For those of you putting together an information security awareness, training and education plan for the new year, here is an outline to help you define and plan a successful implementation and operation, working towards the ultimate goal of an effective information security program.
VISION - The ultimate goal of our information security awareness program is to make security a regular part of what we do: to give our employees an understanding that security is not something you can add at the end, and not something that technology or someone else can always do for you.
MISSION - The goal of the Security Awareness Program is the preservation of the confidentiality, integrity and availability of sensitive information, and of the integrity and availability of the systems that process and store that information. Information security is a triad of People, Process and Technology. Process and technology are driven by people, and people are driven by their job responsibilities, their knowledge and their experience. Security awareness is the means by which we shape that knowledge and experience.
STRATEGY - Security awareness, training and education will be based upon IT security roles and access rights to sensitive data. End users with minimal access to IT resources and/or sensitive data will require less security training than a data owner for administrative systems. Awareness material will be broadly available through a variety of methods and media throughout the year for administration, faculty, staff and students. Role-specific training will be created and delivered through a combination of on-line delivery, classroom-style instruction, special meeting topics and one-on-one instruction.
PURPOSE - Security policies should be viewed as key enablers for the organization, not as a series of rules restricting the efficient conduct of business. The Security Awareness Program is a key factor in the successful implementation of an organizational security policy. Ensuring that our organization's intellectual property, customer and patient data, and assets are protected from inadvertent disclosures or malicious Internet threats is the responsibility of every employee and contractor. This is done by defining and outlining the specific role of each employee in the effort to secure critical organization assets, as well as covering in detail the core elements of the security policy. Security awareness achieves a long-term shift in the attitude of employees towards security, while promoting a cultural and behavioral change within the organization.
SECURITY AWARENESS - People, information, operations and systems are critical assets. Protecting the safety, confidentiality, integrity and availability of these assets is essential to maintaining compliance, public image and regulatory and legal obligations. Organizations face threats to their employees, systems, operations and information every day, ranging from information technology and information security threats to physical and other emergencies. Organizations implement tools and procedures to protect against these threats. Unfortunately, even the best technology and procedures can be defeated by a user who is unaware of how to use them, or of how important security is.
Thursday, December 31, 2009
Wednesday, November 4, 2009
Awareness and USB Drives
USB drives have become a commonplace method of transporting and storing data in the workplace. These devices can become infected with various forms of malware and then infect other PCs and networks without the user being aware of what is happening, unless they have been given proper security awareness training in the correct usage and protection of these devices.
Organizations and people need to be aware of the security issues with these devices and act accordingly. Proper policies and guidance along with solid security awareness education and training will go a long way towards averting infection, data loss and leakage.
Friday, October 16, 2009
Security Awareness and Job Titles
When a new employee is hired, they are given a specific job title that carries with it certain ACL roles. Many of these roles are never used or required, which allows for inappropriate access to certain information and possible exposure. When these employees change job titles, the ACLs are rarely, if ever, updated.
This is not only a critical information security issue, it is a security awareness issue. With awareness of this problem, and a proactive and supportive C-suite and board, we can reduce this vulnerability to the security of information.
Tuesday, September 29, 2009
Security Awareness Training and Communication
Security Awareness is the tool most used to inform and educate users on policy and accepted practices and procedures that support the university. It is often the most important and, in many ways, the least expensive way to impact the overall security of an organization. An organization's staff is the most cost-effective countermeasure against security compromises and IT security depends on the cooperation of every user.
Security awareness is also the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, the information assets of that organization. Being security aware means you understand that some people may deliberately or accidentally steal, damage or misuse the data stored within the organization's computer systems and throughout the organization. It is therefore prudent to protect the organization's assets, in particular its non-public personal information (NPPI).
Friday, September 11, 2009
The Current Business Climate and Security Awareness
The protection and security of PII and corporate information must, at a minimum, be maintained in the current business climate. In fact I believe we must be even more vigilant to ensure information security does not fall through the cracks. At times like these it is vitally important that we maintain information security awareness, training and education programs.
These are tumultuous times, characterized by shot-gun mergers, acquisitions, and corporate restructurings resulting in mass lay-offs. This corporate churn forces companies to change employee access to sensitive corporate data on very short notice, grant access privileges to new employees, adjust access privileges for re-assigned employees, and terminate access for former employees and contractors.
Organizations that are "identity aware" can successfully - and proactively - manage the IT risk associated with changing user access to applications and systems.
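The two posts above ("Security Awareness and Job Titles" and this one) describe the same failure: entitlements granted for one job title are never reconciled when a person moves, leaves, or is hired into a role whose baseline they exceed. The following is an added example, not code from the original posts, of the reconciliation an "identity aware" organization runs: it compares a live ACL export against a role-to-entitlement baseline and an HR roster and classifies every discrepancy as a leaver, mover, excess or missing entitlement. The baseline, roster, entitlement names and the ACL export are all constructed stand-ins for whatever your HR system, IAM tool and directory actually emit.

```python
"""Joiner/mover/leaver entitlement reconciliation (added example, not from the post).

Every data set below is constructed for illustration: ROLE_BASELINE is an
assumed map of job title -> entitlements the title is supposed to carry,
ROSTER is an assumed HR feed, ACL_EXPORT is an assumed dump of who currently
holds what. Replace them with your own feeds; the logic does not change.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed baseline: what each title should hold, and nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable-clerk": {"erp:ap-entry", "fileshare:finance-ro"},
    "payroll-analyst": {"erp:payroll", "hr:ssn-view", "fileshare:finance-ro"},
    "helpdesk": {"ad:password-reset", "ticketing:agent"},
}


@dataclass
class Person:
    user: str
    title: Optional[str]            # None means terminated / not on the active roster
    previous_title: Optional[str] = None   # set by HR when someone changes job title


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "leaver", "mover", "excess" or "missing"
    entitlement: str
    detail: str


# Constructed roster and ACL export exercising each failure mode.
ROSTER: Dict[str, Person] = {
    "alice": Person("alice", "payroll-analyst", previous_title="accounts-payable-clerk"),
    "bob": Person("bob", "helpdesk"),
    "carol": Person("carol", None),            # terminated last week
    "dave": Person("dave", "accounts-payable-clerk"),
}
ACL_EXPORT: Dict[str, Set[str]] = {
    "alice": {"erp:ap-entry", "erp:payroll", "hr:ssn-view", "fileshare:finance-ro"},
    "bob": {"ad:password-reset", "ticketing:agent", "erp:payroll"},
    "carol": {"fileshare:finance-ro"},
    "dave": {"erp:ap-entry"},
}


def reconcile(roster: Dict[str, Person], acl_export: Dict[str, Set[str]]) -> List[Finding]:
    """Compare held entitlements with the role baseline and report every gap.

    - leaver:  the account is not on the active roster but still holds access
    - mover:   the entitlement belongs to the person's previous title, not the current one
    - excess:  the entitlement is outside the baseline for the current title
    - missing: the baseline grants something the person does not hold
    """
    findings: List[Finding] = []
    for user, held in sorted(acl_export.items()):
        person = roster.get(user)
        if person is None or person.title is None:
            for ent in sorted(held):
                findings.append(Finding(user, "leaver", ent, "account not on active roster"))
            continue
        expected = ROLE_BASELINE.get(person.title, set())
        prior = ROLE_BASELINE.get(person.previous_title, set()) if person.previous_title else set()
        for ent in sorted(held - expected):
            if ent in prior:
                findings.append(Finding(user, "mover", ent,
                                        f"carried over from {person.previous_title}"))
            else:
                findings.append(Finding(user, "excess", ent,
                                        f"not in baseline for {person.title}"))
        for ent in sorted(expected - held):
            findings.append(Finding(user, "missing", ent,
                                    f"baseline for {person.title} grants it"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a weekly access-review report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in reconcile(ROSTER, ACL_EXPORT):
        print(f"{f.kind:<8} {f.user:<6} {f.entitlement:<22} {f.detail}")
    print(summarize(reconcile(ROSTER, ACL_EXPORT)))
```

On the constructed data the report shows alice still holding the AP-entry right from her old title (the mover case the "Job Titles" post describes), bob holding payroll access that no helpdesk baseline grants, carol's orphaned file-share access after termination, and dave missing a right his role should have. Treat "leaver" and "mover" findings as revocations to execute the same day; "excess" findings need an owner to either approve and add to the baseline or revoke.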
Wednesday, August 12, 2009
2008 Information Security Breaches Survey
Companies are becoming increasingly aware of the need to have information security policies in place - with seven out of eight large businesses now claiming to have one. However, experts warn that the high priority given to information security by companies does not necessarily translate into improved security awareness among employees. Increasingly, companies are realizing that to tighten up further on information security, they have to change their people's behavior.
These are among the early findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium led by PricewaterhouseCoopers. The survey shows that companies are placing greater trust in their staff and want them to use technology to improve their effectiveness.
At the same time, the survey shows that employees are increasingly targeted by social engineering attacks, in which outsiders try to obtain confidential information from employees. Businesses are also becoming increasingly concerned about what is being said about them on social networking sites, as some employees have posted confidential information on these sites.
Key to making sure that staff remain the organization’s greatest asset is to ensure they behave in a security conscious way. Increasingly, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behavior to ensure that it is in line with those policies.
The report also says that there is some correlation between how clearly senior management understands security issues and whether a security policy is in place. Security awareness is not just an issue for a company's staff. Nearly two-thirds of very large companies would welcome more education for the general public about information security risks. Having a security policy alone does not magically improve security awareness among staff.
The overwhelming majority of companies take steps to raise awareness. The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organization. What companies are realizing is that increasing security awareness is only part of the answer. The critical issue is changing the behavior of their people.
A 'click mentality' has grown up - users do what expedites their activity rather than what they know they ought to. It is a bit like the road speed limit - everyone knows what they ought to do, but only a few actually do it. Only when behavior changes do businesses realize the benefits of a security-aware culture.
Traditionally, where organizations have attempted to improve employee awareness they have used a combination of computer-based training and face-to-face presentations to get security messages across. But these methods are somewhat transient - much more collaborative and longer-lasting programs are needed. Genuine behavior change is essential, and this takes time and effort.
Tuesday, July 7, 2009
Essentials in creating an information security mindset
Amidst corporate initiatives to improve profitability, cut costs, improve cash flow, and rationalize investments, C-suite executives still need to spend a chunk of management time on corporate governance. An important aspect of this is information security governance, since information security cuts across all organizational processes.
Key to the success for governing information security is proper, organization-wide awareness. One crucial point is that information security is not just IT security. Since all departments in an organization are affected, information security is everyone's concern. Start with the right security organization.
The security leader must have endorsement and support from the highest levels of management, no less than the CEO if possible. The CEO, as the executive sponsor of the CISO or CSO, demonstrates in no uncertain terms that information security initiatives are organization-wide. The security leader should be supported by a team of self-starters coming from all major departments within the organization.
This team acts as the security champions from the various groups and reinforces information security awareness at the department level. The security leader must communicate the right mindset in safeguarding an organization's information assets. They must articulate this message across a broad audience that may or may not be security-savvy.
Employees may view information security as a hindrance to the smooth performance of their daily duties. It is the job of the security leader to make them appreciate the value to the organization and to themselves of protecting information assets, and the consequences should these information assets be compromised.
The security leader should issue new policies or reminders to articulate the importance of compliance. While written messages are important, these are not effective when used alone. The security leader should make themselves available and visible.
They should tour the office premises from time to time to remind employees of information security policies or seek feedback on the company's security initiatives. One organization I know calls this initiative "One Minute for Information Security." From what I have seen, employees are willing to take even several minutes of their time to dialogue with the security leader.
Another useful tool to strengthen security communications is the use of security awareness seminars for all employees. Videos are an excellent tool to drive home the message. Also, flash videos upon network log-on have proven to be effective reminders. Strategic placement of posters carrying visuals on information security are also good communication channels. Employees especially like corporate giveaways such as pens or memo pads that have security-related reminders.
Regardless of the communications medium or the message, it is important to deliver it in bite-size chunks to avoid confusion and information overload.
Compliance is difficult to enforce, especially if security awareness is not yet mature. One way is to enforce security with penalties for non-compliance (i.e., the "stick" approach).
This has its good and bad points. The penalties can serve as a deterrent, but employees will tend to view information security as a series of don'ts with stiff consequences. Consequently, the right mindset may not be formed.
A simple system of rewards through positive reinforcement (i.e., the "carrot" approach) is certainly another way to encourage compliance. Let's take clear desk as an example. To encourage clear desks, those in charge of enforcing it can tour the office premises unannounced (e.g., during the lunch break) and place a small token or chocolate, plus a note of appreciation, on compliant desks. The owners of these desks will thus be encouraged to maintain clear desks.
Another approach to implement clear desk is to periodically publish pictures of both compliant and non-compliant desks. You may or may not identify the owners of these desks, depending on the culture in your organization. In this way, employees will get motivated to achieve clear desks themselves if they see that their colleagues and even bosses are doing so.
This leads us to the question of which approach is better: carrot or stick. We can use both, since one complements the other. You can start with the carrot at the early stages of security awareness. Once established, you can use the stick. However, for non-compliance that gives rise to unacceptable risks to the organization, we can use the stick at the outset.
Nothing will drive home the point better than having information security reminders and policies apply to all levels in the organization, from rank-and-file all the way to the CEO. If the security leader or any company executive is not complying with any of the policies, they should be prepared to rectify the situation or suffer the consequences, as prescribed by policy. All employees will thus realize that information security policies are applied fairly to everyone, and that the organization is serious about information security.
Information security awareness tends to be at its peak during periods of audit or certification/recertification (in the case of standards-based information security management systems). The security leader and their team should send clear messages that the security initiatives are not for the audit or certification alone, but should be normal practice at all times.
A good test of whether an organization has the right level of security awareness is that only occasional reminders from the security organization are needed and a self-policing mindset has been adopted by everyone. If you pick any employee at random, from the rank-and-file up to the CEO, and ask what their role in information security is, they should be able to articulate right away how information security depends on them. In other words, the goal is to make information security second nature to everyone.
Wednesday, June 10, 2009
Establishing an Information Security Culture
In today's business world information is a valuable commodity and as such needs to be protected. It affects all aspects of today's businesses, from top management right down to the operational level. In order to avoid loss or damage to this valuable resource, companies need to be serious about protecting their information. This protection is typically implemented in the form of various security controls. However, it is very difficult to know exactly which controls are required in order to guarantee an acceptable minimum level of security. Furthermore, managing these controls so that they are always up to date and implemented uniformly throughout the organization is a constant headache for organizations.
There exist several internationally accepted standards and codes of practice to assist organizations in the implementation and management of an organizational information security strategy.
These standards and codes of practice provide organizations with guidelines specifying how the problem of managing information security should be approached. One of the key controls identified by all the major IT Security standards published to date is the introduction of a corporate information security awareness program. The purpose of such a program is to educate the users about Information Security or, more specifically, to educate users about the individual roles they play in the effectiveness of one type of control, namely, operational controls.
Tuesday, May 26, 2009
Definitions for Awareness, Training and Education
Information Security Awareness Program
An Awareness program mixes Awareness training sessions with periodic reminders and promotional materials to bring the attention of information resource users to information security issues, and to increase their understanding of vulnerabilities and threats affecting the security of USAP information. An Awareness program is typically geared towards the non-technical user community, or technical users outside an organization’s Information Technology group. The Federal Information Security Management Act of 2002 (FISMA) and OMB Circular A-130 require all users of federal information resources to receive periodic Awareness training as part of an Awareness program.
Information Security Training
Information Security training is typically considered technical training, and it focuses on improving the security skills and competencies of personnel managing, designing, developing, acquiring, and administering information resources. Technical training is intended for information security staff, and for information technology staff in positions with security related responsibilities, such as system administrators or network engineers. Technical training typically includes short courses, seminars, professional development workshops, conferences, and certificate programs. Technical training is provided to staff by the parent organization, to ensure the staff member is able to accomplish their duties.
Information Security Education
Information Security education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles, and strives to produce information security specialists and professionals capable of vision and pro-active response. Typically, education involves a long-term course of study at the university level, and is provided to staff at the discretion of the parent organization.
Saturday, May 9, 2009
Security Education Program
Security education is one of the five major areas within a security program; the other four being information security, personnel security, physical security and automation security. The importance of a security education cannot be overemphasized, because it is this particular area that increases personal security awareness. From a personnel standpoint, security education directly contributes to the success of the other four areas. In the final analysis, regardless of how definitive and complete any set of security procedures might be, it will be people who execute or fail to execute those procedures.
The purpose of a security education program is to establish and maintain security awareness on the part of all personnel. Security awareness or consciousness is a state of mind, implying an understanding of security objectives, principles, and measures. It also denotes a willingness and desire on the part of the individual to assist, by fulfilling his/her security responsibilities, in achieving the objectives of a security program. This is done by helping the individual acquire an understanding of the basic principles of sound security practices and procedures as they pertain to their unit or job.
Tuesday, April 28, 2009
Creating a compliance training program for end users
Compliance awareness training is a necessity: the laws, regulations and related policies and procedures that bind us require that such training be included as part of our information security awareness and data protection programs.
Over the past few years there has been a massive increase in security-and privacy-oriented compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA and Gramm-Leach-Bliley (GLBA), to name just a few. Several of these mandate that companies implement security awareness as part of their information security programs. As a result, this often-neglected area of infosec has had some new life breathed into it.
Security practitioners love to argue about the effectiveness of employee security awareness training. Opponents claim the proliferation of security incidents is proof that it doesn't work, whereas proponents claim that no system is perfect, but something is better than nothing. Various studies have been published to support both sides, but one thing is certain: several compliance regulations exist that mandate employee training about the various security and privacy policies.
But what makes for a good security awareness and education program? Most user training misses the point completely and is as useless as its detractors say it is. That's because it focuses on what users should and shouldn't do, as opposed to why and how those actions can have serious consequences.
Monday, April 6, 2009
Business Drivers for Information Security Awareness
Raising information security awareness is not a one-off exercise. In the same manner, an awareness raising program cannot then be relied on indefinitely in an organization without further action or modification. To ensure that the program continues to correspond with the targets of a financial organization and that information security is incorporated in the organizational culture, awareness must be maintained or raised continuously. It is an ongoing process, a cycle of analysis and change, as we find it in many quality management systems, such as ISO 9001 or ISO/IEC 27001. Taking this change management approach to an awareness initiative is crucial as it helps close the gap between a particular issue and human responses to the need to change, even in the case of cultural change.
The first step is to analyze the actual information security awareness and culture and to identify the main business drivers. If the culture does not fit with the organization’s targets, the culture must be changed. If it fits, it should be reinforced. The necessary controls such as an information security training program or an awareness campaign must be chosen (planning and design) and realized (implementation). The success of the controls taken must then be evaluated and learning specified (measuring success and program improvement).
When planning an information security awareness program there are several factors which should be taken into account. In this section we will look at the most important issues, why they are important and how to deal with them.
The most critical success factor in any project with organization-wide focus is to obtain executive commitment. This is one of the most powerful levers inside any organization since executive support not only provides funding, but also provides an example to all levels of the organization. The board should appoint someone to formally sponsor the program across the organization. Doing so actively demonstrates to all employees that the program is part of the organization’s strategy and also guarantees an alignment at all levels of the business.
The main output of this activity is to understand exactly why the financial organization needs an awareness program. It is important to state the reasons behind a program, so that it can be made more effective. Among the most recent reasons for launching an information security awareness program are the related controls imposed by regulations such as SOX, Basel II and other country-specific privacy laws.
It can also be a part of the organization’s strategy - several organizations are pursuing certification objectives such as ISO/IEC 27001 for Information Security Management and BS25999 for Business Continuity Management, which ask for a high level of commitment from every employee. Some control frameworks, like CobiT, also emphasize the need for user training and awareness.
Friday, March 13, 2009
Information Security – Where should it start from?
Information security in any organization should start with the employees. The employees should know the sensitivity of the data they handle and, of course, its value too. Many organizations have a false belief that an ISO (Information Security Officer) and a security team will make the organization secure; you can't expect the Information Security Officer to make your organization 100% secure. The ISO is like any other employee and has limitations. So if you need the organization to be secure, the employees should work together toward the common objective of achieving 100% security (although 100% security is a myth, at least the organization will be doing its best to preserve the CIA of the information it handles).
Monday, March 2, 2009
Security Awareness and Training
Adequate training of all personnel is critical to the effective implementation of information security. Security awareness and training activities should be ongoing to further demonstrate management’s commitment to information security.
Information security policies and procedures are of little use unless they are understood and observed by the personnel who are affected by them. The agency must be proactive in communicating its expectations and requirements to its personnel, as well as in prescribing disciplinary action for non-compliance. It is not sufficient to publish policies and assume that personnel are aware of them, will read them and will adhere to them.
The agency must foster the development of a pervasive information security culture and personalize the issue so that all personnel are aware of their own responsibilities.
Personnel should be made aware of the importance of the information processes, the associated threats, vulnerabilities and risks and understand why controls are needed.
Personnel should be appropriately trained to perform their tasks, prior to access to systems and information being granted. Different levels of training may be required to match the requirements of their jobs. Security officers may require specialized security training or education.
Disciplinary measures that may be invoked for deliberate breaches of security should be publicized.
Periodic information security awareness seminars for all personnel should be conducted to advise of industry developments in information security and of new security initiatives within the agency, to present case studies, and to reinforce the need for security and for complying with the policies and procedures.
Tuesday, February 10, 2009
Why Are Most Organizations Still at Risk?
Security technology has helped make information much more secure. Organizations have invested in firewalls, antivirus hardware and software, spam filters, smart cards, and other such technologies. Additionally, most organizations now have sound data protection policies and procedures in place for dealing with sensitive and business-critical information. But even though the technology works, and the data protection policies and procedures are in place, the number and severity of information security breaches are only getting worse.
The missing piece of the equation, as always, is people. In one form or another, human error - not technical malfunction or inadequate business policies - is the most significant risk to protecting data. Based on the 2007 study from the IT Policy Compliance Group, human error is responsible for almost 76% of all data loss.
The human element is typically one of the weakest links in the data protection triangle of technology, business policy, and user awareness and training. While there has been great attention given to protecting data from external threats, evidence shows that it’s the authorized – yet unaware and unversed user – that currently poses the greatest risk to data protection. An effective security awareness and training initiative will address one of the highest risks you face in data protection today – the human element.
Why has the human element become one of the biggest risk factors facing data protection today? The answer: the industry has just done a better job of implementing security technology and aggressively pursuing good data protection policies and practices. But we often neglect to remember that it’s humans who have to use technology, implement the policies, and carry out the procedures. It shouldn’t be a surprise that human behavior, one of the hardest issues to deal with, is now at the forefront of risk.
Sunday, February 1, 2009
Information security awareness – a reminder flyer is not enough
We all know about the importance of the human factor in our information security processes. However, there is no common recipe on how to switch on information security awareness in a given company or organization.
Education and training is only part of the solution - Often the non-privileged IT users are referred to as the weakest link in the security chain. Security issues are:
-opening malicious attachments
-getting caught by phishing
-using weak passwords
-transferring confidential data over insecure channels
-saving company data on a medium without backup
-installing unapproved software
-losing mobile devices
The situation can be improved to some extent by repeatedly teaching the users a list of relevant Do's and Don'ts. But for the remaining part we need a better understanding of the psychological aspects.
Trying to understand human nature - While technology is in permanent development and progress, some components of human character have never changed:
-We rely on long-term experience.
-We estimate risks based on our intuition.
-We feel safe if potential enemies are far away.
-We are used to allowing exceptions.
These properties are obviously not in line with today's requirements for an effective risk-based security framework. We have to accept that human beings don't always think and act in a logical and reliable way. Soft factors play a role in the behavior of users as well as IT specialists; sometimes they even affect decisions in the management. So what are the good arguments for a better security understanding?
Business-focused security awareness - Some of the most effective human awareness sensors are money, law and personal responsibility. In our awareness raising activities we should try to focus on these values. The security goal to be communicated is not to reach a high security level or to reduce IT-related risks, but to ensure business success in a legal framework.
Information security culture - An isolated awareness campaign will usually not induce long-lasting changes in the attitude and behavior of the target groups. Security has to become an integrated part of the business processes. In order to establish and maintain a general culture of security, contributions of different roles are needed:
-Senior Management officially recognizes the importance of security.
-Superiors respect the security policy without any VIP exceptions.
-The helpdesk supports users with reliable and helpful services.
-IT architects take account of security throughout their projects.
-Developers consider usability aspects, e.g. by providing comprehensive configuration menus, security warnings and help texts.
-Users who know what they are doing will cause fewer incidents.
Secure processing of information and data should be made as easy and normal as possible.
Conclusion - Instead of complaining about human error we should try to understand the reasons for insecure behavior. Information security is only given the appropriate attention if the business impact is visible. Rules and guidelines should always be based on the company strategy and supported by the management. Keep in mind that security awareness doesn't develop very quickly, so never give up!
Sunday, January 11, 2009
Awareness Training
In recent years, rapid progress in the use of the Internet has resulted in huge losses in many organizations due to lax security. As a result, information security awareness is becoming an important issue to anyone using the Internet. To reduce losses, organizations have made information security awareness a top priority. The three main barriers to information security awareness are: (1) general security awareness, (2) employees' computer skills, and (3) organizational budgets. Online learning appears a feasible alternative to providing information security awareness and countering these three barriers. Research has identified three levels of security awareness: perception, comprehension and projection. A study reports a laboratory experiment that investigates the impacts of hypermedia, multimedia and hypertext to increase information security awareness among the three awareness levels in an online training environment. The results indicate that: (1) learners who have the better understanding at the perception and comprehension levels can improve understanding at the projection level; (2) learners with text material perform better at the perception level; and (3) learners with multimedia material perform better at the comprehension level and projection level. The results should be used by educators and training designers to create meaningful information security awareness materials.