Building a Security Awareness Program
- Addressing The Threat From Within -
Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA
Each day organizations are faced with an increasing number
of threats. While hackers and viruses are attacking from the
Internet, social engineers or disgruntled employees may be
circumventing security from within. A formal security awareness
program is required to help address these threats by educating
employees. The primary goal of the program should be to recognize
threats and vulnerabilities and respond to them appropriately.
awareness program should begin with the support of senior
management. Ideally the CEO launches the program by sending
an e-mail. The CEO's message should briefly summarize threats
and state that security is the responsibility of everyone
in the organization.
next step is to create or revise the organization's security
policies and require employees to sign them. Job descriptions
and performance reviews must also include security responsibilities.
All employees should attend an annual security briefing
and receive an awareness handbook.
security awareness tips by e-mail about once every two weeks.
Tips should advise of best practices and reinforce policy.
Here are a few topics to start off with:
Destruction of sensitive materials
Systematic removal of accesses
Don't be afraid to say no
Piggybacking and tailgating
Backup your data
training methods include luncheons, a security web site
and awareness posters. Each site should have a security
representative to assist in the awareness program and address
security incidents. Information security day is another
effective way to bring security to the forefront of everyone's
audits also raise awareness. Consider implementing office
space reviews and annual self-assessment surveys.
key is to make security a part of everyone's day without
being obnoxious or repetitive. An awareness program requires
creativity and constant care and feeding.
awareness program cannot be conducted in a vacuum. Ensure
that security does not negatively impact productivity. Consider
the current security culture and choose your battles. It
takes time to make a change.
lead by example. If you believe in security and explain
why, it is much easier to bring others around to your way
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission