Information Security Awareness Guidelines

If you're looking for the business rationale to institute a full-blown Information Security Awareness Program, which almost always has a Security Awareness Newsletter as the primary medium of communication, this information will meet your needs.

The information documented here is written from an audit compliance, or auditor's, perspective. If you implement an Information Security Awareness Program, you will enable the results that follow from it: fewer (maybe zero) information security incidents, and fewer (maybe zero) audit comments written during an IT audit.

DEFINITION:

Before we proceed we must give you our definition of Information Security from an auditor's perspective, so you comprehend the scope of everything that we suggest falls under the "greater umbrella" of Information Security.

It is based on a triangle whose three legs are Information Security, Business Continuity, and IT Compliance. Each of these legs can be defined as follows:

The Information Security leg consists of confidentiality and integrity. Confidentiality ensures that company / customer information is not disclosed to anyone who is not authorized to access it. Linked to this concept is need-to-know: authorizing access only to those who can demonstrate a legitimate business need for the information. Integrity ensures that information cannot be accidentally or intentionally modified or destroyed.

The Business Continuity leg consists of mitigation, crisis management, and contingency management. Mitigation deals with reducing or eliminating risks. Crisis management deals with the planning and training of people for the survival of the business team and the business entity following a disaster. Contingency management deals with planning for the recovery and continuation of critical internal and customer business functions following a service interruption, and the testing of business recovery plans. This segment has also been known as availability in the past, but the scope is much broader today.

Finally, the IT Compliance leg consists of sound business practices that do not fall within the scope of the other two legs. Included in the scope of the IT Compliance leg is adherence to the laws and ethics that govern us, i.e., copyright infringement, software licensing, export compliance, etc. These are controls, laws, or ethics principles, and are exactly what auditors look for, which is why the leg is called IT Compliance (being able to pass a stringent audit because the business is controlled, information is adequately protected, and laws are not being violated).

BACKGROUND:

One of the primary corporate obligations is to protect Corporate Information, and the Customer Information of which the corporation is the custodian. Every employee must understand the corporation's concern with Information Security. It is management's responsibility to ensure that ALL personnel are made aware of pertinent practices, and of the requirement to understand and heed them.

An effective Information Security Program cannot be defined solely in terms of trust. Rather, it must be based upon the same prudent business practices that applied to earlier manual systems: careful definition of individual responsibilities, separation of controls, maintenance of audit trails, protection of vital records, and access to information limited on a "need-to-know" basis.

An effective Information Security Program includes awareness, education, training, policies, procedures, controls, reviews, and especially, separation of responsibilities. However, correct practices alone are not enough to make Information Security effective. They must have real and continued management backing and involvement.

Management must be pro-active regarding Information Security Practices. They must let their people know it's important through example. They must take pride in their program. They must help bring about attitudinal changes in their people through: strongly administered security awareness programs; a clear understanding of the reasoning behind Information Security Practices; real concern about Information Security; and dissatisfaction with anything less than great Information Security.

Executive management must ensure that newly appointed management is apprised in detail of your Information Security Practices, and of your pride in them, and that existing management is refreshed annually.

In addition, to be successful with Information Security Practices, management must also organize their team so there are clearly defined roles and responsibilities, with no conflicts of interest. Separation of responsibilities must be an integral part of Information Security. Training must be provided as required.

NOTE: Proof must be produced during an audit to substantiate one's practices. The minimum time for archiving audit documentation is six months.

Further, management must also learn to manage "smarter". The multitude of Information Security Practices required to address the major concerns and issues, and the associated workload, mandate that management be imaginative in administering the responsibilities to put Information Security Practices in place initially, and to keep them in place on an ongoing basis.

Both federal and state regulations exist that relate to control of, and authorized access to, information and computer resources:

  • The Foreign Corrupt Practices Act (FCPA) of 1977 made most corporate managers and directors personally liable for assuring that "transactions are properly authorized, transactions are properly recorded, and access to assets is properly controlled". The Act also requires management to provide shareholders with reasonable assurances that accurate books and records are properly maintained, and that the business is adequately controlled.
  • The Copyright Act of 1976 reaffirmed that computer programs and software are protected under the Federal Copyright Law. One must read and understand licensing agreements before attempting to make copies of programs or documentation.
  • All states in the United States have enacted Computer Crime Laws which establish specific penalties for unauthorized persons attempting to access a computer system, or for assisting someone in gaining unauthorized access to a computer system.

