In view of regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the ISO 27000 series (International Organization for Standardization), it is very important to determine what needs to be covered in an information security program and who takes responsibility for its various components. These regulations require organizations to implement policies, procedures, and technologies to protect sensitive information assets.
The demands of new regulations such as SOX, HIPAA, PCI-DSS, and GLBA, along with statutes that require disclosure of security breaches to consumers, force businesses to implement security measures. Corporate executives are now held liable, and can face jail and fines, when security lapses occur. Most security breaches occur due to a weak link in the information security chain; that is, human rather than technological failure. In view of this, the security landscape is changing.
As cited in audit reports, periodicals, and conference presentations, the IT security professional community understands that people are one of the weakest links in attempts to secure systems and networks. The people factor, not technology, is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this asset. A robust, enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities and properly use and protect the IT resources entrusted to them.
An effective IT security awareness and training program explains the proper rules of behavior for the use of agency IT systems and information. The program communicates the IT security policies and procedures that must be followed. This must precede and lay the basis for any sanctions imposed for noncompliance: through awareness and training, users should first be informed of what is expected of them. Accountability must be derived from a fully informed, well-trained, and aware workforce.
Thursday, December 4, 2008