One of the key success factors of an effective Information Security (IS) implementation is a comprehensive training and awareness program that is embedded in the organization’s culture. My experience tells me such a program should take a top-down, bottom-up approach that features content that is demonstrable and easy to understand.
Here are a few thoughts on making such a program effective and relevant:
First and foremost, top management commitment has to be demonstrated through periodic dissemination of the organization’s IS policies, leveraging a multi-mode communication mechanism (emails, posters, floor-walks, desktop wallpapers, screensavers, desk standees, kiosks, etc.).
The critical success factor is how well top management acts as role models for its employees. Their actions will influence and enhance policy compliance and awareness levels among employees.
From a user perspective, the individual has to realize that their actions make a significant impact with respect to safe and secure practices of information security. They need to take ownership and adhere to the organization’s policy practices.
It is prudent to ensure that the user community is apprised of:
- Safe and secure practices, illustrated through real-life examples (e.g., best practices) as part of information dissemination initiatives
- The organization’s risk profile and the related controls, implemented to safeguard the information and information processing assets
- Incidents that lead to loss or negative impact on the organization and/or individuals if safe and secure practices are not followed
- Legal implications (e.g., class action suits, penalties, etc.) if confidentiality, integrity or availability is breached or compromised
- Consequences of noncompliance with the ever-increasing statutory and regulatory requirements for IS and data privacy
- Customer expectations, as reflected in contractual obligations or customer feedback, especially if sensitive data is maintained by the service organization
- Business losses, customer dissatisfaction, and damage to reputation or brand image resulting from a lack of understanding or adoption of safe and secure information security practices
- Liability for any violation of the organization’s policies and practices, whether intentional or unintentional and irrespective of the individual’s status of association with the organization, i.e., the confidentiality of the information must be maintained at all times
- Adherence to the requirements of nondisclosure agreements, intellectual property rights and copyright at all times
Adopting a robust awareness program provides an assurance to customers and all other stakeholders associated with the organization that their information is maintained by the service provider organization safely and securely at all times.
Recognize and reward the employees (either individually or as teams) who demonstrate healthy practice of IS policies. Similarly, reprimand those who do not fall in line and deviate from mandated policies and practices.
Last but not least, establish accountability at all levels through a no-exception policy for violations of IS policy requirements. Ensure that these measures are also considered in individual performance review discussions. This will bring significant change in the way IS awareness is perceived and understood across the board.
(About the author: V J Srinivas is information security lead with the ISACA. This post originally appeared on his ISACA blog, which can be viewed here)