Once your program and practices have been established, permission to deviate from established security procedures should require a business case to be submitted to a divisional manager or higher authority for approval.

RATIONALE:

I. TYPICAL CURRENT SITUATION ASSESSMENT:

  • Audits consistently turn up fundamental Information Security violations.
  • Managers do not consistently promote or enforce good Information Security practices in their work groups.
  • Employees do not view software copyright violations as serious offenses.
  • Employees are not aware of the Information Security issues related to networks.
  • Viruses are an increasing threat to company computing systems.
  • Employees do not consistently back up their work and store the backups offsite to facilitate recovery in the event of a disaster.
  • Crisis and Contingency Management plans are not consistently in place across the entire company.
  • Employees do not view telecommunication fraud or misuse as serious offenses.
  • Distributed processing lacks the same level of controls that exist in mainframe environments.
  • Increased "hacking".
  • Increased theft of laptops.
  • Increase of widespread disasters such as earthquakes, floods, fires.
  • No consistency of Contingency Management plans across all platforms.
  • No consistent Information Security Awareness Program across the Company's Business Entities.

II. HIGH-LEVEL NEEDS DETERMINATION:

A robust Information Security Awareness Program will always support Corporate IT Policy and organizational goals and objectives:

  • Corporate IT Policy will state the need for Information Security Awareness, and if it doesn't, it should.
  • In general, most Corporate Audit Staffs will look at an Information Security Awareness Program as visible surface proof that management is concerned, the business is controlled, information is adequately protected, and laws are not being violated, which usually leads to a less stringent IT audit.
  • The value can be articulated to leadership in terms of their objectives.
  • The results can anticipate and satisfy company and customer unspoken needs.

III. ORGANIZATIONAL NEEDS IDENTIFICATION:

Personal Computer User Issues:

  • Corporate policy
  • Individual responsibility
  • Software usage / licensing concerns
  • Unauthorized software
  • Back-ups
  • CD / Floppy disk security
  • Practice and risks of exchanging diskettes between work and home
  • Virus protection
  • Business / non-business use
  • Housekeeping
  • Physical protection
  • Failing to log off
  • Risks to system

Manager's Responsibility Issues:

  • Corporate policy
  • Protection and integrity of assets under their control
  • Promotion of Information Security
  • Review and resolve unauthorized access violations
  • Investigate and correct exposures
  • Notification of personnel transfers and terminations
  • Material disposal
  • Segregation of duties
  • Secure the environment
  • Provide customer support
  • Perform random reviews of employee activity
  • Control of corporate resources
  • Ensure compliance to corporate policy
  • Authorize access and review privileges
  • Compliance with security policy
  • Compliance with business continuity policy
  • Compliance with network access policy

Employee Responsibility Issues:

  • Corporate policy
  • Individual responsibility
  • Ethical responsibility
  • Compliance with corporate and local policies
  • Material disposal
  • Protection and integrity of assets under their control
  • Passwords: sharing, writing down
  • Secure environment
  • Business continuity
  • Physical security
  • Knowledge of customer information
  • Clean desk practice

Contingency Management Issues:

  • Corporate policy
  • Individual responsibility
  • Customer service level requirements
  • Prevention procedures
  • Backup, off-site storage, and recovery
  • Alternate processing strategy
  • Network recovery strategy
  • Documenting disaster recovery plans
  • Customer reaction plan
  • Disaster recovery plan testing
  • Continuous improvement process

Crisis Management Issues:

  • Corporate policy
  • Individual responsibility
  • Evacuation
  • Severe weather actions
  • Bomb threats
  • What to do; where to go; who to contact

Retention, Disposal, and Handling Issues:

  • Corporate policy
  • Individual responsibility
  • Identifying sensitive information
  • Classifying sensitive information - company
  • Classifying sensitive information - customer
  • Printing sensitive information
  • Faxing sensitive information
  • Voice transmissions
  • Distribution of sensitive information
  • Inquiries from outside of company
  • Retention and storage of sensitive information
  • Reproduction of sensitive information
  • Disposal of sensitive information

Telecommunication Issues:

  • Corporate policy
  • Individual responsibility
  • Disaster recovery
  • Modems
  • Encryption
  • Networks
  • PBX toll fraud
  • Cellular phones
  • Travel call cards
  • Awareness
  • Voice mail protection

LAN / WAN Issues:

