Security Awareness: Looking Beyond Regulations

Over the years, security experts have religiously advocated that people are the weakest link in information security. Although the importance of security awareness in addressing this weakest link is common knowledge, the results of our efforts so far are not very encouraging. The seventh annual security research study by the Computing Technology Industry Association (CompTIA) found that the primary cause of security breaches is unintentional human error. Security awareness efforts are failing royally for some reason.

Naturally Aware of the Basics

Human beings are a naturally aware species. We teach our children never to speak to strangers or accept anything from them. We teach them to lock the doors of our homes when we sleep, and to be careful and look both ways when crossing the street. Essentially, we teach our children everything they need to know to enhance their personal security. Human beings have a natural tendency towards practicing and advocating better awareness. And yet, carrying this natural tendency over from personal security awareness to information security awareness remains a significant challenge today.

The Culprit: Regulatory Pressures

Regulatory compliance is seen as one of the major driving factors of information security today [2]. It is no surprise, then, that security awareness efforts often produce unsatisfactory results and increased skepticism about security awareness. Consequently, budget allocations for security awareness are often reduced further. In times when information security budgets are ever-shrinking, the amount allocated to security awareness is often up for internal debate. Yet lack of security awareness is, in fact, one of the most overlooked aspects of information security [3] and the root cause of many security breaches.

It is true that many current regulations require security awareness efforts:

Gramm-Leach-Bliley Act (GLBA)
Financial product and service providers governed by the GLBA are required to implement IT security awareness training.

Health Insurance Portability and Accountability Act (HIPAA)
Health plans, healthcare clearinghouses, and healthcare providers are governed by HIPAA. Personnel involved in handling Electronic Protected Health Information (ePHI) or Protected Health Information (PHI) must be provided security awareness training on an ongoing basis.

Sarbanes-Oxley Act
All publicly traded companies in the United States must comply with the Sarbanes-Oxley Act. These companies are required to establish ongoing IT security awareness efforts.

Federal Information Security Management Act (FISMA)
FISMA requires federal government agencies to establish security awareness training for personnel, including contractors. The agencies must report annually on their security awareness and training efforts.

Payment Card Industry Data Security Standard (PCI DSS)
While the PCI DSS is not a regulation, if you were ever to issue credit cards bearing the logo of one of its founding members (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.), you would need to comply with the PCI DSS. The standard requires educating employees upon hire and at least annually on the importance of cardholder data security and on how employees can maintain and enhance internal security controls.

Today's regulations requiring security awareness affect a wide array of industries, so it is very likely that any organization will encounter at least one of them. And regulatory compliance usually takes precedence over all else. When the compliance bells toll, time and money are as scarce as ever, and a fix-it-quick approach is often taken towards security awareness. Employee attitudes towards information security awareness efforts then simply follow suit. As a result, security awareness is seldom seen apart from the law that requires it. If regulatory compliance is the main aim of an organization's security awareness efforts, they will invariably end up as a mechanical procedure rather than a beneficial learning experience. This perfunctory approach to security awareness by top management always seeps down to the lower rungs of the hierarchy.

Compliance: A By-Product

People are the first line of defense in any organization against threats to information security. Think about it: these people often have the authorization to bypass all the technical security mechanisms in place. How else would you conduct business? If you spend hours applying the latest patches to all the technical infrastructure components in your organization, it is equally wise to apply up-to-date "patches" to the people in your organization on an ongoing basis. Compliance is best viewed as a by-product of an organization's security awareness efforts. To get desirable results from the investment you put into security awareness, look beyond the prism of compliance toward the greater good of your organization. Compliance will then naturally follow.

The Organization-Centric Approach

The right approach to security awareness is an organization-centric one. The first step should always be an effort to understand the organization's security awareness needs. This can be done using evaluation tools such as questionnaires, interviews, and quizzes. Even judgment calls can be very helpful at this stage, because nobody knows your employees better than you do.

Formal evaluation models such as the COBIT Maturity Model can also be employed to bring greater accuracy and objective data into the evaluations. The model assesses organizational maturity to indicate how well an organization manages information security. It uses a six-point scale ranging from the non-existent (0) maturity level to the optimized (5) maturity level. At the end of your evaluations, you should be able to point out specific security awareness areas that need improvement. Once this list is complete, prioritize these areas according to their importance to the organization in minimizing the risk of an information security compromise.

Security Awareness Program

Once you have a reasonably clear picture of the areas where your organization lacks security awareness, the next step is to plan a security awareness program that addresses these specific areas. A security awareness program is a series of campaigns that aims to steadily instill the right attitude towards information security in the minds of employees. To reinforce the importance of this approach, top management should formally communicate the details of the organization's security awareness program to the employees. A security awareness program should be well planned, with specific details such as the date, topic, intended audience, expected resources, and the method that will be used. A number of methods can be used, including:

- Articles and newsletters posted on the organization's intranet
- Webcasts and podcasts
- Security awareness posters (note that humor makes them eye-catching and interesting)
- Security awareness seminars and training events
- Live demonstrations that illustrate how things can go wrong
- Booklets and brochures
- Coffee mugs, pens, pencils, notepads, stickers, etc. bearing awareness messages

Ensure that the topics of security awareness communications are addressed in the order of the priority list identified previously. It is also important that these communications are in harmony with the organization's information security policies and procedures.

An Ongoing Process

Once a security awareness program is in place and underway, periodic evaluations should be performed to measure progress and make the necessary improvements and adjustments. Metrics such as the number of employees attending the training sessions, the number of security incidents caused by human error, and the number of hits received by the intranet pages can often help in these measurements. Social engineering engagements can also be extremely helpful at this stage. These engagements are performed by professional social engineers who run tests to evaluate how hackable the people of an organization are.

The Larger Awareness

Approaching security awareness at your organization with the right attitude and approach is vital. If you manage these two mission-critical aspects, compliance will easily follow. Compliance will then be a by-product, not an end product. While security awareness by itself is quite an underrated tool in the information security arsenal, an even larger awareness is probably the need of the hour: the awareness that security awareness deserves a healthier consideration that goes beyond regulatory requirements.

References
ERM wants to hear from YOU.

With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to

Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations, and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

Services
- IT Security
- Regulatory Compliance
- IT Audit
- Computer Forensics
- Risk Management
- Attestation

Certifications
- Certified Public Accountant (CPA)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Technology Professional (CITP)
- GIAC Security Essentials Certification
- GIAC Systems and Network Auditor
- Qualified Security Assessor (QSA)
- Approved Scanning Vendor (ASV)

Some of our Clients
- ABN-AMRO Private Banking
- Bacardi-Martini, Inc.
- Bancafe International
- Banco Industrial de Venezuela
- Banco ITAU
- Bank United
- Caja Madrid Bank
- Carnival Cruise Lines, LLC
- CitiBank
- Coconut Grove Bank
- Commerce Bank
- E-data Financial
- Florida International University
- Florida Power & Light Company
- Heico Aerospace
- Helm Bank
- Knight Ridder
- Nova Southeastern University
- Rinker Materials
- Rudy, Exelrod & Zieff, LLP
- Seabourn Cruise Line
- TecniCard, Inc.
- The International Bank of Miami
- TransAtlantic Bank
- U.S. Century Bank

For more information, visit
Phone:
Douglas Road, North Tower, Suite 835, Coral Gables, FL 33134