The effectiveness of an information security awareness program ultimately depends upon the behavior of people. Behavior, in turn, depends on what people know, how they feel, and what their instincts tell them to do. While a security awareness training program can impart information security knowledge, it rarely has significant impact on people's feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of the people. It is the role of culture to close this gap.
It is the CISO's responsibility to provide the organizational leadership required to change how the organization perceives, thinks and feels in relation to information security problems, to embed the information security subculture into the dominant culture of the organization. Meeting this responsibility requires the CISO to evolve an information security learning organization to modify its behavior to reflect new information security knowledge and insights.
A HAPPY AND HEALTHY NEW YEAR TO ALL !!!!!!!!!!
Saturday, December 31, 2011
Wednesday, December 21, 2011
Ethical Persuasion: Changing Culture Means Building Relationships
Changing a culture requires changing people; changing how people perceive, think, and feel about information security problems. In effecting cultural change, the CISO must win everyone to the cause of information security. And to do that, as Lincoln reminds us, requires the CISO to be a sincere friend.
If the CISO is to change people, the CISO must engage in what is known as ethical persuasion, the honest attempt to induce people to change their behavior. To persuade ethically — to catch the heart which is the high road to reason — the mode of persuasion needs to be direct and honest, it needs to be respectful of people, and it must be without manipulation.
Recent work in the behavioral sciences has discovered six specific persuasion triggers that the CISO can use to influence the extent to which people will open themselves up to being persuaded.
• Reciprocity: People feel obliged to give to people who have given to them.
• Social Proof: People follow the lead of similar others.
• Authority: People defer to experts who provide shortcuts to decisions requiring specialized information.
• Consistency: People fulfill written, public and voluntary commitments.
• Scarcity: People value what’s scarce.
• Liking: People prefer to say “yes” to people they perceive like them.
It turns out that even more important than people liking us … is us liking them. People like, and are inclined to follow, leaders who they perceive as liking them. If people perceive the CISO likes them, they are more inclined to say yes to the CISO.
To influence people, win friends. An effective CISO will always be on the lookout for opportunities to establish goodwill and trustworthiness, to give praise, and to practice cooperation.
Thursday, December 15, 2011
Strategic Imperative: Evolve an Information Security Learning Organization
Real security lies not just in firewalls, passwords and awareness training but in the culture perceiving, thinking, and feeling correctly in relation to information security problems. This can only happen gradually, as the culture evolves an information security learning organization.
An information security learning organization is an organization skilled at creating, acquiring and transferring knowledge about information security, and at modifying its behavior to reflect new information security knowledge and insights.
In The Fifth Discipline, Peter Senge, one of the pioneers of learning organizations, identified five key disciplines that are prerequisites to establishing a learning organization. These five disciplines are:
Personal Mastery: We can only learn when we are unafraid. Consequently, the CISO has to create a trusting environment in which people are willing to open up to their information security inadequacies without fear of feeling stupid or otherwise inadequate.
Mental Models: This means providing people the intellectual tools needed to understand information security so that its principles come to be applied in every situation where people might put information at risk.
Shared Vision: The information security leader needs to connect information security to the very success or failure of the organization, helping people understand, for example, how an information breach could close the company and put people out of work.
Team Learning: The CISO must work with people so they come to train each other. A goal should be to make information security a common theme in discussions around the water cooler.
Systems Thinking: The CISO must understand the forces on the organization’s culture, the myriad of causes and effects that impact the culture’s evolution. To be effective, the change strategy must amplify those cultural forces, like increased compliance and the organization’s need for information availability, that demand greater cultural change.
Wednesday, December 7, 2011
Leadership: The Force for Cultural Evolution
The challenge of leadership is to optimally affect the ongoing course of organizational evolution, to be the change agent directing this evolution. Culture and leadership are two sides of the same coin. If cultures become dysfunctional, it is the unique function of leadership to perceive the functional and dysfunctional elements of the existing culture and to manage cultural evolution and change in such a way that the group can survive in a changing environment.