  • Corporate policy
  • Individual responsibility
  • Virus protection
  • Backup and recovery
  • Theft prevention
  • Copyrights and licensing
  • Secure data
  • Password standards
  • Housekeeping practices
  • Policy and procedures
  • Client server risks
  • Dialup access controls
  • Modems

IV. RISK IDENTIFICATION:

Potential risks to your business and your customers' business exist if no formal Information Security Awareness Program exists. You may not know about or be able to comply with Corporate Policies, procedures, and sound business practices, potentially resulting in the following:

  • Poor audit compliance reports; in addition to loose security, this is usually a career-limiting event
  • Loss of customer confidence in your business
  • Increased risk of loss of customer information
  • Risk to information integrity
  • Risk to information confidentiality
  • Risk to information availability
  • Increased vulnerability to theft
  • Increased vulnerability to unauthorized access
  • Increased risk to personal / physical safety
  • Unpreparedness for a disaster

Some areas of vulnerability or risk associated with Information Security are:

  • Ethical practices
  • Computer viruses
  • Personal safety
  • Software piracy
  • Handling of sensitive information
  • PC security practices
  • Building access
  • Telecommunications fraud
  • Leadership example / practices
  • Crisis management
  • Contingency management

V. VALUE DETERMINATION:

An Information Security Awareness Program will enable your business to accomplish the following:

  • Improve the morale of employees by providing them with information they need to perform their jobs effectively.
  • Present Information Security issues to the company leadership on a consistent basis so that Information Security is identified as important and integral to the way you do business.
  • Help to ensure good audit reports by providing employees with knowledge on Information Security issues.
  • Strengthen the relationship with your customer by reinforcing good Information Security practices.
  • Make employees aware of their responsibilities.
  • Help to ensure the protection of information / assets.
  • Help to ensure timely recovery in the event of a disaster.

VI. LEGAL & OTHER REQUIREMENTS:

FEDERAL:

  • ANTITRUST LAWS - May not share competitively sensitive information with competitors about prices, future product plans, marketing strategies, etc.
  • FOREIGN CORRUPT PRACTICES ACT (FCPA) - Makes all managers and directors personally liable for the protection of company assets under their control, specifically information.
  • COPYRIGHT LAWS - Copying of copyrighted software must be in strict compliance with all appropriate licensing agreements.

STATE:

Generally speaking, these laws make it illegal to attempt an unauthorized access or assist in an unauthorized access of a computer system.

CORPORATE REQUIREMENTS:

Employees must understand the requirements of the Corporate IT Policy.

MANAGER REQUIREMENTS:

Managers need to know:

  • corporate policy - company and customer
  • individual responsibility / liability
  • responsibility for the protection and integrity of assets under their control
  • responsibility to promote Information Security Awareness
  • obligation to see that unauthorized access violation reports are reviewed and resolved
  • obligation to investigate and correct known exposures
  • responsibility to ensure that information security personnel are expeditiously informed of all personnel transfers and terminations in order to remove system access privileges
  • responsibility to ensure that material is disposed of properly
  • responsibility to incorporate the segregation of duties concept where it makes good business sense
  • responsibility to ensure that the overall work environment is secure, and that information is protected during all phases of testing, and that the test and production environments are kept separate
  • responsibility to perform periodic random reviews of employee activities and datasets to act as a deterrent against non-business use of company resources
  • responsibility for compliance with all corporate policy, especially Information Security and Business Continuity
  • responsibility to ensure each user's access is limited to the minimum transaction and command sets necessary to accomplish assigned tasks

EMPLOYEE REQUIREMENTS:

Employees need to know:

  • Sensitive information handling practices
  • Ethical responsibility
  • Individual responsibility
  • Evacuation plans
  • Severe weather actions
  • Off-site usage of computer resources
  • Proper PC backup procedures
  • Voice mail protection
  • Etc.

CUSTOMER REQUIREMENTS:

Employees must be aware of customer policies and requirements for handling of customer data.

AUDIT REQUIREMENTS:

Employees must be aware of and exercise proper information handling procedures, as well as generally accepted sound business practices.

All of the issues surfaced here are addressable through a robust Information Security Awareness Program. These are all real business issues that any legitimate business would take action to address - action begins with AWARENESS.

Hopefully, we have given you enough ammunition to justify your Program! And... if you want to do something to "close the gap" in your organization, we have a Business Model to make IT happen.
