Raising security awareness is a role which needs to be played by everyone, but in the corporate world it’s a role which needs top performances of management and those who are responsible for security.
That’s because those are the people who are should be most concerned by the impact, financial, reputational or organizational of security incidents. If these key management people do not take action, security awareness will never be raised and the organization will keep on having a bigger than desired security exposure.
That’s of course easier said than done. So how should we go about ? Here’s a start (but by no means the only way, neither has it the pretention of being exhaustive).
Establishing direction and objectives
Every organization is different. It has different culture, different kind of users, other ways of doing business.
So there is no “one size fits all” approach in most cases. So before starting up a program we should look at the organization and identify areas of security improvement.
Some questions one might want to ask during such an analyses are :
■which security incidents occur frequently in our organization ?
■what is the impact of these security incidents (financial, reputational, organizational, …) ?
■what is already in the organization’s security policy and what is not ?
■how can the security policy be improved ?
From these questions one might decide some key areas for improvement, and one might even see that the current security policy is unclear on some topics and therefore could be improved.
After revising the security policy (if needed) one should have a clear indication, by means of a gap analyses between the security policy and the actual state of security in the organization, of the key priorities to focus on in a security awareness program.
It’s obvious that this kind of analyses might lead to other security projects as well, as there might be gaps identified which can not be resolved by increasing the awareness levels only.
Establishing a security awareness plan
According to the US National Institute of Standards and Technology (NIST), there are three major steps in the development of an IT security awareness and training program :
■designing the program (based upon the previously performed gap analyses)
■developing the awareness and training material
■implementing the program
NIST security awareness program stack
Even a small amount of IT security awareness and training can go a long way toward improving the IT security posture of, and vigilance within, an organization.
This program deserves support from senior management. If support is not there, and the awareness campaign is done from inside the IT department for example, it is obvious that the program will get less attention and might be qualified by users as some other IT “thing” they have to cope with.
Directions from senior management are most of the time perceived by our users as something to which they should pay closer attention to; and therefore it will be more effective.
Experience shows that a gap analyses executed on an organisation can reveal a longer list than expected of issues to tackle. It might be that you need to come to terms with the fact that you will not be able to solve everything at once.
Determining priorities in the communication you will convey are therefore probably needed. You should forget either that users also have a limited capacity to cope with too much information. cope with too much information. So it might be better to communicate about fewer topics instead of trying to communicate everything (at once).
So focus and prioritization comes into play. Here are some ideas as suggested by NIST :
■Password usage and management – including creation, frequency of changes, and protection
■Protection from viruses, worms, Trojan horses, and other malicious code – scanning, updating definitions
■Policy – implications of noncompliance
■Web usage – allowed versus prohibited; monitoring of user activity
■Data backup and storage – centralized or decentralized approach
■Incident response – contact whom? “What do I do?”
■Changes in system environment – increases in risks to systems and data (e.g., water, fire, dust or dirt, physical access)
■Inventory and property transfer – identify responsible organization and user responsibilities (e.g., media sanitization)
■Personal use and gain issues – systems at work and home
■Handheld device security issues – address both physical and wireless security issues
■Use of encryption and the transmission of sensitive/confidential information over the Internet – address agency policy, procedures, and technical contact for assistance
■Laptop security while on travel – address both physical and information security issues
■Personally owned systems and software at work – state whether allowed or not (e.g., copyrights)
■Timely application of system patches – part of configuration management
■Software license restriction issues – address when copies are allowed and not allowed
■Supported/allowed software on organization systems – part of configuration management
■Access control issues – address least privilege and separation of duties
■Individual accountability – explain what this means in the organization
■Use of acknowledgement statements – passwords, access to systems and data, personal use and gain
■Visitor control and physical access to spaces – discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity
■Desktop security – discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems
■Protect information subject to confidentiality concerns – in systems, archived, on backup media, in hardcopy form, and until destroyed
■E-mail list etiquette – attached files and other rules
Some of these surely also apply to your organization …
Establishing the security culture
The most successfull security awareness programs are those which are repetitive and spanned in time.
Humans tend to forget quickly (especially if they have other work to do).
Therefore repetition over a longer period of time is the key to the success of your security awareness program.
Only this way you can achieve an organizational culture where users have a security aware culture and act accordingly. And that’s what we’re aiming for.
So it’s time to act and try to convey the message to your management !
Source : ITsecurity.be