The Importance of Security Awareness and Training
Security Awareness and Training are Important
Information security, like everything else, is a human enterprise and is influenced by factors that impact the individual. It is well recognized that the greatest information security danger to any organization is not a particular process, technology, or equipment; rather, the inherent danger lies with the people who work within the “system”. Therefore, IT security is a “people issue”, and awareness programs address common “people” problems.
We know that solutions for yesterday’s security issues are obsolete today, and the security solutions we have today may be obsolete tomorrow. The security environment is constantly changing and the variety of solutions is growing at a phenomenal rate. Awareness is a crucial element in addressing these issues.
Company-wide security awareness training and education initiatives, including but not limited to classroom-style training sessions, security awareness websites, helpful hints via e-mail, and even poster campaigns, can help ensure that employees have a solid understanding of company security policy, procedure and best practices.
A well-designed, effective awareness program reminds everyone — IT staff, management, and end users — of the dangers that are out there and things that can be done to defend the organization against them. Providing your personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of your organization’s business success.
If your personnel do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, you not only risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk being out of compliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset: corporate reputation.
Information security awareness, training and education are important for many reasons, including the following.
1. Regulatory Requirements Compliance
An increasing number of laws and regulations require some form of training and awareness activity within the organizations over which they have jurisdiction. Failure to train employees on products, processes, policies and practices could violate compliance requirements and expose enterprises to legal liability. Laws requiring security and privacy awareness or training programs apply to:
- The Federal Government (Federal Information System Security Managers’ Act)
- The Health Care Industry (Health Insurance Portability and Accountability Act)
- Financial Institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act)
- Publicly-traded Companies (Sarbanes-Oxley Act)
The Federal Information System Security Managers’ Act (FISMA) requires government agencies to report on their security awareness and training efforts annually.
The National Institute of Standards and Technology (NIST) has developed Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which addresses controls that Federal organizations are required to implement for unclassified information systems. One of those controls is “security awareness training”. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.
NIST also acknowledges that the awareness program must comply with Title 5 of the Code of Federal Regulations (5 C.F.R.) Part 930.301, whereby everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines 5 specific roles that must receive awareness training:
- All users
- Executives
- Program and functional managers
- Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers)
- IT function management and operations personnel
NIST SP 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in FISMA. The NIST Computer Security Handbook cites the importance of managers understanding security consequences and costs, so that they treat security as an important factor when making decisions.
OMB Circular A-130 requires that system users receive security awareness instruction prior to being granted access to the system, and it requires periodic refresher training for continued access.
2. Customer Trust and Satisfaction
Respect for customer security and privacy is one of the most important issues facing your company today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII).
To gain and keep customer trust, your company must exercise good judgment in the collection, use, and protection of PII. Not only do you need to provide training and awareness of this to your personnel, but you also need to use various awareness messages to keep your customers (with whom you already have a business relationship) and consumers (with whom you would like to have a business relationship, and who may have provided some information to you) informed about what you are doing to protect their privacy and ensure the security of their information.
All employees or companies directly handling or influencing the handling of your company’s customer PII should receive targeted security and privacy training before handling customer information. They should also receive ongoing awareness communications to reinforce security and privacy issues and requirements and help to embed such practices within their daily work activities.
3. Corporate Reputation
Reputation is another asset critical to organizational business success. Without a good reputation, customers leave, sales drop, and revenue shrinks.
A component of managing a good reputation is ensuring that personnel and business partners follow the right information security and privacy precautions to lessen the risk of compromising private information; such incidents will likely lead to some very unfavorable news reports and media attention.
In conclusion, government and industry organizations must protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment. The best way to achieve a significant and lasting improvement in information security is not by throwing more technical solutions at the problem, but by raising awareness and by training and educating everyone who interacts with computer networks, systems, and information in the basics of data, information, network and cyber security. Information security awareness programs serve a critical role in keeping an organization safe by keeping the user community vigilant against the dangers of intruders.
E-SPIN, as an end-to-end security solution services provider, supplies consultancy, technology and services that help clients obtain a holistic return on their security program and investment. Please feel free to contact E-SPIN for a package solution that goes beyond product technology and comes with consultancy, training and maintenance support for effective enterprise IT risk management best practice.