Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
Security Awareness Program

An awareness campaign is the foundation of an effective information security program. It has three objectives: (1) ensure that all personnel are aware of common threats and familiar with security policies and procedures, (2) foster a culture of security, and (3) demonstrate the active support of senior management and information security personnel.

Here are tips for establishing a strong security awareness program within your organization:

1. Establish an Awareness Slogan: An awareness slogan gives life to the information security program. My favorite is "The key to security is embedded in the word itself: SEC-U-R-IT-Y" or "Security, you are it" for short. Include your awareness slogan in e-mail communications, presentations, etc.

2. Build a Security Awareness Site: Create an internal security web site to provide personnel with access to security resources. Post policies, a list of security personnel, an incident response number, awareness tips, etc.

3. Get Senior Management Involved: An awareness program championed by the business has much more impact than one solely supported by security personnel. After obtaining the proper endorsements within your organization, ask for a meeting with the CEO. Briefly explain the components of your awareness program and how critical it is to the security posture of your organization. Finally ask the executive to send an e-mail to all personnel summarizing the importance of the information security program and explaining that security is everyone's responsibility. Offer to submit an e-mail template before you leave. The message should include your awareness slogan and announce the new security intranet site.

4. Distribute a Security Book to the Execs: The cost of sending a book to C-level executives has the potential for a great return on investment. Carefully select the appropriate book and write an effective letter to accompany it. If politically feasible, ask the CEO to send the book to his/her direct reports. This simple act can have widespread impact throughout the organization.

5. Send Security Awareness Tips: Awareness tips are a great way to educate personnel and keep policy fresh in their minds. Send tips to ALL personnel by e-mail at least monthly. Start with core messages advising of common threats, countermeasures and security procedures. Your program should also include a distribution of awareness tips targeted by job function.

6. Conduct Office Space Reviews: Office space reviews measure the effectiveness of a security program by assessing compliance with security policies. As a function of the awareness program, distribute general statistics by building or site (e.g. the number of instances of sensitive material left unattended).

7. Market the Security Program: Marketing is a subtle way to keep security in the minds of all personnel. Hang security posters in common areas. Distribute awareness calendars. Create an attractive mouse pad with your organization's logo, awareness slogan and incident response phone number included. Establish permanent distribution channels such as giving a calendar to new employees and bundling mouse pads with new PCs.

8. Establish Mandatory Training Sessions: All personnel should attend security training on their first day and on an annual basis thereafter. Topics should address basic security policies (e.g. physical security practices, locking workstation screens, clean desk policy, etc.). Web-based training should include a testing component.

9. Keep the Program Fresh: An awareness program requires creativity and constant care and feeding. Keep apprised of new awareness resources and techniques by subscribing to newsletters and forums.

10. Request Funding: An awareness program needs to be adequately funded in order to be successful. Present management with a budget for the above awareness initiatives and ongoing maintenance activities.

An awareness program addresses the "people" in people, process and technology. For more information, refer to the resource web site below. It contains links to security awareness tips, awareness program guides, posters, newsletters and forums.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.virtualcso.com

http://www.ussecurityawareness.org/highres/security-awareness.html


Posted: Sun Nov 5, 2006 3:19 pm



Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.