Information Security Awareness Program

Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with government and industry regulations such as FISMA, PCI, HIPAA, or Sarbanes-Oxley, it must provide security awareness training to employees to meet those regulatory requirements.

The benefit of a Security Awareness Program

A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset. Regular training is particularly necessary for organizations with high turnover rates and those that rely heavily on contract or temporary staff. Confirming how well the awareness program is working can be difficult. The most common metric looks for a downward trend in the number of incidents over time.

What is a Security Awareness Program?

An Information Security Awareness Program is an organized effort to make employees and customers aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks. While the program can be focused on one specific group (e.g., leadership), to be effective at maturity the program should address all stakeholders, including leadership, employees, customers (i.e., students), and partners (i.e., external service providers). As described in “… a Successful Security Awareness Program,” the program should include C-level support, partnering with key departments, creativity, metrics, ‘how-to’ information, and multiple methods of delivery.

Why an Information Security Awareness Program?

Community members must understand security and privacy compliance requirements.

  •  Breaches can have serious legal and financial implications.

  •  Certain breaches must be investigated and reported promptly.

Community members have a critical role in risk mitigation.

  •  Attackers are focusing on community members; they must understand the risks to their credentials and other dangers.

  •  Community members need to understand how to work with security solutions.

1) Establish an Information Security Program

Without an effective security awareness program, you'll find it difficult to help community members understand the risks they face, the secure methods they should use, and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. It is important to develop support from senior management for the information security program in order to ensure appropriate human resource allocation and financial support.

2) Develop a Security Awareness Plan

Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determine how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.

We provide materials and tools needed to develop your awareness plan and also provide examples of techniques used by other organizations. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year after year. But don't forget to "think outside the box" as you develop your plan!

3) Adopt and Modify "Key Messages"

Your audience will only have so much time and patience to hear your messages. Select your messages carefully, present them in an easily digestible format, and limit the number of concepts or topics introduced to your audience in each message. Remember, the typical attention span of an audience is 5-10 minutes. If your materials or presentation require more time, think about how to break up the content and re-ignite audience interest throughout the presentation. Here is a list of sample key messages that are common to most institutions:

  •  Unexpected e-mail messages that ask you to click on links, open attachments, or disclose sensitive information can be seriously malicious…learn about phishing now!

  •  Passwords that are simple, short, based on dictionary words, or lack upper and lower case letters, numbers, and symbols are easily guessed by hackers. Change your password now!

  •  Consider using passwords that are at least fifteen characters, passphrases, and/or two-factor authentication.

  •  Security is everyone’s responsibility. Ask about your role in protecting sensitive information today.

  •  Information security is a shared interest. Things you do to protect institutional data may very well help to protect your personal information as well.

  •  Information security breaches are serious, expensive, and can cause life-long impacts on victims.

  •  Institutions that think they have not been hacked probably just do not know that they have been hacked. Be humble; learn today what you can do to prevent a breach.
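As an added example that is not part of the original page, the following Python check turns the two password messages above into a concrete policy test: it flags passwords that are shorter than fifteen characters, based on a dictionary word (even after common letter-for-number substitutions), or missing a character class, and it accepts multi-word passphrases without demanding symbols. The small `WORDLIST` and the four-word passphrase threshold are constructed assumptions for the demo; a real deployment would use a full dictionary or breached-password list.

```python
"""Password-policy check illustrating the key messages above.

Added example, not code from the original page. The WORDLIST is a constructed
stand-in for a real dictionary or breached-password list.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 15           # "at least fifteen characters" from the key messages
PASSPHRASE_MIN_WORDS = 4  # assumption: four or more words counts as a passphrase

# Constructed sample dictionary; real checks use a much larger list.
WORDLIST = {"password", "welcome", "summer", "letmein", "admin", "qwerty", "dragon"}

# Common leet-speak substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Verdict:
    ok: bool
    findings: list = field(default_factory=list)


def _normalise(pw: str) -> str:
    """Lower-case, undo leet-speak and strip non-letters: 'P@ssw0rd1!' -> 'passwordi'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_dictionary_based(pw: str) -> bool:
    """True if the password is, or contains, a dictionary word of 5+ letters."""
    core = _normalise(pw)
    if not core:
        return False
    return core in WORDLIST or any(w in core for w in WORDLIST if len(w) >= 5)


def missing_classes(pw: str) -> list:
    """Names of the character classes (lower, upper, digit, symbol) the password lacks."""
    classes = {
        "lower": re.search(r"[a-z]", pw),
        "upper": re.search(r"[A-Z]", pw),
        "digit": re.search(r"\d", pw),
        "symbol": re.search(r"[^A-Za-z0-9]", pw),
    }
    return [name for name, hit in classes.items() if not hit]


def looks_like_passphrase(pw: str) -> bool:
    """Several words separated by spaces, hyphens or underscores, and long enough."""
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    return len(words) >= PASSPHRASE_MIN_WORDS and len(pw) >= MIN_LENGTH


def check_password(pw: str) -> Verdict:
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if is_dictionary_based(pw):
        findings.append("based on a dictionary word")
    # A passphrase gets its strength from length and word count, so the
    # character-class requirement only applies to single-word passwords.
    if not looks_like_passphrase(pw):
        missing = missing_classes(pw)
        if missing:
            findings.append("missing character classes: " + ", ".join(missing))
    return Verdict(ok=not findings, findings=findings)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Tr0ub4dor&3",
                      "correct horse battery staple", "xK9#mQ2$vL7!pR4z"]:
        v = check_password(candidate)
        print(f"{candidate!r}: {'OK' if v.ok else 'REJECT'} {v.findings}")
```

Run it as-is to see why "P@ssw0rd1!" is rejected twice over (too short and still "password" once the substitutions are undone) while a four-word passphrase passes without any symbol at all.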

4) Establish a Security Awareness Website

Establishing an information security awareness website allows you to communicate effectively and efficiently with members of your institution's community. It can quickly become a trusted resource to:

  • provide timely and updated information

  • compile external repositories of accurate information for more in-depth reading

  • act as your communication hub, promoting additional resources, such as Facebook pages, Twitter profiles, and RSS feeds

If you are creating or revamping your program's website, we can provide excellent tips, as well as links to experts in the field. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic.

5) Measure the Effectiveness of your Program Annually

One way of measuring the effectiveness of a security program is an annual user survey. This can be augmented with other types of data that you collect over time. Consider retaining yearly data for the following:

  • User awareness surveys

  • Number of incidents and help desk incident reports

  • Computers meeting baseline guidelines

    • Number of machines that have malware protection tools

    • Number of tickets on compromised machines

    • Number of requests for installing and updating malware protection tools

  • Number of stolen mobile devices

  • Participation in security events

  • Awareness quiz scores

  • Completion rate of security awareness courses (e.g. PCI, HIPAA, basic security, etc.)

Another way to measure success is to incorporate a “just-in-time” component into your program. For example, with your administration’s permission, launch a non-malicious simulated phishing e-mail to your audience quarterly. Connect those who do not recognize it as phishing and click on links in the message to an educational splash page. Count how many people reached the splash page and see whether, over time, more recipients recognize these messages as possible phishing and fewer click on the links.
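As an added example that is not part of the original page, the following Python code computes the "just-in-time" metric described above from a splash-page hit log. Each hit records the campaign quarter and the user who followed the link, so one person clicking several times is counted once, and the per-quarter click rate is fitted with a least-squares slope so a downward trend is decided from all campaigns rather than by eyeballing two quarters. The recipient counts and the hit log are constructed sample data.

```python
"""Quarterly phishing-simulation click-rate trend.

Added example, not code from the original page. RECIPIENTS and SPLASH_HITS are
constructed; in practice the hits come from the web server that serves the
educational splash page and the recipient counts from the campaign tool.
"""
from collections import defaultdict

# Constructed: how many people each quarterly simulated e-mail was sent to.
RECIPIENTS = {"2023Q1": 400, "2023Q2": 400, "2023Q3": 420, "2023Q4": 420}

# Constructed splash-page hit log as (quarter, user_id). Some users clicked the
# link more than once; those repeats must not inflate the count of people.
SPLASH_HITS = (
    [("2023Q1", f"u{i:03d}") for i in range(40)] + [("2023Q1", "u003"), ("2023Q1", "u003")]
    + [("2023Q2", f"u{i:03d}") for i in range(30)]
    + [("2023Q3", f"u{i:03d}") for i in range(21)] + [("2023Q3", "u005")]
    + [("2023Q4", f"u{i:03d}") for i in range(12)]
)


def unique_clickers(hits):
    """Number of distinct people who reached the splash page, per quarter."""
    per_quarter = defaultdict(set)
    for quarter, user in hits:
        per_quarter[quarter].add(user)
    return {q: len(users) for q, users in per_quarter.items()}


def click_rates(hits, recipients):
    """Fraction of recipients who clicked, per quarter; quarters with no mailing are skipped."""
    clickers = unique_clickers(hits)
    rates = {}
    for quarter, sent in recipients.items():
        if sent == 0:
            continue  # no campaign that quarter; avoid dividing by zero
        rates[quarter] = clickers.get(quarter, 0) / sent
    return rates


def trend_slope(rates):
    """Least-squares slope of click rate against campaign order (negative = improving)."""
    ys = [rates[q] for q in sorted(rates)]
    n = len(ys)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def is_improving(rates, tolerance=0.0):
    """True when click rate falls by more than `tolerance` per campaign on average."""
    return trend_slope(rates) < -tolerance


if __name__ == "__main__":
    rates = click_rates(SPLASH_HITS, RECIPIENTS)
    for quarter in sorted(rates):
        print(f"{quarter}: {rates[quarter]:.1%} of recipients clicked")
    print(f"slope per campaign: {trend_slope(rates):+.4f} -> improving: {is_improving(rates)}")
```

Keeping the raw hit log rather than only a running total lets you answer the follow-up questions the page's metrics list implies, such as whether the same people keep clicking quarter after quarter or whether the population of clickers is changing.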