How Users Can Play an Active Role in Security

Sometimes users are the biggest security hole a company has. You can turn that around. Columnist George Spafford shows you how to do it.
During World War II, the United States was worried about German spies obtaining details about shipping routes and schedules to Europe. That's when they came up with the security awareness campaign -- ''Loose Lips May Sink Ship''.

It was both a dramatic illustration and held an obvious truth: If you don't watch what you say, unintended people may pick up on the discussion and take advantage of it -- maliciously.

I thought of the saying after listening to a very loud person -- a senior executive, I am pretty sure -- discuss his business plans with an associate. Given how he projected his voice when he talked, a person two rooms down could have listened in, as well, while he discussed what firm was failing, who they planned to acquire and so on.

In our rush to implement technical solutions for security, it's imperative not to forget the role of users and the responsibilities that go along with it.

There are two parts to this. First, users need to understand their role in security. Secondly, there must be an on-going awareness campaign.

Responsibility

Employees must understand that in order to have an effective internal control environment and security, they must play an active role. The formal responsibility and any specifics need to be outlined in each job description. The phrase ''responsible for adhering to corporate policies and procedures'' is an important addition. This way the policy and procedure documentation can be updated and the job descriptions left alone. The employee should sign and date the form attesting to his/her understanding of the position and compliance with the requirements.

The next step is to cover the policies and procedures during new hire training.

Formal classes should cover what processes and controls are relevant and then the employee should date and sign a statement noting that the classes were conducted and that he/she attended the training and understood the material presented. Management should consider the use of professional trainers to ensure that the lesson plans are correctly assembled and communicated to maximize efficacy.

Annually, refresher training should be given. This is an ideal time to cover any new changes to job descriptions, policies and procedures, etc. The intent is to again formally go over what is expected, hear any concerns and obtain signed and dated review forms.

Be prepared for questions and objections.

Inevitably, issues arise during these reviews. There needs to be a defined process to discuss and resolve, when possible, disputes. Note that standards cannot be infinitely flexible. In some cases, tough decisions will be made as to whether to support a standard or the person in question. Trying to do both constantly, while giving concessions, will make the standard collapse and send the wrong message.

Awareness

The intent of awareness programs is to keep responsibilities and issues at the forefront of peoples' minds. It is not a replacement for training programs, but rather a supplement to training intended both to inform and remind.

There are a great many ways to enhance awareness. The type of program followed depends on company culture and resources -- notably time and money. In the same way defenses are layered, consider layering your awareness programs to try and maximize their reach. Potential avenues include:

  • Emails, Newsletters and Web Pages These can be used to send messages en masse. The challenge is just getting the users to bother reading the email or going to the web page. Consider adding a competitive element -- find the answer to the question and win a prize;
  • Lunch Seminars - Offer to bring in lunch, have a potluck or have people bring their own lunches to hear topics that can affect their lives both in and out of work. For example, discuss anti-virus, privacy, firewalls, spyware, monitoring children's Internet usage, etc. Company specific messages can be interwoven with the topics of personal interest to the employees;
  • Posters -- Put them up in lunch rooms, by the water cooler, etc. Like emails and web pages, the challenge is to have employees actually read the poster and internalize the message;
  • Hold Periodic Meetings -- Have brief meetings to communicate updates about internal controls and security. The challenge with these is to try and coordinate the meetings with departments that already have a full bevy of their own meetings and issues;
  • Attend Periodic Meetings -- Rotate through the various departments and attend their meetings on a defined schedule to communicate updates. For example, perhaps you strive to hit each department once per quarter, and
  • Competitions -- As previously mentioned, competitions are a good way to get some additional participation. Some groups will offer gift certificates, a token electronic gizmo, etc. As the challenge and payoff increases, typically so do the number of participants.

    Technology and processes alone are not enough. The user community must be actively engaged and own the responsibility for internal controls and security, as well. By working together, the organization can effectively and efficiently reduce risks. Without the recognized and accepted ownership by the users, the organization's internal control environment and security posture will be compromised.






  • 0 Comments (click to add your comment)
    Comment and Contribute

     


    (Maximum characters: 1200). You have characters left.