A FRAMEWORK FOR EVALUATING ICT SECURITY AWARENESS

HA Kruger, L Drevin, T Steyn
North-West University (Potchefstroom Campus)
Private Bag X6001, Computer Science and Information Systems, Potchefstroom, SA, 2520

ABSTRACT

ICT resources are important assets of any organization and the protection of these resources is equally important. To be able to protect themselves and their profitability, many organizations have established information security awareness programs. In order for a security awareness program to add value to an organization and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. This paper gives an overview of a suggested framework for evaluating ICT security awareness. Following a brief description of the framework, a more detailed overview of the identification of areas to be evaluated, using a value focused assessment, will be presented. Comments on possible system generated information that may be used to assist with the evaluation of the security behavior of users will also be presented.

KEY WORDS

ICT security, security awareness, value focused approach, ethics, framework, system data
1 INTRODUCTION

Information and information assets have become the lifeblood of organizations and the protection of these assets has become one of the major aspects that management has to deal with. Often huge amounts of money and time are invested in technical solutions while the human factor receives less attention. Technical solutions are necessary to address vulnerabilities such as viruses, denial of service attacks, etc. However, the involvement of humans in information security is of equal importance, and many examples exist of security issues, such as phishing and social engineering, where humans are involved.

One of the key defences to address human-oriented controls is the implementation of an information security awareness program. These programs are used to create and maintain security positive behavior amongst employees, and the goal of such a program would be to heighten the importance of information systems security and the possible negative effects of a security breach or failure (Hansche, 2001). The importance of security awareness programs is further emphasized in the BS7799:1, where the objective of user training is given as to ensure that all users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

Following the implementation of an information security awareness program there is usually a normal business need to evaluate and measure its success and effectiveness. Schlienger and Teufel (2005) stated that evaluation should always be the final step in an information security management program in order to obtain information on the efficiency and effectiveness of actions, to define follow-up actions and to justify investments in the program.
In an attempt to contribute to the evaluation process of an information security awareness program, this paper describes a suggested framework that may assist management with this task. The framework was developed jointly in an academic environment and at a private enterprise and it forms part of an ongoing research process. Progress to date will be highlighted; this includes an overview of the framework, the identification of areas to be evaluated using a value focused approach, and some comments on possible system generated data that may be used to assist with the evaluation of the security behavior of users.

The remainder of the paper is structured as follows. Section 2 presents an overview of the proposed framework. The identification of areas to focus on is discussed in section 3 and comments on the possible use of system generated data in the process are given in section 4. Section 5 concludes the paper with some general comments.

2 PROPOSED FRAMEWORK

An initial study to develop and test a prototype model was performed during 2005 at an international mining company (Kruger and Kearney, 2005). The proposed framework in this study is based on this earlier work and some of the aspects, techniques and approaches are similar to the previous study. Briefly, the suggested framework, which is presented schematically in figure 1, entails the following.
[Figure 1 Proposed Framework. Diagram labels: Stakeholders, VFA, Focus Areas, Employees, Knowledge Survey, Attitude Survey, Behavior Survey, Employee Survey Data, System Data, MODEL, Awareness Levels, Changes, Rules, Predictions]

As an initial step, certain areas on which measurements will be taken need to be identified. These focus areas are necessary to ensure that areas important to all stakeholders form the basis of a measuring tool. They will also help to focus questions, or aspects to be measured, when developing, for example, a survey tool. A value focused approach (VFA) that takes into account stakeholders' wishes, concerns, problems and values pertaining to information security awareness is suggested for identifying the focus areas. This approach is presented in the next section.

Once the focus areas have been identified, employees should be surveyed to determine their level of awareness. The methodology is based on the study of Kruger and Kearney (2005) and is described by them as follows. It makes use of techniques borrowed from the field of social psychology that propose that learned predispositions to respond in a favourable or unfavourable manner to a particular object have three components: affect, behaviour and cognition. The affect component encompasses one's positive and negative emotions about something, the behaviour component consists of an intention to act in a particular manner, while the cognition component refers to the beliefs and thoughts one holds about an object (Feldman, 1999; Michener and Delamater, 1994). These three components are used as a basis and the model will be developed on three equivalent dimensions, namely what does a person know (knowledge); how do they feel about the topic (attitude); and what do they do (behaviour).

This approach is not completely new and other researchers have already performed work where the social sciences were related to the field of information security awareness.
Thomson and von Solms (1998) have shown how social psychological principles could be utilised to improve the effectiveness of an information security awareness program, while Schlienger and Teufel (2003) made use of social-cultural measures to define a model for analysing information security culture in organisations.

In addition to the employee surveys, appropriate system generated data should also be used as input to the final model. This data will assist with the determination of security behaviour. System data is expected to be more reliable (not subjective or human dependent) and should be fairly easy to get. Section 4 deals with the identification of system data and how it may be related to the focus areas.

The above data combined with appropriate importance factors will then be used to construct the final model. The model and the calculations performed will be based on aspects of value trees, score cards and other management science techniques. Details on how this is done can be found in Kruger and Kearney (2005). Using these techniques will enable decision makers to measure and present awareness levels in a drilled-down manner at different levels of detail. By applying the model at regular intervals it would be possible to measure changes in security awareness levels, focus on specific issues during follow-up security campaigns, derive rules for effective security awareness exercises and predict levels of awareness.

The ICT security and security awareness fields are dynamic and are constantly influenced by new developments and technologies. This poses ongoing challenges to both researchers and practitioners. The proposed framework offers a structured methodology that allows for constant confirmation that the appropriate areas are addressed in an effective manner when implementing and evaluating ICT awareness programs.

3 FOCUS AREAS - A VALUE FOCUSED APPROACH

The first step in the proposed framework, in figure 1, is to identify focus areas in the security awareness domain. This was done using a value-focused approach (Drevin, Kruger and Steyn, 2006).

3.1 Methodology

The value-focused approach is a decision technique suggested by Keeney (1994) and involves four steps. First, interviews are conducted to determine stakeholders' wishes, concerns, problems etc. within the decision context. Next, the result of the interviews, which represents a list of individual values and wishes, is converted into objectives. These consist of a decision context, an object, and a direction of preference that one wants to strive towards (Nah, Siau and Sheng, 2005).
Thirdly, a process to distinguish between means and fundamental objectives is performed. If an objective supports or helps achieve another objective, it is classified as a means objective. Otherwise it is a fundamental objective. Finally, the means and fundamental objectives are organized into a network that shows the interrelationships among all objectives. The network can then be used to derive cause-effect relationships and to generate decision opportunities.

The value-focused thinking approach has already been applied successfully in different areas. Hassan (2004) applied it to the environmental selection of wall structures, while Nah, Siau and Sheng (2005) used the approach to describe the value of mobile applications. Other examples can be found in Dhillon and Torkzadeh (2001) and Dhillon, Bardacino and Hackney (2002), where the value-focused thinking approach was used in the assessment of information system security in organizations and privacy concerns for Internet commerce respectively.

3.2 Application

Keeney's approach, as described above, was applied in an academic environment as follows.
To perform the first step, a discussion document, rather than a questionnaire, was used to obtain information from interviewees. The discussion document contained six statements or questions and was compiled according to the techniques for the identification of objectives suggested by Keeney (1994). Examples of issues discussed with interviewees include: "What would you do or implement to increase the level of security awareness?" and "What is important to you regarding ICT security awareness and how would you achieve it?"

The same interview process used by Nah et al. (2005) was followed and interviews were conducted until no new values or objectives could be identified. A total of 7 employees were interviewed; however, no new values were obtained after the fourth interview. The interviews, which lasted for approximately one and a half hours, were recorded for future reference. Respondents included staff from both management and non-management levels and were selected from the IT department and from users.

The immediate result of the interview process was a list of values that apply to ICT security awareness. These values were, in the second step, converted into objectives by changing statements such as "lock doors when out of office" or "keep laptops out of sight" into a structure consisting of a decision context, an object and a direction of preference, e.g. "maximize physical access control".

Next, the fundamental and means objectives were derived from the list of objectives. This was done following Keeney's "why is it important?" test. If an objective is important because it helps achieve another objective, it was categorized as a means objective; otherwise it was classified as a fundamental objective. Finally, the means-ends objective network was constructed graphically by linking means and fundamental objectives to one another to show the interrelationships among them. The network is presented in Figure 2.
On the left are the means objectives that show the concerns, wishes and values of the interviewees pertaining to ICT security awareness. The right hand side shows the fundamental objectives that are derived from the means objectives or stated by the stakeholders. The fundamental objectives are in line with the acknowledged goals of ICT security, e.g. integrity, confidentiality and availability. Other objectives that emerge from this exercise are more on the social and management side, e.g. responsibility for actions and effective use of resources.

Although no new aspects of security awareness could be identified, the approach served as confirmation that the same areas found in any corporate environment are important in an academic environment and cannot be ignored. In addition, the results are important as the information will be used to develop a measuring instrument that will cover and focus on the identified means objectives in order to address fundamental objectives. It may also serve as a framework for management to structure an awareness program that includes all the appropriate learning areas.
[Figure 2 - Means-ends objectives network for ICT security awareness. Overall objective: ICT security awareness. Means objectives on the left are linked to fundamental objectives on the right.]

The fundamental and means objectives derived from the network are listed in tables 1 and 2. Table 2 can be used to see what aspects influence the means objectives according to the interviewees while table 1 shows the fundamental objectives and the factors describing them.
Table 1 Fundamental objectives

1. integrity of data: Correctness of data; Comply with formal ICT strategy
2. confidentiality of data: Ensure confidentiality of business, research, client (student) data
3. Effective and efficient use of e-communication systems: Minimize cost of e-communication; e-communication resources; Minimize negative impact of e-communication
4. availability of hardware and software: Uninterrupted usage; Prevent damage and loss
5. acceptance of responsibility for actions: Consequences of actions
6. use of resources (money, time people): Comply with formal ICT strategy

Table 2 Means objectives

1. effective use of passwords: Use of strong passwords; Keep passwords secret; Sign off from PC when not in use; Minimize number of passwords used on the Internet
2. logical access control: Use encryption; Limit multiple log-ins; Correct system authorizations; Separation of duties; Clean-up procedures when people resign
3. Minimize tampering with systems: Restricted access
4. Minimize virus infections: Viruses from home/mobile equipment; Viruses from Internet; Viruses from
5. Safe home (mobile equipment) use: Remote access /modems; Use of passwords
6. Responsible use of and Internet: Cost and time for Internet usage; Handle strange s with care; Large attachments; Correct defaults
7. physical access control: Minimize theft; Use of security equipment e.g. cameras; Clean-up procedures when people resign
8. Make regular backups: Minimize loss of data; Criteria on how long to keep data; Correct default saves; Criteria for important data; Availability of equipment to make backups
9. information transfer to employees: IT literacy; Use communication channels (posters, bulletin boards, contracts); Criteria for important data; Illegal use of software
10. Comply with requirements (Adhere to policies): Make risks clear; Make security implications clear
11. user (internal) information: Use user feedback; Use internal audit statistics; Minimize loss of knowledge e.g. when resign
12. external information: Use external input/reports e.g. external auditors, Gartner
13. use of security related statistics: Use all comparable statistics
4 SYSTEM INFORMATION

To complement employee surveyed data, appropriate system generated data should also be used as input into the final measuring process. System data is expected to be more reliable in certain instances as it is not human dependent. It is regarded as objective and should greatly assist in getting additional insight into the general security behaviour of ICT users.

To be able to incorporate system data into the proposed model, there are three aspects that should be dealt with: technical feasibility, relevance to means and fundamental objectives, and ethics. Technical feasibility in this study simply means that the required data is available in such a form that it can be used, or that it can be extracted and transformed into usable data. The system data to be used should be related to the identified means and fundamental objectives to ensure that relevant data is obtained that can contribute to addressing stakeholders' values.

It would be possible to trace or link most of the suggested system data to specific employees. This means that there would be ethical consequences when dealing with some of the data. Traditionally ethics imply the avoidance of harm (emotionally and physically) to research subjects (employees in this study), informed consent from the research subjects to do the research, and protecting the privacy and identity of the research subjects (Fontana and Frey, 2003). The ethical codes of professional bodies such as the Association for Computing Machinery and the South African Computer Society also include references to the ethical behaviour of members regarding the protection of people's privacy and confidentiality (ACM, CSSA). Confidentiality refers to an ethical principle meaning that some types of communication between a person and professionals who share the data are "privileged" and may not be discussed or divulged to third parties.
Privacy is the ability of an individual or group of individuals to stop information about them from becoming known to people other than those to whom they choose to give the information.

The nature of the data that needs to be gathered in this project for analysis may have significant confidentiality and privacy consequences if disclosed and linked to individual employees. It is therefore necessary to consult with the appropriate review board or ethical committee in the organization where the research project is conducted. In addition, for this study, it was decided that it would not be necessary to identify individuals or to link specific individuals to specific data. Percentages or totals of the data will suffice for analysis purposes. For example:
How many employees have reacted to a phishing message, as opposed to who has reacted; or
The percentage of Internet users that surf unauthorized websites; or
The number of users that have installed anti-virus software; or
The percentage of users that use weak passwords.

Table 3 summarizes possible system data pertaining to the focus areas determined in section 3, which are candidates for inclusion in the model. The first column shows the system data area, the second column explains why the system data is needed, while the third one indicates the source of the data. The technical feasibility has already been cleared with IT management while the ethical aspects are still being considered.
Table 3 System Data

System data area | Purpose | Source of data
Time spent on the Internet | Comply with policies; Availability of ICT resources | Internet logs
Illegal web page visits | Comply with policies | Internet logs; Click-stream analysis
Passwords | Use of strong passwords | Tested programmatically
Suspicious messages | Reaction of staff when dealing with suspicious that may contain viruses; responsible use of | Send out suspicious and monitor statistics on read, delete without open it, forward, etc.
Special security messages or policy announcements | Reaction of staff on security messages; comply with policies | Send out notices and monitor statistics on read, delete without reading it, visits to web page with new policies etc.
Phishing | Test attempted identity theft | Send (or use web page) and request specific information
Installation of anti-virus software | Negative effect on availability, integrity and effective use of resources; Comply with policies; Acceptance of responsibility | System logs
Switch off PCs after hours | Unauthorised access; Spyware | System logs
Number of hits on web pages containing security policies | Comply with policies | Internet/Intranet logs
Backups on network drives | Are personal backups performed; Effective use of resources; Comply with policies | Network drives logs
Multiple login facilities | Unauthorised access; Comply with policies | System logs
Forwarding of chain s | Availability and effective use of resources; Comply with policies | System logs
Size of attachments | Availability and effective use of resources; Comply with policies | System logs
Downloading of files from Internet e.g. huge music files | Availability and effective use of resources; Comply with policies | Internet logs
Incidents reported e.g. viruses, theft, unauthorised access etc. | Loss of data; Downgrading of performance; Physical access | Helpdesk, asset management, security department etc.
Access rights of staff that has resigned | Logical access; Integrity of data | System logs; HR department
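The reduction described in section 4, where per-user system data becomes totals and percentages only, shown as an added example that is not part of the paper. The event tuples, the user ids and the min_population suppression threshold are assumptions made here, and the sample records are constructed; the areas and purposes are three rows of Table 3.

```python
"""Reduce per-user system data to anonymous totals and percentages."""
import json
from collections import defaultdict

AV = "Installation of anti-virus software"

# Three rows of Table 3: system data area -> purpose column.
AREA_PURPOSE = {
    "Passwords": "Use of strong passwords",
    "Phishing": "Test attempted identity theft",
    AV: ("Negative effect on availability, integrity and effective use of "
         "resources; Comply with policies; Acceptance of responsibility"),
}

# Constructed sample records: (area, user_id, observed).
# observed=True means: weak password found / user reacted to the test
# message / anti-virus software installed.
USERS = [f"u{n:02d}" for n in range(1, 9)]
SAMPLE_EVENTS = (
    [("Passwords", u, u in {"u01", "u03", "u08"}) for u in USERS]
    + [("Phishing", u, u in {"u01", "u04"}) for u in USERS]
    + [("Phishing", "u01", True)]                # same user reacting twice
    + [(AV, u, u != "u03") for u in USERS[:3]]   # only three machines seen
)


def aggregate(events, min_population=5):
    """Return {area: summary} holding only totals and percentages.

    user_id is used solely to count each person once per area; it is never
    copied into the result. Areas measured on fewer than min_population
    people are suppressed, because a percentage over a handful of users can
    point at an individual (threshold is an assumption of this example).
    """
    measured = defaultdict(set)   # area -> users for whom data exists
    observed = defaultdict(set)   # area -> users showing the behaviour
    for area, user_id, flag in events:
        if area not in AREA_PURPOSE:
            raise ValueError(f"unknown system data area: {area!r}")
        measured[area].add(user_id)
        if flag:
            observed[area].add(user_id)

    report = {}
    for area, purpose in AREA_PURPOSE.items():
        population = len(measured[area])
        suppressed = population < min_population
        count = None if suppressed else len(observed[area])
        pct = None if suppressed else round(100 * count / population, 1)
        report[area] = {
            "purpose": purpose,
            "population": population,
            "count": count,
            "percentage": pct,
            "suppressed": suppressed,
        }
    return report


def leaks_identity(report, user_ids):
    """True if any user id appears anywhere in the serialised report."""
    text = json.dumps(report)
    return any(uid in text for uid in user_ids)


if __name__ == "__main__":
    result = aggregate(SAMPLE_EVENTS)
    print(json.dumps(result, indent=2))
    print("identities leaked:", leaks_identity(result, USERS))
```
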
5 CONCLUSION

In order for security awareness programs to add value to an organization and at the same time make a contribution to the field of information security, it is necessary to follow a structured approach to study and measure their effect. This paper discussed a possible framework for evaluating ICT security awareness. The framework starts with the identification of areas to focus on; these areas are then used to gauge employees' knowledge, attitude and behavior levels. Combined with certain system generated data and appropriate importance factors, the employee surveys are used as input into a model to calculate awareness levels.

A discussion on the identification of focus areas was also given. To do this, a value focused approach was followed, which resulted in a network of relationships that suggests how means objectives may interact with and influence fundamental objectives and ultimately the overall objective of maximizing ICT awareness. Brief notes on the use of system generated data that may assist with the determination of security behavior were also presented.

Progress and findings of the study are encouraging and the intention is to proceed with a follow-up study of the remaining phases of the proposed framework. Specific goals of the follow-up study are to (1) continue an in-depth study (currently in progress) into the availability, applicability and use of system generated data to strengthen the model, (2) generate measures representing the factors of the identified focus areas, and (3) develop a final model, using appropriate management science techniques, to generate measurements and recommendations that are reliable and valid.

Acknowledgement: Financial assistance from the National Research Foundation (NRF) is acknowledged. Opinions expressed are those of the authors.

6 REFERENCES

ACM. Association for Computing Machinery, Code of Ethics and Professional Conduct. Date used: March
BS Date used: January
CSSA. Computer Society of South Africa, Code of Conduct. Date used: March
Dhillon, G. & Torkzadeh, G. Value-focused assessment of information system security in organizations. In: Proceedings of the twenty second international conference on Information Systems
Dhillon, G., Bardacino, J. & Hackney, R. Value focused assessment of individual privacy concerns for Internet commerce. In: Proceedings of the twenty third international conference on Information Systems
Drevin, L., Kruger, H.A. & Steyn, T. Value-focused assessment of ICT security awareness in an academic environment, In: IFIP International Federation for Information Processing, Volume 201, Security and Privacy in Dynamic Environments, eds. Fischer-Hubner, S., Ranneberg, K., Yngstrom, L., Lindskog, S. Boston: Springer,
Feldman, R.S. Understanding Psychology. Fifth edition. McGraw-Hill College. Boston, River Ridge, IL.
Fontana, A. & Frey, J. H. The interview: from structured questions to negotiated text. In: Denzin N. K. & Lincoln Y. S. (Eds.), Collecting and interpreting qualitative materials,
Hansche, S. Designing a security awareness program: Part 1, Information System Security, January/February:
Hassan, O.A.B. Application of value-focused thinking on the environmental selection of wall structures, Journal of environmental management, 70:
Keeney, R.L. Creativity in decision making with value-focused thinking. Sloan Management Review, Summer:
Kruger, H.A. & Kearney, W.D. Measuring information security awareness: A West Africa gold mining environment case study, In: Proceedings of the 2005 ISSA Conference, Johannesburg, South Africa, ISBN: X, 29 June 1 July
Michener, H.A. & Delamater, J.D. Social Psychology. Third edition. Harcourt Brace College Publishers. Orlando, Florida.
Nah, F.F., Siau, K. & Sheng, H. The value of mobile applications: A utility company study. Communications of the ACM, 48(2):
Schlienger, T. & Teufel, S. Information security culture from analysis to change, South African Computer Journal, 31:
Schlienger, T. & Teufel, S. Tool supported management of information security culture: An application to a private bank. In: R. Sasaki, E. Okamoto & H. Yoshiura, Eds. The 20th IFIP International Information Security Conference (SEC 2005) Security and Privacy in the age of ubiquitous Computing, Makuhari Messe, Chiba, Japan, Kluwer Academic Press.
Thompson, M.E. & Von Solms, R. Information security awareness: educating your users effectively, Information Management & Computer Security, 6(4):
Ivy Road Primary School Policy for e-safety Updated - 2014 1. Introduction Pupils interact with the internet and other communications technologies such as mobile phones on a daily basis. The exchange of
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
BCS IT User Syllabus IT for Users Level 2 Version 1.0 June 2009 ITS2.1 System Performance ITS2.1.1 Unwanted messages ITS2.1.2 Malicious
An Introduction on How to Better Protect Your Computer and Sensitive Data Common Security Problems Computer users who fail to use strong passwords Constant attacks by viruses, worms, key loggers and bots
Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Overview: The Bring Your Own Device (BYOD) program allows employees to use their own computing
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 Table of Contents Table of Contents... 2 Definitions... 3 1.
Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
DATABASE SECURITY, INTEGRITY AND RECOVERY DATABASE SECURITY, INTEGRITY AND RECOVERY Database Security and Integrity Definitions Threats to security and integrity Resolution of problems DEFINITIONS SECURITY:
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
National Unit specification General information Unit code: H9T5 44 Superclass: CC Publication date: October 2015 Source: Scottish Qualifications Authority Version: 01 Unit purpose The purpose of this Unit
Earth-Life Science Institute Tokyo Institute of Technology Operating Guidelines for Information Security 2013 1. Purpose The Operating Guidelines for Information Security (hereinafter, the Operating Guidelines
HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit
SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy
for Securing Personal Information Information Protection Readiness for Securing Personal Information May 23, 2014 Office of the City Auditor The Office of the City Auditor conducted this project in accordance
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use
THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather
ISSA-UK 5173 Information Security for Small and Medium Sized Enterprises March 2011 OVERVIEW Purpose This paper, prepared by a working group of the ISSA (UK), sets out recommendations on information security
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY REMOTE WORKING Introduction This policy defines the security rules and responsibilities that apply when doing Council work outside of Council offices
CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of
Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
Boston Public Schools Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and Scope of Policy Technology Resources ACCEPTABLE USE POLICY AND GUIDELINES Boston
NOS for IT User and Application Specialist IT Security (ESKITU04) November 2014 V1.0 NOS Reference ESKITU040 ESKITU041 ESKITU042 Level 3 not defined Use digital systems NOS Title Set up and use security
Information Security Incident Management Plan Version 0.8 January 5, 2009 Table of Contents Introduction... 3 Scope... 3 Objectives... 3 Incident Management Procedures... 4 Roles and Responsibilities...
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
Information Security Training for SysAdmins Center for Education and Research in Information Assurance and Security, Purdue University Published by: CERIAS, The Center for Education and Research in Information
Overview and analysis of Memeo C1 and SSAE16 & SOX Compliance Requirements Memeo C1 Secure File Transfer and Compliance Comply360, Inc Contents Executive Summary... 2 Overview... 2 Scope of Evaluation...