During World War II, the United States was worried about German spies
obtaining details about shipping routes and schedules to Europe. That’s
when they came up with the security awareness campaign — ”Loose Lips
May Sink Ship”.
It was both a dramatic illustration and held an obvious truth: If you
don’t watch what you say, unintended people may pick up on the discussion
and take advantage of it — maliciously.
I thought of the saying after listening to a very loud person — a senior
executive, I am pretty sure — discuss his business plans with an
associate. Given how he projected his voice when he talked, a person two
rooms down could have listened in, as well, while he discussed what firm
was failing, who they planned to acquire and so on.
In our rush to implement technical solutions for security, it’s
imperative not to forget the role of users and the responsibilities that
go along with it.
There are two parts to this. First, users need to understand their role
in security. Secondly, there must be an on-going awareness campaign.
Responsibility
Employees must understand that in order to have an effective internal
control environment and security, they must play an active role. The
formal responsibility and any specifics need to be outlined in each job
description. The phrase ”responsible for adhering to corporate policies
and procedures” is an important addition. This way the policy and
procedure documentation can be updated and the job descriptions left
alone. The employee should sign and date the form attesting to his/her
understanding of the position and compliance with the requirements.
The next step is to cover the policies and procedures during new hire
training.
Formal classes should cover what processes and controls are relevant and
then the employee should date and sign a statement noting that the
classes were conducted and that he/she attended the training and
understood the material presented. Management should consider the use of
professional trainers to ensure that the lesson plans are correctly
assembled and communicated to maximize efficacy.
Annually, refresher training should be given. This is an ideal time to
cover any new changes to job descriptions, policies and procedures, etc.
The intent is to again formally go over what is expected, hear any
concerns and obtain signed and dated review forms.
Be prepared for questions and objections.
Inevitably, issues arise during these reviews. There needs to be a
defined process to discuss and resolve, when possible, disputes. Note
that standards cannot be infinitely flexible. In some cases, tough
decisions will be made as to whether to support a standard or the person
in question. Trying to do both constantly, while giving concessions, will
make the standard collapse and send the wrong message.
Awareness
The intent of awareness programs is to keep responsibilities and issues
at the forefront of peoples’ minds. It is not a replacement for training
programs, but rather a supplement to training intended both to inform and
remind.
There are a great many ways to enhance awareness. The type of program
followed depends on company culture and resources — notably time and
money. In the same way defenses are layered, consider layering your
awareness programs to try and maximize their reach. Potential avenues
include:
messages en masse. The challenge is just getting the users to bother
reading the email or going to the web page. Consider adding a competitive
element — find the answer to the question and win a prize;
have people bring their own lunches to hear topics that can affect their
lives both in and out of work. For example, discuss anti-virus, privacy,
firewalls, spyware, monitoring children’s Internet usage, etc. Company
specific messages can be interwoven with the topics of personal interest
to the employees;
etc. Like emails and web pages, the challenge is to have employees
actually read the poster and internalize the message;
updates about internal controls and security. The challenge with these is
to try and coordinate the meetings with departments that already have a
full bevy of their own meetings and issues;
departments and attend their meetings on a defined schedule to
communicate updates. For example, perhaps you strive to hit each
department once per quarter, and
good way to get some additional participation. Some groups will offer
gift certificates, a token electronic gizmo, etc. As the challenge and
payoff increases, typically so do the number of participants.
Technology and processes alone are not enough. The user community must be
actively engaged and own the responsibility for internal controls and
security, as well. By working together, the organization can effectively
and efficiently reduce risks. Without the recognized and accepted
ownership by the users, the organization’s internal control environment
and security posture will be compromised.