Leadership … is the ability to step outside the culture …and to start evolutionary change processes that are …adaptive. This ability to perceive the limitations of one’s own culture and to develop the culture adaptively is the essence and ultimate challenge of leadership.
This aspect of leadership—to change the larger culture in the direction of information security— must be part of any CISO’s job description. Until and unless “the information security way of seeing the world” becomes a part of the organization’s culture, the organization is dysfunctional. Every time there is an information security breach whose root cause is human, that’s evidence of the dysfunctionality.
With this in mind, the CISO must step outside the culture and look at it from the outside, molding and shaping its evolution, so that, over time, people are doing the right thing: they’re being careful, they’re paying attention, and they are even training each other—all because an information security mindset has become embedded in the larger culture.
Monday, November 28, 2011
The Information Security Cultural Challenge
Given the cultural context in which the information security organization finds itself, the cultural realities of the situation are, to be honest, somewhat bleak.
• Information security is a new kid on the block. In most organizations the information security function is at most a few years old. The field itself dates only to 1970.
• Information security is nowhere near core to the organization. Even when there is a regulatory requirement for information security controls, these are ‘pushed’ by senior management only because they are legally required. Top level support for information security could dry up in an instant if the legal and regulatory landscape were to change.
• Even more challenging, the information security organization manages a set of concerns seemingly disconnected from those of the marketing, sales, operations, and financial organizations, with the result that the information security subculture is dramatically disconnected from these other, much more dominant, subcultures.
• Because “information security” contains the word “security,” the cultural expectation is that the information security group will take care of security just like the guards do, with no need for ‘me’ to get involved.
• Except for the annual awareness training, the only time the information security culture “touches” the rest of the organization is when someone forgets his password or when the system won’t let someone “do her job.” Consequently, there are likely to be few ‘natural’ opportunities for cultural blending, with the result that the information security subculture will tend to evolve in isolation from the dominant culture.
It is against this backdrop that the information security organization must embed its culture into the culture of the larger organization, for this is the only way to transfer to the larger organization the correct way to perceive, think, and feel in relation to information security problems.
Friday, November 18, 2011
Beyond Information Security Awareness Training: It’s Time to Change the Culture
The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While an awareness training program can impart information security knowledge, it rarely has significant impact on people’s feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.
One sees this phenomenon every time an employee opens an unexpected email attachment from a friend. They may not really care about the potential that the attachment is a virus, or they may care, but their instincts are not finely enough honed to intuitively recognize the threat.
It’s the same issue every time an employee falls victim to social engineering. People’s instincts are to be helpful. We amplify this instinct every time we tell employees about the importance of customer service. And then we wonder why, in that moment of truth, after the social engineer has sounded so friendly and seemed so honest, that the employee disregards the awareness training program and gives up his password.
Friday, October 28, 2011
Your Awareness Program
When it comes to security awareness, a common challenge I find is that organizations have focused so much on getting management support, budget and materials that when they are ready to start they have not yet thought of how to begin. One of the best places to start is building your team, a steering committee if you like. The purpose of this team is to help guide your program in the years to come. Not only can members provide input, but they can also become owners and champions for your program. Keep the team simple: you are not required to hold regular meetings or even be physically together; something as simple as quarterly Skype conferences may do. Also, keep the team small; I suggest no more than 5-7 people. Anything larger and consensus building becomes almost impossible. Some key departments I recommend are:
• Audit: to ensure you meet compliance requirements, especially in tracking your program.
• Human Resources: as they often control who is trained and when. In addition they are often responsible for many of the Acceptable Use policies. Finally, if your awareness program addresses any enforcement issues, HR is often where enforcement begins.
• Legal: for obvious reasons.
• Help Desk: These folks are often forgotten but can be very helpful for your program. They have the pulse of how the organization is operating. In addition, the Help Desk may be the first place people go to with any security related issues, questions or incident reports.
