Monday, April 6, 2009

Business Drivers for Information Security Awareness

Raising information security awareness is not a one-off exercise. By the same token, an awareness-raising program cannot be relied on indefinitely in an organization without further action or modification. To ensure that the program continues to correspond with the targets of a financial organization and that information security becomes part of the organizational culture, awareness must be maintained or raised continuously. It is an ongoing process, a cycle of analysis and change, as found in many management systems such as ISO 9001 or ISO/IEC 27001. Taking this change-management approach to an awareness initiative is crucial, because it helps close the gap between a particular issue and the way people respond to the need to change, even where the change required is cultural.

The first step is to analyze the current state of information security awareness and culture and to identify the main business drivers. If the culture does not fit the organization’s targets, it must be changed; if it fits, it should be reinforced. The necessary controls, such as an information security training program or an awareness campaign, must then be chosen (planning and design) and realized (implementation). Finally, the success of the controls must be evaluated and the lessons learned captured (measuring success and program improvement).

When planning an information security awareness program, several factors should be taken into account. In this section we look at the most important issues, why they matter and how to deal with them.

The most critical success factor in any project with an organization-wide focus is obtaining executive commitment. This is one of the most powerful levers inside any organization, since executive support not only provides funding but also sets an example for all levels of the organization. The board should appoint someone to formally sponsor the program across the organization. Doing so actively demonstrates to all employees that the program is part of the organization’s strategy and also guarantees alignment at all levels of the business.

The main output of this activity is a clear understanding of exactly why the financial organization needs an awareness program. Stating the reasons behind a program makes it possible to design it more effectively. Among the most recent reasons for launching an information security awareness program are the related controls imposed by regulations such as SOX, Basel II and other country-specific privacy laws.

It can also be part of the organization’s strategy: several organizations are pursuing certification objectives such as ISO/IEC 27001 for Information Security Management and BS 25999 for Business Continuity Management, both of which require a high level of commitment from every employee. Some control frameworks, such as COBIT, also emphasize the need for user training and awareness.
