Security Awareness: Looking Beyond Regulations



Over the years, security experts have consistently held that people are the weakest link in information security. Although the importance of security awareness in addressing this weakest link is common knowledge, the results of our efforts so far are not encouraging. The seventh annual security research study by the Computing Technology Industry Association (CompTIA) in 2009 [1] found that the primary cause of security breaches is unintentional human error. For some reason, security awareness efforts are failing badly.

Naturally Aware of the Basics

Human beings are naturally an aware species. We teach our children never to speak to strangers or accept anything from them. We teach them to lock the doors of our homes when we sleep, and to look both ways before crossing the street. Essentially, we teach our children everything they need to know to protect their personal security. Human beings have a natural tendency to practice and advocate better awareness. And yet, carrying this natural tendency over from personal security awareness to information security awareness remains a significant challenge.

The Culprit: Regulatory Pressures

Regulatory compliance is seen as one of the major driving factors of information security today [2]. Awareness efforts undertaken only to satisfy an auditor are designed to meet the minimum a regulation demands rather than to change behavior, so it is no surprise that they often produce unsatisfactory results and breed skepticism about security awareness itself. Consequently, budget allocations for security awareness are often reduced further. At a time when information security budgets are ever-shrinking, the amount allocated to security awareness is often up for internal debate.
Yet lack of security awareness is, in fact, one of the most overlooked aspects of information security [3] and the root cause of many security breaches. It is true that many current regulations require security awareness efforts:

Gramm-Leach-Bliley Act (GLBA): Financial product and service providers governed by the GLBA are required to implement IT security awareness training.

Health Insurance Portability and Accountability Act (HIPAA): Health plans, healthcare clearinghouses, and healthcare providers are governed by HIPAA. Personnel who handle electronic protected health information (ePHI) or protected health information (PHI) must be given security awareness training on an ongoing basis.

Sarbanes-Oxley Act (SOX): All publicly traded companies in the United States must comply with the Sarbanes-Oxley Act. The Act does not name awareness training explicitly, but the internal control frameworks used to satisfy it (COSO, and COBIT for IT controls) expect these companies to establish ongoing IT security awareness efforts.

Federal Information Security Management Act (FISMA): FISMA requires federal government agencies to establish security awareness training for personnel, including contractors. The agencies must report annually on their security awareness and training efforts.

Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS is a contractual standard rather than a regulation, but any organization that stores, processes, or transmits cardholder data for cards bearing the logo of one of the founding members (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) must comply with it. The standard requires that employees be educated upon hire and at least annually on the importance of cardholder data security and on how they can maintain and enhance internal security controls.

Today's regulations requiring security awareness affect a wide array of industries, so it is very likely that any organization will fall under at least one of them. And regulatory compliance usually takes precedence over all else. When the compliance bells toll, time and money are as scarce as ever and a fix-it-quick approach is often taken towards security awareness. Employee attitudes towards information security awareness efforts then simply follow suit. As a result, security awareness is seldom seen apart from the law that requires it. If regulatory compliance is the main aim of an organization's security awareness efforts, they will invariably become a mechanical procedure rather than a beneficial learning experience. This perfunctory attitude among top management always seeps down to the lower rungs of the hierarchy.

Compliance: A By-Product

People are the first line of defense in any organization against threats to information security. Think about it.
These people often have the authorization to bypass every technical security mechanism in place; how else would you conduct business? If you spend hours applying the latest patches to every technical infrastructure component in your organization, it is equally wise to keep the people in your organization patched on an ongoing basis. Compliance is best viewed as a by-product of an organization's security awareness efforts. To get worthwhile results from the investment you put into security awareness, look beyond the prism of compliance toward the greater good of your organization. Compliance will then follow naturally.

The Organization-Centric Approach

The right approach to security awareness is an organization-centric one. The first step should always be to understand the organization's security awareness needs. This can be done with evaluation tools such as questionnaires, interviews, and quizzes. Even judgment calls can be very helpful at this stage, because nobody knows your employees better than you do.

