Friday, May 20, 2011

Information Security is a Human Enterprise

Editor's Note: This post builds on, and cross-posts, Robb Reck's article at InfoReck.

Security is viewed as a non-negotiable requirement of being 'in business'. [Allen, Julia. "Governing for Enterprise Security: An Introduction." June 2005.]

Every time I give a lecture, seminar, workshop or training session on security, I emphasize the point that information security implementation is a human enterprise. No organization will succeed in implementing information security without reaching the end point: the users.

The problem with not involving every employee in the implementation of information security is, in my observation, what happens when you let your IT people implement it entirely on their own: almost everything becomes a technical wish list at the end of the day.

Here's a good article by Robb Reck, "Every Employee, a Security Partner", and I fully subscribe to it.

The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day to day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program is built on. By using a well-tested framework we can ensure that our organization’s security needs are adequately documented. The policies are critical, but they are only the framework. To flesh out the program we need the actual implementation, and that’s where the rest of the staff comes in.

Another essential role of information security is in properly distributing the policies. Having a perfect set of policies and standards is one thing, but if it's never put into the hands of those who do the work, it is of very limited value. Security awareness training must be more than just a checkbox we check to get through an audit. Awareness of corporate policies and standards should be provided through formal training, but also through guerrilla marketing, regular staff meetings, reminder emails, and performance reviews.

Once the policies are in the hands of our entire staff, it is up to them to successfully implement data security. Whether the policy is password complexity rules, sensitive data handling, or secure coding standards, we depend completely on our employees to implement it. We cannot overlook any employee group; even the least likely-seeming employee will have access to our organization, and could be used as a jumping off point for an attack. A thorough and consistent security message, delivered to every area of the organization, is required.

In order to ensure that each employee hears the appropriate message, we need to customize their training to their daily experiences. There are some areas that every employee should be taught (secure password rules, avoiding tailgaters, how to spot an intruder); there are many others that are essential in some departments but unnecessary for others (secure coding standards, firewall configuration rules). By tailoring the training to the intended recipients we successfully reduce the amount they need to be taught, while making the training both more interesting and more effective.

Employees partnering in security can give us granular security knowledge that InfoSec cannot otherwise have.

Once we get our employees to view themselves as our partners in security, they will start to point out areas we missed. This provides us significantly improved insight to the organization as a whole. When we have the accounting team providing suggestions on how to improve accounting security, the DBAs helping with database security, and the call-center reps with our customer service process, we get the kind of granular level insight that one central InfoSec team could never have.

Another benefit of this kind of enterprise-wide security implementation is that our employees can work as a human intrusion detection system (IDS). As an example, last year when the "Here You Have" worm hit the internet, the employees at Intel immediately recognized this as malicious and provided the central IT/InfoSec departments a heads-up so they could take immediate action to prevent exploitation in their organization. The same thing can be said for any type of persistent threat. A server admin may notice continued bad authorization attempts from a specific IP, a receptionist may notice a stranger lingering around the entryway, or an HR employee may forward on suspicious emails that seem specifically targeted against the organization. In any of these situations, our employees can be a first line of defense, and prevent more serious exploits from occurring.

By integrating all employees as information security partners we not only improve the overall quality of our information security program, but we educate our employees to make better choices, both at work and home. By partnering with all our employees we add value to all sides. That sounds pretty good, doesn’t it?

Great article and well said, Robb.

People can become the most effective layer in an organization's defense-in-depth strategy, given [Ernst & Young. "Global Information Security Survey 2004."]:
  • proper training
  • education
  • motivation
Most of all, the implementation of information security in any organization should be championed by the executives, and the executives themselves should adhere to it; otherwise the initiative is a waste of effort and resources.
