Security Awareness: Looking Beyond Regulations

Over the years, security experts have religiously advocated that people are the weakest link in information security. Although the importance of security awareness in addressing this weakest link is common knowledge, the result of our efforts thus far is not very encouraging. The seventh annual security research study by the Computer Technology Industry Association (CompTIA) in 2009 [1] found that the primary cause of security breaches is unintentional human error. Security awareness efforts are failing royally for some reason.

Naturally Aware of the Basics

Human beings are naturally an aware species. We often teach our children never to speak to or accept anything from strangers. We teach them to lock the doors of our homes when we sleep, and to be careful and look both ways when crossing the street. Essentially, we teach our children everything they need to know to enhance their personal security. Human beings have a natural tendency towards practicing and advocating better awareness. And yet, carrying this natural tendency over from personal security awareness to information security awareness stands today as a significant challenge.

The Culprit: Regulatory Pressures

Regulatory compliance is seen as one of the major driving factors of information security today [2]. It is no surprise, then, that security awareness efforts often yield unsatisfactory results and increased skepticism about security awareness. Consequently, budget allocations for security awareness are often reduced further. In times when information security budgets are ever-shrinking, the amount allocated to security awareness is often up for internal debate.
Yet lack of security awareness is, in fact, one of the most overlooked aspects of information security [3] and the root cause of many security breaches.

It is true that many current regulations require security awareness efforts:

Gramm-Leach-Bliley Act (GLBA)
Financial product/service providers governed by the GLBA are required to implement IT security awareness training.

Health Insurance Portability and Accountability Act (HIPAA)
Health plans, healthcare clearinghouses, and healthcare providers are governed by HIPAA. Personnel involved in the handling of Electronic Protected Health Information (ePHI) or Protected Health Information (PHI) must be provided security awareness training on an ongoing basis.
Sarbanes-Oxley Act
All publicly traded companies in the United States must comply with the Sarbanes-Oxley Act. These companies are required to establish ongoing IT security awareness efforts.

Federal Information System Security Managers Act (FISMA)
FISMA requires federal government agencies to establish security awareness training for personnel, including contractors. The agencies must report annually on their security awareness and training efforts.

Payment Card Industry Data Security Standard (PCI DSS)
While the PCI DSS is not a regulation, if you were ever to issue credit cards bearing the logo of one of the founding members (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.), you would need to comply with the PCI DSS. The standard requires educating employees upon hire and at least annually on the importance of cardholder data security and on how employees can maintain and enhance internal security controls.

Today's regulations requiring security awareness affect a wide array of industries, so it is very likely that any organization will encounter at least one of them. And regulatory compliance usually takes precedence over all else. When the compliance bells toll, time and money are as scarce as ever, and a fix-it-quick approach is often taken towards security awareness. Employee attitudes towards information security awareness efforts then simply follow suit. As a result, security awareness is seldom seen apart from a law that requires it. If regulatory compliance is the main aim of an organization's security awareness efforts, they will invariably end up becoming a mechanical procedure rather than a beneficial learning experience. This perfunctory approach to security awareness by top management always seeps down to the lower rungs of the hierarchy.

Compliance: A By-Product

People are the first line of defense in any organization against threats to information security. Think about it.
These people often have the authorization to bypass all the technical security mechanisms in place. How else would you conduct business? If you spend hours applying the latest patches to all the technical infrastructure components in your organization, it is equally wise to apply up-to-date patches to the people in your organization on an ongoing basis.

Compliance is best viewed as a by-product of an organization's security awareness efforts. To get the desired results from the investment you put into security awareness, look beyond the prism of compliance toward the greater good of your organization. Compliance will then naturally follow.

