Posts Tagged ‘Security Program’

Security Awareness and Training are Important

Information security, like everything else, is a human enterprise and is influenced by the factors that affect each individual. It is well recognized that the greatest information security danger to any organization is not a particular process, technology, or piece of equipment; rather, the danger lies in the people who work within the “system”. IT security is therefore a “people issue”, and awareness programs address the common “people” problems.

We know that solutions for yesterday’s security issues are obsolete today, and the security solutions we have today may be obsolete tomorrow. The security environment is constantly changing and the variety of solutions is growing at a phenomenal rate. Awareness is a crucial element in addressing these issues.

Company-wide security awareness training and education initiatives, including but not limited to classroom-style training sessions, security awareness websites, helpful hints sent by e-mail, or even a poster campaign, are methods that help ensure employees have a solid understanding of company security policy, procedures and best practices.

A well-designed, effective awareness program reminds everyone — IT staff, management, and end users — of the dangers that are out there and things that can be done to defend the organization against them. Providing your personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of your organization’s business success.

If your personnel do not know or understand how to maintain the confidentiality of information, or how to secure it appropriately, you not only risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk being in noncompliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset, your corporate reputation.

Information security awareness, training and education are important for many reasons, including the following.

1. Regulatory Requirements Compliance

An increasing number of laws and regulations require some form of training and awareness activities within the organizations over which they have jurisdiction. Failure to train employees on product, process, policy and practice could violate compliance requirements and expose the enterprise to legal liability. Laws requiring security and privacy awareness or training programs apply to:

  • The Federal Government (Federal Information System Security Managers’ Act) 
  • The Health Care Industry (Health Insurance Portability and Accountability Act) 
  • Financial Institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act) 
  • Publicly-traded Companies (Sarbanes-Oxley Act) 

The Federal Information System Security Managers’ Act (FISMA) requires government agencies to report on their security awareness and training efforts annually.

National Institute of Standards and Technology (NIST) has developed Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which addresses controls that Federal organizations are required to implement for unclassified information systems. One of those controls is “security awareness training”. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

NIST also acknowledges that the awareness program must comply with 5 C.F.R. Part 930.301 (Code of Federal Regulations), under which everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines five specific roles that must receive awareness training:

  1. All users
  2. Executives
  3. Program and functional managers
  4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers)
  5. IT function management and operations personnel

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports the requirements specified in FISMA. The NIST Computer Security Handbook stresses that managers must understand the consequences and costs of security, and therefore must treat security as an important factor when making decisions.

OMB Circular A-130 requires that system users receive security awareness instruction prior to being granted access to the system, and it requires periodic refresher training for continued access.

2. Customer Trust and Satisfaction

Respect for customer security and privacy is one of the most important issues facing your company today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII).

To gain and keep customer trust, your company must exercise good judgment in the collection, use, and protection of PII. You need to train your personnel on this and keep them aware of it, but you also need to inform two other groups, through various awareness messages, about what you are doing to protect their privacy and secure their information: your customers, with whom you already have a business relationship, and consumers, with whom you would like to have a business relationship and who may have provided some information to you.

All employees or companies directly handling or influencing the handling of your company’s customer PII should receive targeted security and privacy training before handling customer information. They should also receive ongoing awareness communications to reinforce security and privacy issues and requirements and help to embed such practices within their daily work activities.

3. Corporate Reputation

Reputation is another critical organizational business success asset. Without a good reputation, customers leave, sales drop, and revenue shrinks.

A component of managing a good reputation is ensuring that personnel and business partners follow the right information security and privacy precautions to lessen the risk of compromising private information; such incidents will likely lead to some very unfavorable news reports and media attention.

In conclusion, government and industry organizations must protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment. The best way to achieve a significant and lasting improvement in information security is not to throw more technical solutions at the problem, but to raise awareness and to train and educate everyone who interacts with computer networks, systems, and information in the basics of data, information, network and cyber security. Information security awareness programs serve a critical role in keeping an organization safe by keeping the user community vigilant against the dangers posed by intruders.

E-SPIN, as an end-to-end security solution services provider, supplies consultancy, technology and services that help clients realize a holistic return on their security program and investment. Please feel free to contact info@e-spincorp.com for a package solution that goes beyond product technology and includes consultancy, training and maintenance support for effective enterprise IT risk management best practice.


No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals. Whether yours is five or 200 pages long, the process of creating a security program will make you think holistically about your organization’s security. A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning how you will keep the program and your security practices up to date.

  • Product information, including designs, plans, patent applications, source code, and drawings
  • Financial information, including market assessments and your company’s own financial records
  • Customer information, including confidential information you hold on behalf of customers or clients
  • Failure to protect your data’s confidentiality might result in customer credit card numbers being stolen, with legal consequences and a loss of goodwill. Lose your clients’ confidential information and you may have fewer of them in the future.
  • A data integrity failure might result in a Trojan horse being planted in your software, allowing an intruder to pass your corporate secrets on to your competitors. If an integrity failure affects your accounting records, you may no longer really know your company’s true financial status.