• Marketing: As security professionals we know security. We have a good understanding of what the greatest risks are to our organization and how to mitigate them. Where our profession sucks (to put it bluntly) is communicating these issues. Your awareness program can have the greatest content in the world, but if you cannot engage your employees they simply will not listen. Get marketing on your team and listen to them; this is what they do for a living.
• Training: Obviously if you have a training or communications department, be sure to coordinate with them. For organizations over 10,000 people I often find you have specific branding requirements which dictate what your materials communicate and how they are communicated.
Wednesday, September 14, 2011
Unknown Employee Security Risks
Employees can unknowingly pose security risks to the organization they work for in a number of ways:
* Poorly designed passwords may increase the risk of network attack.
* Improper control of laptops or other mobile devices can lead to the loss of proprietary information.
* Failure to update virus software may lead to the infection of one or many computers.
* Surfing the web and downloading files from the Internet can consume network bandwidth and cause a loss of worker productivity.
* Falling prey to a social engineering attack may lead an employee to divulge confidential information.
However, with the right training, employees can become an organization’s strongest security asset.
A security awareness program enables organizations to improve their security posture by offering employees the knowledge they need to better protect the organization’s information through proactive, security-conscious behavior. To successfully protect information assets, employees at every level – from the top down – need a basic understanding of security policies as well as their respective responsibilities in protecting these assets.
Management personnel with security responsibilities require additional training. Without this understanding, organizations cannot hold employees accountable for protecting the organization’s resources and ultimately, its profitability.
To be effective, a security awareness program must be ongoing and include continuous training, communication and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape. The key messages, tone and approach must be relevant to the audience and consistent with the values and goals of the organization. Equally important, an awareness program must influence behavior changes that deliver measurable benefits.
Wednesday, August 31, 2011
Turn your weakest link into your first line of defense
Most security risks are driven in practice by the lack of a well-defined and managed information security (IS) culture, with errors and breaches frequently caused by human error and a failure to follow procedure. Most analysts and information security officers agree that humans are the weakest links of any information security framework.
With adequate behavior change, you can turn your weakest link into your first line of defense. Easy to say… but in practice, it is quite a challenge!
How do we achieve it?
Many people think awareness and training are key elements. They are not far from the truth! In fact, awareness and training are only part of the solution. Let’s take a step back to understand the behavior change process and then apply it to our first line of defense!
4 Steps to Behavior Change
1. Awareness - Target Group knows WHAT is needed and WHEN it is needed
2. Understanding - Target Group knows WHY and HOW action is needed
3. Action - Target Group is ready to be involved in specific activities
4. Commitment - Target Group is responsibly committed to and supports the initiative
Following this model, by reaching the “commitment level”, chances are that the weakest link will be the best line of defense. Awareness is not training. Awareness is about reaching a mass audience with very attractive packaging that reaches the emotions, to deliver a short and strong message. Awareness allows the audience to recognize situations. It is the first step to a behavior change. Training teaches what to do in situations. Training is about the acquisition of knowledge, skills, and competencies. Awareness and training, when well combined, are powerful behavior change tools.
Friday, August 19, 2011
Train employees – your best defense – for security awareness
With so many security threats on the horizon, it may be comforting to know the strongest security asset is already inside the company: its employees.
New security threats and identity theft schemes are being developed every day, and large corporations continually invest millions of dollars and thousands of man-hours to keep their information and identity safe and their network secure.
But investing time and money into securing the organization and its customers can be completely undermined if employees don’t understand their role in the security plan.
Even when an organization has state-of-the-art technology, strict security policies, and a highly skilled IT staff to manage policies, some organizations are not as secure as they could be. In fact, a recent survey showed 40 percent of IT managers surveyed reported that their organization had experienced at least one security breach in the last year.
Wednesday, July 20, 2011
Federal Information Security Management Act (FISMA)
§3544.(b).(4).(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
Training: The requirement for the agency to ensure that there are sufficient trained personnel available for the information security program falls under the purview of the CISO who manages the program, and supporting functions. This extends to the CISO's management of the staffing of dedicated security personnel for his office, as well as overseeing the designation and training and performance of personnel assigned to other established information security roles, including authorizing officials, system owners, and information system security officers. The CISO fulfills this requirement through the use of staffing plans in concert with human resources personnel, and by means of agency-level performance measurement plans and processes.
