?

Does the information security program reflect the risks and complexity of the organization? Are risk assessments occurring?

Does the program actively identify new ways of protecting the organization from harm based on emerging threats?

Are the security measures and controls regularly tested for operational effectiveness, and are corrective actions occurring?

Is the effectiveness of your information security and privacy training measured throughout the entire training lifecycle, from needs assessment through delivery to follow-up?

Is performance being measured and reported to senior leadership and other key stakeholders?

How does the organization’s security compare with other well-run similar organizations?

Was your security program evaluated in the past 18 months?

If you answered “yes” to all the above questions, congratulations! You’re well on your way to an effective and sustainable information security program. Now, answer four more questions that will help move you to the head of the class:

Does your program include ongoing security awareness?

Do appropriate staff members get security education appropriate for the jobs they perform?

Do members of the management team and workforce understand what good security practices are? How do you know?

Are you assessing and measuring the results of your security education and awareness efforts?

The Role of Internal Auditors

An effective internal audit function improves the company’s ethical culture and control environment, both overtly through its audit work and in a more general sense by promoting good practices. Internal audits of information security awareness can provide valuable feedback to management and the board about where overall performance can be improved, which then also contributes to more effective information security program results—definitely a win-win.

Audit work should include evaluating the organization’s various security education and awareness efforts. If management and staff are not being regularly informed of emerging threats and risks, how can security be properly implemented on a sustainable basis?

An audit should compare good security practices to what is currently happening within the organization and review the results too. In other words, is quality training being provided, and is real learning happening?

Staff Involvement

Education is the formal training class that a system administrator might attend to learn, for example, how to apply Microsoft profiles to control changes to the desktop. Awareness is the program a company puts in place to remind employees, through repeated communication and at least one in-person update a year, of policy, the procedures that support policy, and the practices they must follow to comply with company policy.

Awareness is both formal and informal. “Formal” is the 20-minute annual awareness session; “informal” is the excerpt in the company newsletter, the security awareness e-mail, and the reminder of special days such as Global Security Awareness Week.

A good method to deliver that security awareness message to the workforce is first to educate them on the actions they can take to protect themselves personally from the issues that face individuals today. These include such things as identity theft, phishing attacks, and proper precautions to take when sharing personal information online. Provide this information in the training sessions; make the process personal.

More security education and awareness practices are presented below; numerous others are available in the resource sidebar.

1. Regularly provide updated threat information to management and staff. Some common concerns today include password theft, laptop theft, infected e-mails, “shoulder surfing,” and dumpster diving. Clear communication channels that keep everyone informed of the latest threats, and of changes in previously known threats, encourage the workforce to be better prepared and to consider new security measures where they are beneficial. Often an educated and motivated workforce is your best defense.

2. Explain the possible consequences of security incidents in business terms. Your company or its workers could endure identity theft, equipment theft, loss of productivity, loss of competitive advantage, increased staff turnover, compliance fines, loss of reputation, loss of data, and eroded customer confidence. The list is long, but the workforce absolutely must know what the effects on the business could be. Making it “personal” and demonstrating the possible hit to operations reinforces support for good information security practices.

3. Provide comprehensive, role-based courses to those managers and staff who require the latest knowledge of good security practices. The issue here is ensuring that the investment in skills and staff competencies is made on a regular basis, not once. Few things are worse than not knowing something you believe you already know.

4. Regularly provide best-practice information for the various IT security and IT management processes. Important processes include patch and change management, configuration management, security design and architecture, fraud prevention and detection, and physical security, among many others. Explain not just the “how” but the “why” of security processes and procedures to staff. A wise first step is to focus on educating the “influencers” in your management and staff ranks, and then let them set the example for the rest.

5. Complete periodic surveys of management and staff. The purpose is to assess how well they understand the information security policy, procedures, and controls, and to identify key opportunities for improvement. Communication is a two-way street; if you never assess staff competency, you will never know how well your staff development efforts are working. Surveys are a low-key way of finding out what is on people’s minds and which training issues need to be addressed.

These steps are not free, and your company will always have limits on its education budget, but over the long haul they are modest investments with a high payoff: peace of mind about your information security.

Regular Evaluations

Setting clear expectations and defining everyone’s responsibilities for IT security is half the battle. Being diligent in making sure the workforce understands the organization’s expectations and their own roles and responsibilities is the other half. To implement proper security, you need a clearly articulated policy, it must be enforced, and violators must be investigated and, when necessary, disciplined. Management must understand that it is responsible for designing and implementing information security education and awareness activities, including monitoring their results.

Management and staff need to be assigned security responsibilities, and their security performance should be one of the criteria in compensation reviews alongside the more traditional ones. Holding management and staff accountable for their performance on information security is key to effective security: it ensures that actions have consequences.

Awareness should take multiple forms, such as company newsletters or impromptu forums. The effectiveness of any such effort also depends on the tone set by senior management.

The best defense against security incidents and failures is a motivated and educated management and workforce that supports your organization’s IT security standards. Many things can result from a lack of awareness and education, from lost customer confidence to lost customers, as well as lower stock prices, lawsuits, and bad publicity. Building awareness of information security takes time, resources, and energy, but without question, it is worth it.