The Organization-Centric Approach

The right approach to security awareness is an organization-centric approach. The first step should always be an effort to understand the organization's security awareness needs. This can be done using evaluation tools such as questionnaires, interviews, and quizzes. Even judgment calls can be very helpful at this stage, because nobody knows your employees better than you do.
Formal evaluation models such as the COBIT Maturity Model can also be employed to bring greater accuracy and objective data to the evaluations. The model evaluates organizational maturity to give an indication of how well an organization manages information security. It uses a six-point scale ranging from the non-existent (0) maturity level to the optimized (5) maturity level.

At the end of your evaluations, you should be able to point out specific security awareness areas that need improvement. Once this list is complete, prioritize these areas based on their importance to the organization in minimizing the risk of an information security compromise.

Security Awareness Program

Once you have a reasonably clear picture of the areas where your organization lacks security awareness, the next step is to plan a security awareness program to address those specific areas. A security awareness program is a series of campaigns that aims to steadily instill the right attitude towards information security in the minds of employees. To reinforce the importance of this approach, top management should formally communicate the details of the organization's security awareness program to the employees.

A security awareness program should be well planned, with specific details such as the date, topic, intended audience, expected resources, and the method that will be used. A number of methods can be used, including:

- Articles/newsletters posted on the organization's intranet
- Webcasts and podcasts
- Security awareness posters (note that humor makes them eye-catching and interesting)
- Security awareness seminars and training events
- Live demonstrations that illustrate how things can go wrong
- Booklets and brochures
- Coffee mugs, pens, pencils, notepads, stickers, etc. bearing awareness messages

Ensure that the topics of security awareness communications are addressed in the order of the priority list identified previously.
It is also important that these communications are in harmony with the organization's information security policies and procedures.

An Ongoing Process

Once a security awareness program is in place and underway, periodic evaluations should be performed to measure progress and to make the necessary improvements and adjustments. Metrics such as the number of employees attending the training sessions, the number of security incidents caused by human error, and the number of hits received by the intranet pages can often help in these measurements. Social engineering engagements can also be extremely helpful at this stage. These engagements are performed by professional social engineers who run tests to evaluate how hackable the people of an organization are.
The Larger Awareness

Approaching security awareness at your organization with the right attitude and approach is vital. If you manage these two mission-critical aspects, compliance will easily follow. Compliance will then be a by-product, not an end-product. While security awareness by itself is quite an underrated tool in the information security arsenal, an even larger awareness is probably the need of the hour: the awareness that security awareness deserves a healthier consideration, one that goes beyond regulatory requirements.

References

1. http://www.comptia.org/sections/research/white%20papers/white_paper-comptia_security_vfinal_4-09.pdf
2. http://www.computerworld.com/action/article.do?command=viewarticlebasic&articleid=105936
3. http://www.darkreading.com/security/management/showarticle.jhtml?articleid=208808177
ERM wants to hear from YOU.

With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com.

Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations, and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

Services
- IT Security
- Regulatory Compliance
- IT Audit
- Computer Forensics
- Risk Management
- Attestation

Certifications
- Certified Public Accountant (CPA)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Manager (CISM)
- Certified Information Technology Professional (CITP)
- GIAC Security Essentials Certification
- GIAC Systems and Network Auditor
- Qualified Security Assessor (QSA)
- Approved Scanning Vendor (ASV)

Some of our Clients
ABN-AMRO Private Banking, Bacardi-Martini, Inc., Bancafe International, Banco Industrial de Venezuela, Banco ITAU, Bank United, Caja Madrid Bank, Carnival Cruise Lines, LLC, CitiBank, Coconut Grove Bank, Commerce Bank, E-data Financial, Florida International University, Florida Power & Light Company, Heico Aerospace, Helm Bank, Knight Ridder, Nova Southeastern University, Rinker Materials, Rudy, Exelrod & Zieff, LLP, Seabourn Cruise Line, TecniCard, Inc., The International Bank of Miami, TransAtlantic Bank, U.S. Century Bank

For more information, visit www.emrisk.com
E-mail: info@emrisk.com
Phone: 305-447-6750
800 Douglas Road, North Tower, Suite 835, Coral Gables, FL 33134