Is There Real Value in Having an Information Security Awareness Program?
Absolutely... Here's Why:
• By creating and maintaining an Information Security Awareness Program as part of an overall Information Security Program, you can greatly increase employee participation in maintaining a safe and secure work environment.
• One of the primary corporate obligations is to protect Corporate Information, and the Customer Information of which the company is the custodian.
Every employee must understand corporate concern with Information Security, and it is management's responsibility to ensure that ALL personnel are made aware of pertinent practices, and the requirement to understand and heed them.
However, an effective Information Security Program cannot be defined solely in terms of trust. Rather, it must be based upon the same prudent business practices that applied to earlier manual systems: careful definition of individual responsibilities, separation of controls, maintenance of audit trails, protection of vital records, and access to information limited on a "need-to-know" basis.
An effective Information Security Program includes awareness, education, training, policies, procedures, controls, reviews, and especially, separation of responsibilities. However, good Information Security Practices require more than correct practices to be effective. They must have real and continued management backing and involvement. Management must be pro-active regarding Information Security Practices. They must let their people know it's important through example. They must take pride in their program. They must help bring about attitudinal changes in their people through: strongly administered security awareness programs; a clear understanding of the reasoning behind Information Security Practices; real concern about Information Security; and dissatisfaction with anything less than great Information Security.
In addition, to be successful with Information Security Practices, management must also organize their team so there are clearly defined roles and responsibilities, with no conflicts of interest. Separation of responsibilities must be an integral part of Information Security. Training must be provided as required.
Here are some suggestions on what your program should include:
• Information handling requirements for classifying data
• Procedures for data / media handling, retention, and disposal
• Computer resource abuse, and virus protection, detection, and reporting
• Physical security requirements for data and equipment
• Data and equipment import / export requirements
• Frequency and need for reviewing invalid log-on and violation reports
• Business Continuity / Disaster Recovery Planning
• Adherence to the laws and ethics that govern us, e.g., copyright infringement, software licensing, export compliance, etc.
• Employee safety / emergency training (for example, evacuation routes, shelter locations, hazardous material training, fire training, blood-borne pathogen awareness)
Here is the Return On Investment (ROI):
If you implement a Program, you enable the results that follow from fewer (maybe zero) information security incidents (this is the ROI $) and fewer (maybe zero) audit comments written during an IT audit, and at a minimum you will have accomplished the following:
• Improved the morale of employees by providing them with the information they need to perform their jobs effectively.
• Presented Information Security issues to the company leadership team on a consistent basis so that Information Security is identified as important and integral to the way you do business.
• Helped to enable good audit reports by providing employees with knowledge on Information Security issues.
• Strengthened the relationship with your customer by reinforcing good Information Security practices.
• Made employees aware of their responsibilities.
• Helped to enable the protection of information / assets.
• Helped to enable timely recovery in the event of a disaster.