Formal evaluation models such as the COBIT Maturity Model can also be employed to bring greater accuracy and objective data to the evaluations. The model assesses organizational maturity to indicate how well an organization manages information security. It uses a six-point scale ranging from the non-existent (0) maturity level to the optimized (5) maturity level. At the end of your evaluations, you should be able to point out specific security awareness areas that need improvement. Once this list is complete, prioritize these areas by how much each one reduces the risk of an information security compromise.

Security Awareness Program

Once you have a reasonably clear picture of the areas where your organization lacks security awareness, the next step is to plan a security awareness program that addresses these specific areas. A security awareness program is a series of campaigns that aims to steadily instill the right attitude towards information security in employees. To reinforce the importance of this approach, top management should formally communicate the details of the organization's security awareness program to employees.

A security awareness program should be well planned, with specific details such as the date, topic, intended audience, expected resources, and the method to be used. A number of methods can be used, including:

- Articles and newsletters posted on the organization's intranet
- Webcasts and podcasts
- Security awareness posters (humor makes them eye-catching and interesting)
- Security awareness seminars and training events
- Live demonstrations that illustrate how things can go wrong
- Booklets and brochures
- Coffee mugs, pens, pencils, notepads, stickers, and similar items bearing awareness messages

Ensure that the topics of security awareness communications are addressed in the order of the priority list identified earlier. It is also important that these communications are consistent with the organization's information security policies and procedures.

An Ongoing Process

Once a security awareness program is in place and underway, periodic evaluations should be performed to measure progress and make any necessary improvements and adjustments. Metrics such as the number of employees attending training sessions, the number of security incidents caused by human error, and the number of hits received by the intranet pages can help with these measurements. Note that attendance and page hits measure activity, while the incident count measures the outcome the program exists to change; track both, but judge the program by the latter. Social engineering engagements can also be extremely helpful at this stage. These engagements are performed by professional social engineers, who run tests to evaluate how susceptible the people of an organization are to manipulation.

The Larger Awareness

Approaching security awareness at your organization with the right attitude and approach is vital. If you manage these two mission-critical aspects, compliance will easily follow. Compliance will then be a by-product, not an end product. While security awareness by itself is an underrated tool in the information security arsenal, an even larger awareness is probably the need of the hour: the awareness that security awareness deserves a healthier consideration, one that goes beyond regulatory requirements.

References

1. http://www.comptia.org/sections/research/white%20papers/white_paper-comptia_security_vfinal_4-09.pdf
2. http://www.computerworld.com/action/article.do?command=viewarticlebasic&articleid=105936
3. http://www.darkreading.com/security/management/showarticle.jhtml?articleid=208808177

ERM wants to hear from YOU. With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com.

Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations, and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

Services: IT Security, Regulatory Compliance, IT Audit, Computer Forensics, Risk Management, Attestation

Certifications: Certified Public Accountant (CPA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Technology Professional (CITP), GIAC Security Essentials Certification, GIAC Systems and Network Auditor, Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV)

Some of our clients: ABN-AMRO Private Banking, Bacardi-Martini, Inc., Bancafe International, Banco Industrial de Venezuela, Banco ITAU, Bank United, Caja Madrid Bank, Carnival Cruise Lines, LLC, CitiBank, Coconut Grove Bank, Commerce Bank, E-data Financial, Florida International University, Florida Power & Light Company, Heico Aerospace, Helm Bank, Knight Ridder, Nova Southeastern University, Rinker Materials, Rudy, Exelrod & Zieff, LLP, Seabourn Cruise Line, TecniCard, Inc., The International Bank of Miami, TransAtlantic Bank, U.S. Century Bank

For more information, visit www.emrisk.com. E-mail: info@emrisk.com. Phone: 305-447-6750. 800 Douglas Road, North Tower, Suite 835, Coral Gables, FL 33134.