Monday, December 17, 2012

Information Security Best Practices: Annual Updates and Reporting


Don’t let all your hard work go to waste. The worst thing to do after investing time and resources into your information security program is to allow it to sit on the shelf and become obsolete. Threats and risks change daily, and it is imperative that your policies stay up to date. Requiring an annual review, with results reported to the Board of Directors and senior management, will help to ensure that your program remains current and can handle future incidents.

Monday, December 10, 2012

Information Security Best Practices: Incident Response


Hands down, the worst time to create an incident response program is when you are actually having an incident. You can’t undo what has happened and you’re in crisis mode dealing with the after-effects of the breach. That is not the time to be putting policy to paper.

Your reputation is severely at risk, and if you respond inadequately you risk making it worse with law enforcement as well as your customers. Act as if a breach is inevitable and take the time to develop the language and procedures you will use in the event of an incident to ensure you’re prepared when the time comes.

Monday, December 3, 2012

Information Security Best Practices: Employee Awareness Training


How well informed are your employees to identify or prevent a security incident? Each and every one of your employees can act as a member of your own security army with some simple training. The first step in recruiting them for the cause is to set the expectations appropriately and communicate those expectations in your policy.

Wednesday, November 21, 2012

Information Security Best Practices: Wireless Networking


There is no doubt that the implementation of wireless networks has saved many organizations both time and money in comparison with traditional cabling. As you decide what type of network connectivity to adopt, understand that with the increased flexibility allowed by wireless, a stronger encryption standard is required to ensure the network is not abused.

Friday, November 9, 2012

Information Security Best Practices: Password Requirements and Guidelines

Your employees dread having yet another password to remember. The more complicated the requirements you impose in the name of security, the more likely they are to write passwords down and expose them to others. Establish a strong password policy, but keep it within reason for your employees. Sometimes a little additional training on why the policy is the way it is can be all you need to gain acceptance.
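As an added illustration of the balance this post describes (this is example code, not something from the original post), the validator below expresses a password policy as a handful of length- and denylist-based rules and returns a plain-language reason for every failure, so the rejection itself does some of the “why” training. The minimum length, the small denylist of common passwords and the distinct-character rule are all assumptions chosen for the example.

```python
# Password policy as code: few rules, each explained to the user.
# Thresholds and the denylist are assumptions for this example, not from the post.
MIN_LENGTH = 12
MAX_LENGTH = 64
MIN_DISTINCT_CHARS = 4

# Constructed denylist; a real deployment would load a much larger list of breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein",
    "qwerty123", "summer2012", "changeme",
}


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return a list of reasons the candidate fails policy; empty list means accepted.

    Each reason is written for the employee, not the administrator, so the
    feedback explains the rule rather than just refusing the password.
    """
    reasons = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        reasons.append(
            f"must be at least {MIN_LENGTH} characters; a longer passphrase of "
            "several words is easier to remember than a short complex string"
        )
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"must be no longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("is on the list of commonly guessed passwords")
    if username and username.lower() in lowered:
        reasons.append("must not contain your username")
    if len(set(candidate)) < MIN_DISTINCT_CHARS:
        reasons.append(
            f"must use at least {MIN_DISTINCT_CHARS} different characters; "
            "repeating one character does not add strength"
        )
    return reasons


def is_acceptable(candidate: str, username: str = "") -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(candidate, username)


if __name__ == "__main__":
    # Constructed sample inputs to show the feedback an employee would see.
    for pw in ["Password1", "jsmith-summer-2012", "aaaaaaaaaaaaaaaa", "correct horse battery staple"]:
        problems = check_password(pw, username="jsmith")
        print(pw, "->", "accepted" if not problems else "; ".join(problems))
```

The point of returning reasons rather than a bare boolean is that the message itself teaches the rule, which is the cheapest form of the “additional training” the post mentions.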

Monday, October 15, 2012

Information Security Best Practices: Data Classification and Retention


Lessen your liability by classifying exactly what type of data you need and how long you need it. A breach is bad enough; what’s worse is if data is stolen that you didn’t need to keep or shouldn’t have had to begin with. In the case of TJX (“PCI DSS auditors see lessons in TJX data breach”, TechTarget), many of the credit card numbers affected had no business purpose in being kept.
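To show what “classify what you need and how long you need it” looks like when it is enforced rather than just written down, here is an added example (not code from the original post) that runs a retention review over a constructed set of records. The data classes, retention periods and the rule that full card numbers are never retained are assumptions for the example; the post itself does not specify any of them.

```python
from datetime import date

# Constructed retention policy (assumption, not from the post):
# data class -> maximum days to keep, or None for "never store at all".
RETENTION_DAYS = {
    "card_pan": None,               # full card number: no business purpose after authorisation
    "transaction_summary": 7 * 365, # kept for dispute handling and accounting
    "marketing_contact": 2 * 365,   # consent assumed to lapse after two years
}


def review_record(record: dict, as_of: date) -> str:
    """Decide what to do with one record: 'keep', 'purge' or 'unclassified'.

    Unclassified data cannot be judged at all, which is itself a finding:
    the classification step has to happen before retention can be enforced.
    """
    data_class = record.get("data_class")
    if data_class not in RETENTION_DAYS:
        return "unclassified"
    limit = RETENTION_DAYS[data_class]
    if limit is None:
        return "purge"  # should never have been kept, regardless of age
    age_days = (as_of - record["created"]).days
    return "purge" if age_days > limit else "keep"


def review_inventory(records: list[dict], as_of: date) -> dict[str, list[str]]:
    """Group record ids by decision so the review can be reported and acted on."""
    decisions: dict[str, list[str]] = {}
    for record in records:
        decisions.setdefault(review_record(record, as_of), []).append(record["id"])
    return decisions


# Constructed sample inventory. Only ids and classes are stored here; a real
# review would read these from a data catalogue or the systems themselves.
RECORDS = [
    {"id": "r1", "data_class": "card_pan", "created": date(2012, 9, 1)},
    {"id": "r2", "data_class": "transaction_summary", "created": date(2011, 3, 15)},
    {"id": "r3", "data_class": "transaction_summary", "created": date(2004, 1, 2)},
    {"id": "r4", "data_class": "marketing_contact", "created": date(2009, 10, 1)},
    {"id": "r5", "created": date(2012, 1, 1)},  # never classified
]

if __name__ == "__main__":
    for decision, ids in sorted(review_inventory(RECORDS, date(2012, 10, 15)).items()):
        print(f"{decision:>12}: {', '.join(ids)}")
```

The review separates three outcomes on purpose: “purge” is the liability the post is talking about, but “unclassified” is the more common real-world state and is the one that has to be fixed first.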

Tuesday, October 2, 2012

Information Security Best Practices: Data Classification and Retention

Lessen your liability by classifying exactly what type of data you need and how long you need it. A breach is bad enough; what’s worse is if data is stolen that you didn’t need to keep or shouldn’t have had to begin with. In the case of TJX, many of the credit card numbers affected had no business purpose in being kept.

Wednesday, August 29, 2012

Information Security Best Practices: Physical Security


Documents don’t walk out of the office on their own. Having strict rules about who can physically access your offices and how they gain entry can decrease the likelihood that an unauthorized individual is present to steal information. The next step is to ensure that your policy documents how physical information is stored and destroyed.

Monday, August 20, 2012

Information Security Best Practices: Vendor Management


You’re only as strong as your weakest link, and when you work with third-party providers, their information security failures can become your problem. Make sure you document which vendors receive confidential information and how that information is treated while in the vendor’s custody. The lack of strict vendor guidelines increases the risk of releasing your customers’ private information.

Tuesday, July 31, 2012

Information Security Best Practices: Software Updates and Patches

What’s your stance when it comes to patch management? Do you require patches and upgrades to be implemented immediately? Are you sure you’re actually doing what your policy says? Random checks to confirm you are following your own rules are the best way to monitor the activity.

If you’re scratching your head at my use of the phrase “patch management”, understand that if you don’t keep up to date on your system patches and upgrades, you leave yourself wide open to the most basic of attacks. If you never update, the number of known vulnerabilities in your environment only grows. Your best practices Information Security Program should clearly document your patch management procedures and the frequency of updates.
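The “random checks” the post recommends can be scripted. The following is an added example (not code from the original post) that draws a seeded random sample from a constructed host inventory and compares each host’s last patch cycle against a maximum age that depends on the severity of what is still pending. The severity windows, the `Host` record and the inventory are all assumptions; the post says to document a frequency but does not name one.

```python
from dataclasses import dataclass
from datetime import date
import random


@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date        # date the last patch cycle completed on this host
    pending_severity: str     # highest severity still pending: "critical", "important" or "none"


# Assumed policy windows (days). The post only says the frequency must be documented.
POLICY_MAX_AGE_DAYS = {"critical": 7, "important": 30, "none": 90}


def check_host(host: Host, as_of: date):
    """Return None when the host complies with policy, otherwise a finding string."""
    allowed = POLICY_MAX_AGE_DAYS[host.pending_severity]
    age = (as_of - host.last_patched).days
    if age > allowed:
        return (f"{host.name}: {age} days since last patch cycle, policy allows "
                f"{allowed} with {host.pending_severity} patches pending")
    return None


def spot_check(inventory, as_of: date, sample_size: int, seed: int = 0):
    """Audit a random sample of hosts. Returns (sampled host names, findings), both sorted.

    The seed makes the sample reproducible so an auditor can repeat the check;
    vary the seed between runs so the same hosts are not picked every time.
    """
    rng = random.Random(seed)
    sample = rng.sample(list(inventory), min(sample_size, len(inventory)))
    findings = sorted(f for f in (check_host(h, as_of) for h in sample) if f)
    return sorted(h.name for h in sample), findings


# Constructed inventory; in practice this comes from your asset or patch system.
INVENTORY = [
    Host("web-01", date(2012, 7, 28), "critical"),    # 3 days old, within 7
    Host("web-02", date(2012, 7, 10), "critical"),    # 21 days old, exceeds 7
    Host("db-01", date(2012, 7, 5), "important"),     # 26 days old, within 30
    Host("db-02", date(2012, 6, 1), "important"),     # 60 days old, exceeds 30
    Host("file-01", date(2012, 4, 1), "none"),        # 121 days old, exceeds 90
    Host("print-01", date(2012, 6, 15), "none"),      # 46 days old, within 90
]

if __name__ == "__main__":
    names, findings = spot_check(INVENTORY, date(2012, 7, 31), sample_size=3, seed=42)
    print("checked:", ", ".join(names))
    for finding in findings or ["no policy violations in sample"]:
        print(" -", finding)
```

Recording the sampled host names alongside the findings matters as much as the findings themselves: a clean result is only evidence of compliance if you can show which systems were actually examined.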

Thursday, July 19, 2012

Information Security Best Practices: End User Acceptable Use Guidelines

Your policy should contain specific language detailing what employees can do with “your” workstations. While we hope that all company property is used for company purposes, this just isn’t the case in real life. Instruct employees as to what is considered business use and explain the risks of downloading games or using tools like instant messaging.

Thursday, June 28, 2012

Information Security Best Practices: The Information Security Officer

The first thing that any security program must do is establish the presence of the Information Security Officer. Depending on the size of your security environment, this could be a full-time position or a current employee who has the availability to take on further duties.

Besides the time element, the organization must clearly define the expectations of the Information Security Officer and determine whether an individual is capable of filling the role. In a later post I will describe the attributes that define “capability”, but the complete absence of someone in this role means that information security is not a priority in your organization.

Thursday, May 10, 2012

The final word

Jumping directly to often mind-numbing, glassy-eye-causing, security training is not usually the best approach to changing employee behavior.  Employees have to understand why protection of information assets is important, and why they should care.  Awareness efforts, beginning with the first day of employment, and regularly reinforced, are the best way to get them interested in taking the next step.

Collecting post-presentation employee input, and actually using it to tailor the message to better fit the audience, is another great way to keep employees involved.

Friday, April 27, 2012

Evaluation


All efforts to enlighten employees must be evaluated.  Here we’ll look at participant evaluation forms.
 
Identifying the right content for awareness presentations, for preparing users for more focused training, is not easy.  The initial process for deciding what to include, and who should assist in the decision making, is covered in our previous planning discussion.  But we don’t always get it right the first time.  In addition, our audience might see benefit in adding, subtracting, or expanding content.  The delivery method might also need work. 
 
Use of evaluation forms is an excellent way to get participant feedback and to alert us to ways of reaching our awareness objectives more effectively. The National Institute of Standards and Technology (NIST) Special Publication 800-16, Information Technology Training Requirements: A Role- and Performance-based Model, contains a great sample student questionnaire (Exhibit 5-2, p. 165).

Friday, March 30, 2012

Delivery method


There are three principal methods of delivery for the security awareness message: Web-based, offline, and instructor-led. Web-based delivery is the best way for most distributed organizations to reach all employees. Multi-purpose authoring tools enable customized messages, delivered by PowerPoint and enhanced with audio. They also allow integration of quizzes and tracking of participation. Placing an awareness presentation on the company Intranet, with participation tracking enabled, is a good way to reach everyone. It’s also a good way of demonstrating awareness efforts to auditors.

Offline awareness presentations are provided for those employees without high-speed access to the Intranet. However, special delivery packages are not usually needed if multi-purpose tools are used. For example, the training modules on my site are available for either online viewing or for download. I could also choose to distribute them via CD-ROM.

Instructor-led training is typically not necessary for initial awareness delivery. The content should be high-level, easy to understand, and applicable to every participant. It’s usually appropriate to reserve classroom training for in-depth training of targeted audiences.

Regardless of the delivery method, it’s important to validate that everyone participates. Leaving pockets of employees unaware of the importance of security and of how their actions affect system assurance is like leaving one or more windows open on a locked house.


Wednesday, March 14, 2012

Raising Employee Awareness

Building employee awareness begins with the new hire orientation process. Make sure this is included in your ISATP. On their first day, employees should understand what is and is not considered safe behavior. This initial exposure to company expectations might consist of requiring each person to sit through a short awareness presentation, followed by their reading and signing the acceptable use and password management policies.

Break training into three different content groups, based on whether the target audience is management, IT staff, or business users. This is fine for training, but the awareness message is the same for all employees, regardless of role. Organizations which are just now implementing an ISATP should follow up with existing employees to ensure the awareness message is consistently distributed throughout the entire workforce.

Wednesday, February 29, 2012

Awareness vs. Training

It’s a big temptation to jump right to how-to and policy training when implementing an Information Security Awareness Training Program (ISATP). However, you need to prepare your target audience first. Each person in your organization must understand why security is important. They must also recognize management’s commitment to information asset assurance. Finally, each employee should understand the impact—both personal and organizational—if security best practices (as defined in policies, standards and guidelines) are not followed.


Once you have their attention, you can ask them to accept requests to sit through security training sessions, sessions that drag them away from their normal job of actually running or supporting business operations. A more important effect of awareness might be employees’ willingness to listen and learn.

Thursday, February 23, 2012

Security begins with employee understanding and acceptance

Security awareness and training are typically covered under the single heading of Information Security Awareness Training. In fact, that’s the approach I took in the previous two posts on this topic, covering how to change employee behavior at a high level. This high-level approach is appropriate for many organizations, especially those with tenuous management commitment and a meager budget. However, awareness and training, when part of a formal methodology for employee behavior modification, are actually two different activities.

In future posts I will look at creating secure behavior in our organizations with a process for preparing users for more focused training.

Tuesday, January 10, 2012

Information Security Awareness – Educate, Inform, Secure

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users all that investment can be for nothing. Hackers, spammers and other evildoers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.


Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so the user will come to expect it and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood of confusion, which could assist targeted spam attempts.


Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation and


Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than stuff that would put an insomniac to sleep.


Provide Examples – Many people learn best from examples, and there are plenty of those readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the point more real and less theoretical. People listen more closely when they know others have fallen for a trick, and are more likely to absorb the information.


Be relevant – Providing examples that they can use at both work and home is a great way to keep people interested. Examples include safe internet surfing, avoiding spam emails, and the importance of having up-to-date anti-virus signature files.


Consider Posters – Emails are great, but they are oftentimes easily ignored. Using posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.


Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.