Beyond Security Awareness Achieving culture and avoiding fatigue
Slide 1: Beyond Security Awareness: Achieving culture and avoiding fatigue
Prof. Steven Furnell
Centre for Security, Communications & Network Research, University of Plymouth, United Kingdom
Slide 2: Session Content
- Introduction
- Security Awareness
- Fatigue and Bad Practices
- Understanding Security Behaviour
- Conclusions
Slide 3: Introduction
- It is increasingly recognised that technology alone cannot solve security: the attitudes, awareness, behaviour and capabilities of users can have significant influence
- Factors such as lack of understanding, and unreasonable demands made by the technologies themselves, can dramatically impede users' security efforts
- Employers have a significant role to play in helping to overcome these challenges
Slide 4: The Security Hurdles
- Perception
- Priority
- Responsibility
- Confidence
- Capability
- Usability
Slide 5: Security Awareness
Slide 6: Getting users to act securely
Without adequate awareness, users may neglect to consider security, leading them to:
- open unknown attachments, without considering the possibility that they could contain malware
- select obviously weak passwords, or share their access with other people, thereby leaving their account vulnerable to misuse
- become complacent about warning messages from applications or the operating system, simply selecting the OK button without reading the message in order to make it disappear
- neglect safeguards such as making backup copies of their data
Slide 7: The need for awareness
- DTI ISBS 2000: 16% claimed that lack of training was the reason for their most significant incident in the previous year
- Ernst & Young GISS 2002: 66% cited employee awareness as a barrier to effective security
- PwC ISBS 2010, last paragraph of the Executive Summary: "Given the rising level of breaches seen in the survey it is more critical than ever that organisations raise security awareness among all their staff"
Slide 8: Promoting Security: How is it done?
[Chart: methods used to promote security. Source: DTI/BERR ISBS]
Slide 9: Investment in training
[Chart: training as a percentage of the security budget. Source: CSI 2009]
Slide 10: Investment in training: Adequacy of investment (Source: CSI 2009)
The survey assessed four areas:
- End-user Security Awareness Training
- Regulatory Compliance Efforts
- Security Technology
- Security Service
Training was the only case in which the majority view was "too little"
Slide 11: It's not enough!
- Many do not do enough about awareness, AND awareness alone is not enough anyway: even security-aware users can reject and disobey it
- Going beyond awareness requires buy-in: users need to understand, accept and engage with security as part of their natural behaviour
- This is unlikely to be the default position
Slide 12: Fatigue and Bad Practices
Slide 14: Explaining bad practice
- Despite widespread recognition, many fail to follow good security practice
  - maybe due to lack of awareness, skill or investment
  - but failings can still happen despite these being in place
- Often relates to how people perceive security, and how it is promoted to them
  - many already see security as a barrier rather than an enabler
  - so it starts from a disadvantage in gaining user acceptance
- SAI Global Information Security Awareness Survey 2008 (>1,280 respondents): almost 1/3 believed security interfered with their ability to get the job done
Slide 15: Security Fatigue
- A threshold at which it simply gets too hard or burdensome for users to maintain security
- This is not simply disregarding security or not being bothered with it at all
  - it is a gradual process of decline: people have been following good practice but then drift (or completely switch) into becoming tired or disillusioned with it
- Adds a further dimension to what may already be an uphill struggle
Slide 16: Why Security Fatigue?
- Lacey suggests that security is basically about persuading people to do things they don't want to do
  - at the least, it often requires users to adopt behaviours that may not come naturally to them
- Users may become amenable if enthusiasm can be generated (e.g. via security education), but this may wane over time as the novelty wears off
- Security is already lower on the "to do" list than a variety of "must do" productivity tasks; fatigue makes it easier for it to slip further down the list
Slide 17: A Fatigue Example: User Account Control
- Introduced within Windows Vista
- Limits application software to standard user privileges unless an administrator specifically grants additional permissions
  - intention: to prevent malware compromising the OS
- The manner of implementation meant users could be continually interrupted by UAC dialogues asking permission for software to run
- Many quickly got frustrated and sought to turn it off
  - and were then fatigued in another way, with Vista continually reporting that UAC was switched off!

Slide 18: A Fatigue Example: User Account Control
- Microsoft is on record as suggesting that UAC was specifically intended to annoy users
- Behaviour was toned down in Windows 7: dialogues no longer appear in relation to actions directly initiated by the user via mouse or keyboard
Slide 19: Potential to fatigue us
- A fundamental factor that can cause fatigue is that some controls become more demanding the longer you use them
  - e.g. passwords and the need to change them: while the underlying mechanism remains the same, the more passwords you have had, the more difficult it is to choose and remember new ones
  - so, if used correctly, the overall approach is progressively more demanding
- Meanwhile, other controls (e.g. backup) levy a consistent overhead once operational; they just need to be set up in the first instance
Slide 20: Factors of Fatigue
- Effort: what the security requires of the user in order to achieve compliance (e.g. frequency and extent of activities)
- Difficulty: how easy it is to provide the required effort; relates to how the security concept has been realised in practice (e.g. ease of use)
- Importance: how the user perceives and prioritises the need to secure a given asset; reflects their motivation to keep going despite the effort and convenience issues of the related controls
Slide 21: The measure of Fatigue
Effort and Difficulty are essentially judged relative to Importance to determine Fatigue:

    Potential Fatigue = (Effort × Difficulty) / Importance
Slide 22: The complicating factor
- Gaining actual values for each factor is easier said than done
- Difficulty and Importance will in turn be affected by several underlying influences:
  - difficulty will depend upon how security has been presented (encompassing issues such as usability), plus what the user understands of the technology and/or task involved
  - importance will relate to the priority placed on it by the organisation (assuming a workplace scenario), plus a highly subjective element based upon the individual's perceptions
Slide 23: More complications
- Factors may evolve over time and influence each other, e.g.:
  - a task initially seen as important, but requiring much effort to adhere to (or found to be difficult to implement), may lose its perceived importance over time; i.e. the user becomes fatigued by the task, influenced by the required effort and difficulty, and justifies lowering its importance
  - if a task becomes easier over time and requires less effort to perform, or the user gains a deeper understanding of the need for it, then the perceived importance of the task may increase, effectively offsetting fatigue
- Therefore, effort, difficulty and importance are involved in a continuous feedback loop, with each potentially affecting the others
Slide 24: Implications of fatigue
- Users may try to find workarounds to avoid controls if they do not fully understand the risks of doing so
  - e.g. turn off Automatic Updates to avoid interruption by restarts
- Fatigue could be a major issue in preventing people from adhering to security practices
  - one bad experience could affect attitudes towards other encounters in the future
  - if users decide that security is something they don't like, then in future they may behave as if they are fatigued from the outset
- The more fatigued a user becomes, the less security-compliant they will be
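The two workarounds the slides name (switching off UAC on slides 17 and 18, and disabling Automatic Updates on slide 24) both leave traces in the Windows registry, so an organisation can detect fatigued users rather than guess at them. The following PowerShell script is an added example written for this page; it is not part of the talk. It assumes the documented registry locations for the classic UAC and Automatic Updates settings of the Vista/Windows 7 era discussed above (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under Policies\System; AUOptions under WindowsUpdate\Auto Update; NoAutoUpdate under the WindowsUpdate\AU policy key). The function name Test-FatigueWorkarounds is the author's own.

```powershell
# Added example (not from the slides): report UAC and Automatic Updates settings
# that users typically weaken once security fatigue has set in.
#
# Assumed value meanings (from the documented Windows registry settings):
#   Policies\System\EnableLUA                  1 = UAC on, 0 = UAC off
#   Policies\System\ConsentPromptBehaviorAdmin 0 = elevate without prompting,
#                                              2 = consent on secure desktop,
#                                              5 = consent for non-Windows binaries (Windows 7 default)
#   Policies\System\PromptOnSecureDesktop      1 = prompts use the secure desktop
#   Auto Update\AUOptions                      1 = never check for updates
#   WindowsUpdate\AU\NoAutoUpdate              1 = Automatic Updates disabled by policy

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (i.e. the default applies)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FatigueWorkarounds {
    $findings = @()
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Slide 17: users "sought to turn it off"
    $lua = Get-RegValue $sys 'EnableLUA'
    if ($lua -eq 0) {
        $findings += [pscustomobject]@{ Control='UAC'; Setting='EnableLUA'; Value=$lua;
                                        Finding='UAC switched off entirely' }
    }
    # Silent elevation keeps UAC nominally "on" but removes the prompt the control relies on
    $consent = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'
    if ($consent -eq 0) {
        $findings += [pscustomobject]@{ Control='UAC'; Setting='ConsentPromptBehaviorAdmin'; Value=$consent;
                                        Finding='Administrators elevate without any prompt' }
    }
    # Prompts off the secure desktop can be spoofed or clicked through by other software
    $secure = Get-RegValue $sys 'PromptOnSecureDesktop'
    if ($secure -eq 0) {
        $findings += [pscustomobject]@{ Control='UAC'; Setting='PromptOnSecureDesktop'; Value=$secure;
                                        Finding='Elevation prompts not shown on the secure desktop' }
    }
    # Slide 24: "turn off Automatic Updates to avoid interruption by restarts"
    $opt = Get-RegValue $au 'AUOptions'
    if ($opt -eq 1) {
        $findings += [pscustomobject]@{ Control='Automatic Updates'; Setting='AUOptions'; Value=$opt;
                                        Finding='Set to never check for updates' }
    }
    $noau = Get-RegValue $pol 'NoAutoUpdate'
    if ($noau -eq 1) {
        $findings += [pscustomobject]@{ Control='Automatic Updates'; Setting='NoAutoUpdate'; Value=$noau;
                                        Finding='Disabled by policy' }
    }
    return $findings
}

$result = @(Test-FatigueWorkarounds)
if ($result.Count -eq 0) {
    Write-Output 'No fatigue workarounds detected: UAC and Automatic Updates are at their defaults.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it with an ordinary user account on each endpoint (the keys are world-readable) and feed the findings into whatever inventory or compliance reporting you already have; the point, as slide 32 goes on to argue, is to identify the people who have reached the fatigue threshold so that compensating checks and reminders can be targeted at them rather than at everyone. A missing value means the default is in force, which the script treats as not a finding. On Windows 10 and later the update client is orchestrated differently, so AUOptions alone is not a complete picture there.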
Slide 25: Understanding Security Behaviour
Slide 26: Users' security behaviour
- Often not a simple case of being "secure" or "insecure"
- Individual commitment to security can be categorised on a scale reflecting:
  - their acceptance of the issue
  - the consequent compliance exhibited in their behaviour
- This yields a set of resulting levels of compliance and non-compliance
Slide 27: Categorising staff behaviour

Category      Zone             Description
Culture       Compliance       The ideal state, in which security is implicitly part of the user's natural behaviour.
Commitment    Compliance       Security is not a natural part of behaviour, but if provided with appropriate guidance/leadership then users accept the need for it and make an associated effort.
Obedience     Compliance       Users may not fully understand or buy into the principles, but can be made to comply via appropriate authority (i.e. implying a greater level of enforcement than simply providing guidance).
Awareness     Grey zone        Users are aware of their role in information security, but are not necessarily fully complying with the associated practices or behaviour as yet.
Ignorance     Grey zone        Users remain unaware of security issues and so may introduce inadvertent adverse effects.
Apathy        Non-compliance   Users are aware of their role in protecting information assets, but are not motivated to adhere to good information security practices.
Resistance    Non-compliance   Users work against security, through factors such as laziness and disregard for known procedures.
Disobedience  Non-compliance   Users actively work against security, with insider abusers intentionally breaking the rules and circumventing controls.
Slide 28: Staff compliance and disruption within organisations
[Figure: distribution of staff across the eight categories, from Culture (greatest degree of compliance) through Commitment, Obedience, Awareness, Ignorance, Apathy and Resistance to Disobedience (greatest degree of non-compliance). Source: Furnell and Thomson, 2009]
Slide 29: Considering the boundaries
- There is not necessarily a clear boundary between compliance and non-compliance
  - the Awareness and Ignorance categories can be considered a grey zone
  - the resulting user behaviours are not consistently compliant or non-compliant
- Staff in this middle area are likely to share similar characteristics
  - relatively easy to effect a transition into the compliance category?
Slide 30: Towards disobedience
- Users at the lower levels (Apathy, Resistance, Disobedience) all possess security knowledge but have chosen to reject it
  - a different basis for non-compliance from those acting out of ignorance
  - increasing levels of severity as we move down the list
- Need to cultivate buy-in and support rather than just educate them about security
Slide 31: A realistic target?
- The level of compliance will rarely be homogeneous across an organisation
  - even the compliance of an individual may vary depending upon context
- Achieving the Culture state across all users may not be viable
  - the natural distribution is likely to be as shown in the diagram on slide 28
- Getting them all at least into a compliance category is a worthy target
Slide 32: Points to note
- It is more difficult to get compliance once fatigue has set in
  - once the threshold has been reached it may not be possible to tangibly reduce fatigue
- Identifying those who have reached the threshold could enable compensation via additional checks, reminders, etc.
- It may be necessary to revive the security message being sent throughout an organisation, to reduce the potential for a "seen it all before" attitude
Slide 33: Relating Influences to Behaviour (a work-in-progress model)
[Figure: influences on security behaviour, shown as organisation-controlled (Job / Role, Policy Framework, Supervision / Leadership, Colleague Behaviour) and organisation-independent (Prior Experience, Claimed Benefits, Media Coverage), passing through a Personality Filter and a Situation Filter to produce Security Behaviour. Source: Rajendran, Furnell and Gabriel, 2011]
Slide 34: Conclusions
Slide 35: Conclusions
- It is all too easy to focus upon technology and forget the people that use it
- Awareness and training are essential, but are not a panacea
- More awareness may not deliver more tolerance
  - overexposure could lead to apathy that would exacerbate the issue
  - repeatedly receiving the message without evidence of a breach could engender complacency
- Need to properly consider how to pitch and communicate the messages
Slide 36: Conclusions
- The way in which security is promoted should depend upon the people involved
- Recognition of the compliance categories can help to inform awareness-raising, framing messages to reach different portions of the audience
- Requires a flexible approach to security awareness, varying the approach and the message according to the context of the user
Slide 37: References
- S. Furnell and K. Thomson, "From culture to disobedience: Recognising the varying user acceptance of IT security", Computer Fraud & Security, February 2009, pp. 5-10.
- S. Furnell and K. Thomson, "Recognising and addressing security fatigue", Computer Fraud & Security, November 2009, pp. 7-11.
Slide 38: Prof. Steven Furnell, Centre for Security, Communications & Network Research
More informationPrivilege Gone Wild: The State of Privileged Account Management in 2015
Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...
More informationWHITE PAPER SOLUTION CARD. What is Fueling BYOD Adoption? Mobile Device Accountability and Control
WHITE PAPER Enabling BYOD in Government Agencies with Seamless Mobile Device Accountability & Control How to provide mobility and Web security in your agency s wireless network About This White Paper This
More informationSOLUTION CARD WHITE PAPER. What is Fueling BYOD Adoption? Mobile Device Accountability and Control
WHITE PAPER Enabling Enterprise BYOD with Seamless Mobile Device Accountability & Control How to provide mobility and Web security in your organization s wireless network About This White Paper This white
More informationModule 1 Study Guide
Module 1 Study Guide Introduction to OSA Welcome to your Study Guide. This document is supplementary to the information available to you online, and should be used in conjunction with the videos, quizzes
More informationMaximising the Effectiveness of Information Security Awareness
Maximising the Effectiveness of Information Security Awareness This thesis offers a fresh look at information security awareness using research from marketing and psychology. By Geordie Stewart and John
More informationHow to Justify Your Security Assessment Budget
2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice
More informationQCF. Residential childcare. Centre Handbook
QCF Residential childcare Centre Handbook OCR Level 3 Diploma for Residential Childcare (England) Entry code 10405 OCR Level 5 Diploma in Leadership and Management for Residential Childcare (England) Entry
More informationHow to enable Disk Encryption on a laptop
How to enable Disk Encryption on a laptop Skills and pre-requisites Intermediate IT skills required. You need to: have access to, and know how to change settings in the BIOS be confident that your data
More informationManagement and Leadership. Level 5 NVQ Diploma in Management and Leadership (QCF)
Management and Leadership Level 5 NVQ Diploma in Management and Leadership (QCF) 2014 Skills CFA Level 5 NVQ Diploma in Management and Leadership (QCF) Page 1 Level 5 NVQ Diploma in Management and Leadership
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationAPPENDIX: CHECKLIST COMPLIANCE WITH THE CODE
AEDIX: CHECKLIST COMLIACE WITH THE CODE lease tick to indicate = ES, = ARTIAL, = O. Where partial or no, you should give reasons for any noncompliance, and any compensating measures in place or actions
More informationCHAPTER SIX CONCLUSION
112 CHAPTER SIX CONCLUSION Man Hiking on Steep Incline Don Mason/CORBIS 113 Medical Medical Ethics Ethics Manual Manual Medical Principal Ethics Features and Manual Medical of Medical Conclusion Research
More informationHow to reduce the cost and complexity of two factor authentication
WHITEPAPER How to reduce the cost and complexity of two factor authentication Published September 2012 48% of small and medium sized businesses consistently cite technical complexity and cost of ownership
More informationThreat Intelligence. Benefits for the enterprise
Benefits for the enterprise Contents Introduction Threat intelligence: a maturing defence differentiator Understanding the types of threat intelligence: from the generic to the specific Deriving value
More informationSuite Overview...2. Glossary...8. Functional Map.11. List of Standards..15. Youth Work Standards 16. Signposting to other Standards...
LSI YW00 Youth Work National Occupational Standards Introduction Youth Work National Occupational Standards Introduction Contents: Suite Overview...2 Glossary......8 Functional Map.11 List of Standards..15
More informationACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE
ACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE Paul Leach 1, Jonathan Berman 1 and David Goodall 2 1 Greenstreet Berman Ltd, London, UK 2 National Grid, UK
More informationAdvisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management
Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management
More informationWELS Compliance Risk Management Guide For Suppliers
WELS Compliance Risk Management Guide For Suppliers A working document (March 2007) A Working Document This is a WELS Compliance Risk Management working document. Prepared by the Water Policy Branch Department
More informationHazard Identification, Risk Assessment and Management Procedure. Documentation Control
Hazard Identification, Risk Assessment and Management Procedure Reference: Date approved: Approving Body: Implementation Date: Version: 3 Documentation Control GG/CM/007 Trust Board Supersedes: Version
More informationCOMPETENCY FRAMEWORK Trainee Actuary /Actuarial Technician / HEO / SEO
COMPETENCY FRAMEWORK Trainee Actuary /Actuarial Technician / HEO / SEO Is committed to GAD s organisational values and ensures they are reflected in all undertakings Is solution focused Adopts a flexible
More informationCRM Business Plan Template Introduction: How to Use This Template
CRM Business Plan Template Introduction: How to Use This Template This template will help build a living CRM business plan for the enterprise as well as document business justifications for specific near-term
More informationIntroduction Customers, and Customer Service What exactly do we mean by Great Customer Service? Customer Relationship Management Adding Value to the
Topic Outline Introduction Customers, and Customer Service What exactly do we mean by Great Customer Service? Customer Relationship Management Adding Value to the Customer Service Experience Customers
More informationChange Management. www.business.wales.gov.uk/superfastbusinesswales 03000 6 03000
Change Management Effective change management is an essential ingredient to the successful implementation of technology-based projects that are made possible by Superfast Broadband. www.business.wales.gov.uk/superfastbusinesswales
More informationIT & DATA SECURITY BREACH PREVENTION A PRACTICAL GUIDE. Part I: Reducing Employee and Application Risks
IT & DATA SECURITY BREACH PREVENTION A PRACTICAL GUIDE Part I: Reducing Employee and Application Risks As corporate networks increase in complexity, keeping them secure is more challenging. With employees
More informationLet Someone Break Rules to Improve Security Compliance
20 September 2012: Let Someone Break Rules to Improve Security Compliance Author Dr. T V Gopal Chairman, Division II [Software], Advisor CSI Communications [CSIC] and Professor Department of Computer Science
More information