It was both a dramatic illustration and an obvious truth: if you don't watch what you say, unintended people may pick up on the discussion and take advantage of it, maliciously.
I thought of the saying after listening to a very loud person -- a senior executive, I am pretty sure -- discuss his business plans with an associate. Given how he projected his voice when he talked, a person two rooms down could have listened in, as well, while he discussed what firm was failing, who they planned to acquire and so on.
In our rush to implement technical solutions for security, it's imperative not to forget the role of users and the responsibilities that go along with it.
There are two parts to this. First, users need to understand their role in security. Second, there must be an ongoing awareness campaign.
Employees must understand that an effective internal control environment and effective security require them to play an active role. The formal responsibility and any specifics need to be outlined in each job description. The phrase "responsible for adhering to corporate policies and procedures" is an important addition: it lets the policy and procedure documentation be updated without touching the job descriptions themselves. The employee should sign and date the form, attesting to his/her understanding of the position and compliance with its requirements.
The next step is to cover the policies and procedures during new hire training.
Formal classes should cover what processes and controls are relevant and then the employee should date and sign a statement noting that the classes were conducted and that he/she attended the training and understood the material presented. Management should consider the use of professional trainers to ensure that the lesson plans are correctly assembled and communicated to maximize efficacy.
Refresher training should be given annually. This is an ideal time to cover changes to job descriptions, policies, procedures and so on. The intent is to formally go over what is expected once more, hear any concerns and obtain signed and dated review forms.
Be prepared for questions and objections.
Inevitably, issues arise during these reviews. There needs to be a defined process for discussing disputes and resolving them where possible. Note that standards cannot be infinitely flexible. In some cases, a tough decision must be made between upholding the standard and accommodating the person in question. Constantly trying to do both, granting concession after concession, will make the standard collapse and send the wrong message.
The intent of an awareness program is to keep responsibilities and issues at the forefront of people's minds. It is not a replacement for training programs but a supplement to them, intended both to inform and to remind.
There are a great many ways to enhance awareness. The type of program followed depends on company culture and resources, notably time and money. In the same way that defenses are layered, consider layering your awareness programs to maximize their reach. Potential avenues include:
Technology and processes alone are not enough. The user community must be actively engaged and must own its share of responsibility for internal controls and security. By working together, the organization can reduce risk effectively and efficiently. Without recognized and accepted ownership by the users, the organization's internal control environment and security posture will be compromised.