Security Awareness Training: The agency program must address requirements for training of all users on risks associated with their activities and on their responsibilities for complying with agency information security policies and procedures. In response to this requirement, agencies provide user-level security awareness information (often computer based) to employees and contractors at least annually, and on an occasional, as-needed basis, through e-mail messages, announcements, newsletters, etc.
Thursday, July 7, 2011
Gramm-Leach-Bliley Act (GLBA) and Security Awareness Training
The Gramm-Leach-Bliley Act of 1999 (also known as the Gramm-Leach-Bliley Financial Services Modernization Act or "GLBA") was designed to open up competition in the financial services industry. It applies to all "Financial Service Providers", which includes obvious groups such as insurance agencies, tax preparers and financial advisers, as well as less obvious groups such as universities and educational establishments (since they handle financial information relating to student loans).
The Safeguards Rule, issued in 2002, establishes standards for the protection of customer information and requires all "Financial Service Providers" to develop a written information security plan including:
• assigning at least one employee to manage the program,
• conducting risk assessments, and
• developing, implementing and monitoring a program to secure the information.
In the preamble to the Safeguards Rule, the Federal Trade Commission (FTC) identified employee training as one of the three areas that the Commission believes are particularly relevant to information security.
The FTC issued guidelines for organizations implementing measures to meet the Safeguards Rule. In this document, the suggested security measures include:
1. Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.
2. Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
• locking rooms and file cabinets where paper records are kept;
• using password-activated screensavers;
• using strong passwords (at least eight characters long);
• changing passwords periodically, and not posting passwords near employees’ computers;
• encrypting sensitive customer information when it is transmitted electronically over networks or stored online;
• referring calls or other requests for customer information to designated individuals who have had safeguards training; and
• recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
Instruct and regularly remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle and post reminders about their responsibility for security in areas where such information is stored.
Thursday, June 30, 2011
Sarbanes Oxley (SOX) and Security Awareness Training
The Sarbanes Oxley Act became law in 2002 in the wake of the Enron financial scandal. Its focus is setting rules for the ways that public organizations and accounting firms should handle corporate governance and financial disclosures – it is not specifically concerned with information security.
However, there are a number of sections of the act which impact information security management including:
1. Section 302 which requires the CEO and CFO to certify that the organization’s financial reports are true and accurate, and that the organization has put in place adequate controls over financial reporting and disclosure.
2. Section 404 which describes the required controls, and requires outside auditors to certify that the controls exist and are adequate.
3. Section 409 which requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors, which could potentially include an information security problem.
4. Section 802 which requires organizations and their auditors to retain accounting documents and work papers (both paper and electronic) for a minimum of seven years.
Since a problem that results from improperly secured financial data would be as much a violation of the law as any other kind of event, there is an implied requirement that organizations implement sound information security practices.
Compliance with the law from the point of view of information security is often demonstrated by developing management systems that follow one of the well-established security and/or IT management frameworks such as ISO 17799 or COBIT – all of which include security awareness training as a fundamental component.
Wednesday, June 22, 2011
ISO 27002 and Security Awareness Training
ISO/IEC 27002:2005(E) ("Information technology – Security techniques – Code of practice for information security management") is a widely-used guide to information security management that reflects accepted best practice, and which is used in businesses and government organizations around the world.
Security awareness training is a key component of the ISO 27002 overall management system. It’s listed as one of the 7 "common practices for information security", and it’s also one of 10 factors that are highlighted as "critical" for the successful implementation of information security processes within an organization.
The core recommendations that relate to information security awareness and training are encapsulated in §8.2.2 of the standard where it says:
Control
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation Guidance
Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.
Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).
Other Information
The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).
