Security Begins at Home – James Carnie CITP CISSP
Information Security Governance encompasses people, procedures and technology. It is very easy to be seduced by the latest technology promising to detect all threats and mitigate an attack on the fly, but if you fail to educate your people, you are wasting your money. You may well be securing your front door (to the internet) but the back door and all the windows may still be open.
So how do you establish a security culture and ensure it continues?
This will not happen overnight, but if you follow these simple steps, good security practices will start to become part of the way in which your employees operate.
1. Senior Management Sponsorship – A security awareness programme will take time to plan and execute. There must be a senior management message communicated to all employees about the programme and why it is important. Departmental managers will be told of their role in the programme and must be allowed the time to train their staff.
2. HR involvement – The HR department must be part of the programme as the following things need to be established:
* General Security Policy: These are the rules and responsibilities that will apply to all employees regardless of their position and status in the company. This should include internet usage policy, password security, company property, home working, physical, logical and behavioural security.
* Job Specific Security Policy: Certain members of staff will have access to systems that hold sensitive information. There should be a document drawn up for each group of roles that determines the capabilities of that particular role and its limitations.
* Good Practice Guides: There should be guidelines published to help employees comply with security policy.
3. Training and Awareness Programme – Getting your employees to sign up to a policy that on the face of it seems to have little relevance to their job will not deliver the results you want to achieve as an organisation. You must brief all of your staff about Information Security Best Practices and the importance of compliance. You must explain in simple real world terms the risks of non-conformance both to the organisation, and the individual. You must instil a sense of personal responsibility into your employees and make sure they understand the consequences if they do not comply.
4. Include security training as part of a new employee induction process – Any new employees should be briefed on their Information Security obligations, and sign up to the General Security Policy and Job Specific Security Policy if applicable.
5. Reinforce via regular training – Periodic compulsory security training sessions should be established to make sure security remains a consideration across your workforce.
Information Security begins and ends with your workforce. If you spend some time establishing a security culture, the results will outstrip any single piece of technology, and the return on investment will be far greater.
Security Begins at Home – James Carnie CITP CISSP - 27/11/2008