[Figure: elements of a good security program]

Having a security program means that you’ve taken steps to mitigate the risk of losing data in any one of a variety of ways, and have defined a life cycle for managing the security of information and technology within your organization.

Elements of a good security program

A good security program provides the big picture for how you will keep your company’s data secure. It takes a holistic approach that describes how every part of your company is involved in the program. A security program is not an incident handling guide that details what happens if a security breach is detected (see The Barking Seal Issue Q1 2006). It’s also not a guide to doing periodic assessments, though it probably does dictate when to do a security assessment (see The Barking Seal Issue Q2 2008).

Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them. It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program. The key components of a good security program are outlined in the following sections.

  1. Designated security officer

For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.

  2. Risk assessment

This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to prioritize the risks and choose cost-effective countermeasures. The risks covered in your assessment might include one or more of the following:

  • Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.
  • Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own.
  • Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
  • Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
  • Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.

  3. Policies and Procedures

Preparing your risk assessment hopefully gave you lots to worry about. The policies and procedures component is the place where you get to decide what to do about them. Areas that your program should cover include the following:

  • Physical security documents how you will protect all three C-I-A aspects of your data from unauthorized physical access.
  • Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation and aging requirements, and audit trail maintenance.
  • Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that your IT employees are engaged in implementing your IT-specific policies.
  • Risk assessment states how often you will reassess the potential threats to your IT security and update your security program.
  • Incident response defines how you will respond to security threats, including potential (such as unauthorized port scanning) and actual incidents (where security has been compromised). We discussed the importance of having an incident-handling guide in the Q1 2006 issue of The Barking Seal.
  • Virus protection outlines how you protect against viruses. This might include maintaining workstation-based products and scanning email, Web content, and file transfers for malicious content.
  • Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up-to-date and ready to take over within the recovery time you have defined.
  • Relationships with vendors and partners defines who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect your data. This is an often-overlooked aspect of data security because your IT organization probably has not had a lot of interaction with your legal organization over vendor contracts. You may need to take measures such as evaluating your partners’ ability to safeguard your data and insisting on having reasonable security practices in place.

  4. Organizational security awareness

The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. And even though it is the weakest link, it is often overlooked in security programs. Don’t overlook it in yours.

Every employee needs to be aware of his or her roles and responsibilities when it comes to security. Even those who don’t touch a computer in their daily work need to be involved, because they could still be targeted by social-engineering attacks designed to compromise your physical security. In its Information Security Handbook, publication 800-100, the National Institute of Standards and Technology (NIST) describes the importance of making all levels of your organization aware of and educated on their roles and responsibilities when it comes to security (Figure 2). All users need security awareness training, while those involved with IT systems need more role-specific training. Your IT organization, which implements a continuous cycle of assessing, acquiring, and operating security-related hardware and software, needs an even higher level of involvement, taking direction from your own security specialists and those you hire as consultants.

[Figure 2: elements of a good security program]

  5. Regulatory standards compliance

In addition to complying with your own security program, your company may also need to comply with one or more standards defined by external parties. This component of your security plan defines what those standards are and how you will comply. Regulatory standards that might affect you include HIPAA (for patient information), PCI (for credit card processing), FISMA (for governmental agencies and contractors, see The Barking Seal Q4 2006), Sarbanes-Oxley, and Gramm-Leach-Bliley (for corporate financial management).

  6. Audit compliance plan

This component of your security program dictates how often you will audit your IT security and assess its compliance with your security program. As we discussed in the Q2 2008 issue of The Barking Seal, there are aspects of your security that you will want to audit on a frequency ranging from daily to annually. Periodic security assessments are important for finding out whether your security has already been breached. They help you to stay on top of new security threats with the right technology and staff training. And they help you make smart investments by helping you to prioritize and focus on the high-impact items on your list.

A security program is never “done.” As Figure 2 illustrates, your IT organization is always in the process of iterating through the program’s life cycle for all areas that it defines. You assess risks, make plans for mitigating them, implement solutions, monitor to be sure they are working as expected, and use that information as feedback for your next assessment phase. Likewise, your security program document has this life cycle built into it, as it specifies how often you will re-assess the risks you face and update the program accordingly.

Getting on the right footing

It doesn’t matter whether your security program is five pages (as are some we’ve produced for clients) or 200 pages long (such as the NIST document cited above). The important thing is that you have a security program and that you use it to address your company’s security in an organized, comprehensive, and holistic way. You can adapt the above elements to create a security program for your organization, or, if you need help, send us an e-mail at info@e-spincorp.com or visit our website at www.e-spincorp.com.

Everyone needs to have a security program because it helps you maintain your focus on IT security. It helps you identify and stay in compliance with the regulations that affect how you manage your data. It keeps you on the right footing with your clients and your customers so that you meet both your legal and contractual obligations. Its life cycle process ensures that security is continuously adapting to your organization and the ever-changing IT environment we live in. And, of course, it’s the right thing to do because protecting your data’s security is the same as protecting your most important asset.