In addition to this section, security awareness is also referenced in the standard in §0.6, §0.7, §5.1.1, §6.1.1, §6.1.2, and §6.2.3. The special cases of training related to mobile computing and business continuity are referenced in §11.7.1 and §14.1.4.
Thursday, June 16, 2011
COBIT and Security Awareness Training
COBIT (Control Objectives for Information and Related Technology) was developed by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). It’s a much broader standard than ISO 27000 since it applies to the entire IT structure of an organization (rather than just information security) and provides a mechanism for assessing the maturity of an organization’s IT processes in 34 areas.
COBIT doesn’t have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:
PO6 Communicate management aims and direction
PO7 Manage IT human resources
DS5 Ensure systems security
DS7 Educate and train users
Although COBIT makes no specific recommendations as to best practices, it does provide a series of maturity models that enable an organization to gauge how well it is doing. The COBIT maturity model for training (DS7 – Educate and Train Users) specifies the following requirements for each of its 5 maturity levels:
Level | Definition | Requirement
0 | Non-Existent | There is a complete lack of any training and education program.
1 | Initial/Ad Hoc | Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.
2 | Repeatable but Intuitive | Informal training and education classes are taught that address the issues of ethical conduct and system security awareness and practices.
3 | Defined Process | Formal classes are given to employees in ethical conduct and in system security awareness and practices; training and education processes are monitored.
4 | Managed and Measurable | All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance.
5 | Optimized | Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. There is a positive attitude with respect to ethical conduct and system security principles.
Wednesday, June 8, 2011
HIPAA Privacy and Security Rules, and Security Awareness Training
HIPAA – the Health Insurance Portability and Accountability Act – is federal legislation passed in 1996 that addresses various elements of healthcare in the United States, including health insurance reforms and several other areas not related to privacy or security.
However, this law also includes a mandate for the US Department of Health and Human Services ("DHHS") to issue regulations that specify privacy and security protection for healthcare information about individuals.
HIPAA compliance requires training of almost all individuals who work for a healthcare organization – even those who may only be incidentally exposed to such information.
Examples of people who should be trained in the HIPAA regulations include:
• physicians, chiropractors, nurses, technicians
• administrators, clerks, order processing staff
• staff employees such as custodians, transportation, security
• volunteers, independent contractors, consultants and vendors
And the rules also require that these training programs are fully documented.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was finalized during the summer of 2002. Under this rule, healthcare organizations across the country must train all employees in the basics of patient privacy and confidentiality including concepts such as "Protected Health Information" (PHI) and the "Minimum Necessary" principle.
The HIPAA Security Rule
The final version of the HIPAA Security Rule was issued by the DHHS in February, 2003. This rule specifies a wide range of provisions to improve the way that patient information is secured against disclosure, modification or loss including security awareness training for all staff (including management) with access to patient information. These (addressable) measures include user training on:
• malicious software (viruses & worms)
• creating and managing passwords
• monitoring for and responding to login failure
as well as the provision of periodic security reminders.
Wednesday, June 1, 2011
PCI Data Security Standard and Security Awareness Training
The Payment Card Industry (PCI) Data Security Standard is a set of comprehensive security requirements that applies to merchants and service providers who process and/or store payment card information. The standard was developed by Visa and MasterCard, and has now been adopted by the other major credit card issuing companies.
The part of the standard that relates to security awareness and training is section 12.6 which requires merchants and service providers to:
Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
- Educate employees upon hire and at least annually.
- Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
- Merchants and service providers are also required to provide appropriate training to staff with security breach response responsibilities.
Thursday, May 5, 2011
Embedding security awareness training in new hire orientation
A relatively easy way to start ensuring that your employees have a fundamental base of security awareness knowledge is to embed it in the orientation and new hire process. Having the new hire go through a security awareness training program that is linked to corporate policy knowledge ensures that the employee understands not only the policy itself but the risks and consequences of not adhering to that policy. Security awareness training during the orientation stage also makes the new employee more likely to recognize and detect potential breaches.
The challenge of course is ensuring that the HR department is in sync with the IT department or with the organization's CISO to ensure that this type of training gets included, the delivery method that is most effective and how to reinforce the behavior once initially learned. Does your organization include security awareness in its new hire training program? Is it effective?
The answers to these questions will be very large determining factors in the success of your information security training program and in the protection and security of your information.
Monday, April 18, 2011
Engaging Your Staff in Security Requires Leadership
Over the years, much has been written about how important it is to ‘engage’ staff in information security, but very little about how to do this in practice. And what little advice I see seems to be limited to providing giveaways and trinkets. Surely, there has to be more than this? Researching further into the more general topic of employee engagement, I found what employee engagement actually means.
Here’s a definition that I like: “Engagement can be seen as a heightened level of ownership where each employee wants to do whatever they can for the benefit of the internal and external customers.” Note that there’s no mention of giving away coffee mugs with slogans, trinkets or pasting motivational posters to walls!
So how do we achieve this? We need to follow key elements that contribute to improving employee engagement of end-users in information security in a general business sense:
1. Connect
2. Clarity
3. Convey
4. Congratulate
5. Contribute
6. Confidence
1. Connect - Leaders must show that they value employees. Employee engagement is a direct reflection of how employees feel about their relationship with the boss.
2. Clarity - Leaders must communicate a clear vision. Success in life and organizations is, to a great extent, determined by how clear individuals are about their goals and what they really want to achieve. In sum, employees need to understand what the organization’s goals are, why they are important, and how the goals can best be attained.
3. Convey - Leaders clarify their expectations about employees and provide feedback on their functioning in the organization.
4. Congratulate - Exceptional leaders give recognition, and they do so a lot; they coach and convey.
5. Contribute - People want to know that their input matters and that they are contributing to the organization’s success in a meaningful way. In sum, good leaders help people see and feel how they are contributing to the organization’s success and future.
6. Confidence - Good leaders help create confidence in a company by being exemplars of high ethical and performance standards.
Note that there’s nothing in this list about giveaways to persuade people to attend training sessions, or posters to remind them about security every time they turn a corner, or Flash animations and games in web-based training courses. In fact, the root causes of employee engagement might be less about the employees, and more about effective leadership. And that means end-to-end leadership from the executive ranks to line management. As security educators, if we want to make a real difference to security (not just be compliant with regulations), we need to bear that in mind when putting together our training and communications programs. We need to include training and communications elements for managers and executives.
Thursday, March 24, 2011
Educate – Inform – Secure
Educate your employees about information security or all the security tokens in the world won’t save you.
A company may have a decent size security budget and spend it effectively on firewalls and other protection devices but if you fail to educate your end-users all that investment can be for nothing. Hackers, spammers and other evil doers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats but it is important to implement a general awareness campaign that covers a wide range of information security issues from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.
Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so the user will come to expect it and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood for confusion which could assist targeted spam attempts.
Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation.
Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than material that would put an insomniac to sleep.
Provide Examples – Many people learn best from examples, and there are plenty of those readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the point more real and less theoretical. People listen more when they know others have fallen for a trick, and are more likely to absorb the information.
Be relevant – Providing examples that they can use at both work and home is a great way to keep people interested. Examples include safe Internet surfing, avoiding spam emails, and the importance of having up to date anti-virus signature files.
Consider Posters – Emails are great, but they are oftentimes easily ignored. Utilizing posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.
Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.
Wednesday, March 9, 2011
Security Awareness and The Ponemon Institute Study
Security awareness once again appears to be a solution to data breaches. With negligence being the leading cause of data breaches, it only stands to reason that a robust and effective information security awareness program will go a long way towards reducing the number and cost of data breaches. This is why it is paramount for senior management to institute and maintain such a program. It should not be a cookie-cutter program given to employees just to meet legal and regulatory requirements. It should be relevant to the industry and company, and should aim to change the security culture of the employee.
The average cost of a data breach increased 5 percent in 2010 to $214 per compromised record, according to the sixth annual U.S. Cost of a Data Breach study by the Ponemon Institute.
Indirect breach costs, such as the loss of customers, outweigh direct costs by nearly two to one, according to the study. But direct costs rose five percentage points to account for 34 percent of total costs in 2010, primarily because of increased legal defense expenses.
"The sharp growth in direct costs and slight but persistent decrease in indirect costs over the past three years may indicate that companies are taking their response to data breaches more seriously than ever," according to the report's executive summary.
Breach Causes
Among the report's other key findings:
• The leading cause of breaches is negligence, accounting for 41 percent, up from 40 percent in 2009. The cost of these breaches averaged $196 per record, up 27 percent from 2009.
• Of the various causes of data breaches, malicious or criminal attacks increased the most in 2010, now accounting for 31 percent of breaches.
• For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in total data breach cost, the study shows. The industries with the highest 2010 churn rates were pharmaceuticals and healthcare.
• Protecting against viruses, malware and spyware infection was the No. 1 data protection priority for the studied companies in 2010.
• Training and awareness programs remained the most popular post-breach remedies in 2010, mentioned by 63 percent. Expanded use of encryption was the second most popular, at 61 percent.
Monday, February 28, 2011
More effort and time needed for information security, training, and awareness activities
The weakest link in information security and privacy is people. Multiple studies show that most incidents and breaches occur because people simply didn’t know what they were doing, or they made a silly mistake because they were not told how to perform their job responsibilities while keeping information security in mind, or they maliciously did bad things because they knew that, with lack of awareness of their co-workers, they would likely not get caught. Informed and aware personnel are countermeasures against security incidents and privacy breaches.
Training and awareness need to be a prime factor in an organization's successful security and privacy compliance program. Many laws and regulations explicitly require formal, ongoing training and awareness: not only HIPAA, HITECH, and GLBA, but also many other federal, state and local laws, regulations and industry standards. Fines and penalties will become increasingly significant for organizations that lack effective training and awareness activities.
A large number of organizations do not have a formal training and awareness program. The training and awareness activities that are in place have often not been effective. In many other organizations absolutely no training and no awareness communications or events exist at all. Not only does this put information at risk of incidents resulting from lack of knowledge and from more mistakes, it is also a significant noncompliance infraction. Most other regulations require ongoing training and awareness to be occurring right now. Organizations need to make training and awareness a priority in their information security, privacy and compliance programs.
Training and awareness are the least expensive, and most effective, control that an organization can implement to prevent incidents and breaches. I've seen the direct and measurable benefits many times; those who try to tell you otherwise have not done it effectively, likely because they didn't believe it would work in the first place. But, unless you want to have increasing incidents and breaches resulting from silly mistakes and simple lack of knowledge, you need to be more proactive in providing regular training and ongoing awareness communications and activities.
Monday, January 31, 2011
End users can be educated
Security awareness trainers understand that most end users can't really be "trained" in how to protect their systems and their corporate networks. However, if all systems are securely configured and protected, security awareness training can help end users understand the security risks and know which mistakes to avoid.
Information security is primarily focused on technological solutions and most organizations have implemented anti-virus, firewalls, IPS, monitoring and logging and a host of others to keep out the bad guys. However, despite all the technology to secure sensitive data, the weakest link is the end user. End users need to interact with sensitive data in order to get their jobs done. The legal and regulatory landscape recognizes this and outlines to organizations how to minimize risk by limiting the number of employees that have access to this data as well as clearly outlining that a security awareness program has to exist in the organization. It also outlines that employees need to attend at a MINIMUM, annual awareness training.
As an organization, are you just doing the minimum? Unfortunately, many organizations are. Perhaps a yearly lunch-and-learn reminder is all you are doing? This is nice, but how about doing it on a monthly basis? Perhaps you do something to remind your employees that they need to be extra careful with information? Do you believe this is sufficient to address the potential risk of sensitive data leakage? Think again. Security awareness needs to work in conjunction and partnership with technology solutions to be successful.