How to develop a culture of security in the enterprise


Michael Cobb, Contributor
01.13.2010


In October this year, the HMG Information Assurance Maturity Model and Assessment Framework was published. Its aim is to help senior information risk owners in government departments create an effective change programme to improve information risk management (IRM). The model is aligned with the security standard ISO/IEC 27001:2005 and incorporates the mandatory information related requirements of the HMG Security Policy Framework (SPF), a set of internal risk management and security practices and policies for government departments.

Although the model's target audience is government, it contains much useful guidance that is pertinent to businesses as well, particularly if they work with government and need to align themselves with the SPF.

A goal of any maturity model is to lay out a programme of work to achieve clear progress through easily identifiable milestones. The three goals in information assurance (IA) that this model focuses on are:

  • Embedding IRM culture within the organisation.
  • Implementing best practice IA measures.
  • Effective compliance.

I'm especially interested in the first goal -- embedding an IRM culture of security within the organisation -- because the speed of change in the way we do IT threatens to undermine even the best technology-based defences.

Getting employees and partners on board
The recent revelation by T-Mobile Inc. that its staff passed on customer records to third-party brokers shows that employees still pose one of the biggest threats to security. In the future, information assurance will be a key asset if it is embedded within the way an organisation, its partners and suppliers do business. This is particularly important in the context of cloud computing and shared services, which require trust in third parties.

There are five levels within this model, and I really like the fact that the framework stresses the need for board-level awareness and involvement, requiring procedures to be in place so the main board is able to understand and manage information risk.

In the maturity model, there's quite a jump from Level 1 "Initial" to Level 2 "Established" as it looks for IA processes to be "institutionalised" within the organisation, its delivery partners and its third-party suppliers.

Levels three to five require increasing levels of IA awareness and measured improvements in IRM behaviours, not only within the organisation, but also within its partners and suppliers. The goal is for IA to be a fully integrated aspect of normal business and seen as a business enabler, as staff attitudes and actions towards IA align to the needs of the business.

Beyond information security awareness training
To achieve such goals and develop a culture of security, basic security awareness and data handling training is no longer enough. It has to be delivered in such a way that employees don't just know how to handle data securely but come to regard security as a passion and a true company value. Your training programme has to make it clear that information security is an integral part of everyone's job, with ownership, responsibility and accountability for risk made explicit in policies and job descriptions.

Many attacks aimed at obtaining confidential data rely on social engineering to be successful. Social engineers use psychological triggers such as appealing to someone's innate curiosity or natural desire to help.

Your staff needs to know that they are vulnerable to social engineering manipulation. They should be trained in how to respond to requests for data, whether via email, pop-ups or some other ruse. By laying out clear policies on how data is to be handled, you will ensure that employees will not be in a position where they have to consider whether or not certain information can be given out; this helps employees defend against the psychological triggers used by social engineers.

Before you start a round of security awareness training, though, check that your security policies are up to date, particularly sections covering the acceptable use of newer technologies such as smartphones, Skype and Twitter. Decide which communication channels can and can't be used to exchange sensitive information. Training should ensure that employees know how to identify confidential information and understand their role in protecting it. Employees must know what kind of information a social engineer is after, which kinds of request are suspect, and how they might be manipulated. You're almost aiming for an environment where, if any request for sensitive information is made, the first reaction is to think, "No."

Due to continually evolving technologies and threats, you will need to update and repeat your awareness programmes as you update your security policies. Because security policies are unique to an organisation, I've found that generic training packages are nowhere near as effective as those that have been tailored to reflect an organisation's own policies and environment. For example, if ID badges have to be worn at all times or visitors must always be escorted by a member of staff, then this can be reflected in the training with examples that staff will recognise as relevant to their own situation.

Do make sure training is rounded off with a test. This allows you to measure not only the effectiveness of the training but also to report on progress in establishing an IA culture. I have found that by offering small prizes you can greatly improve people's active participation in training. Prizes for the first department to get its entire staff through the course, or for the top ten scores, help demonstrate that security awareness is valued. Even just posting average scores by department can help motivate people to do better next time and encourage continued compliance.

Embedding a culture of security within an organisation is no overnight task. You're never going to be able to "patch" employees like you can software, but you need a similar programme to keep employees up to date with the latest threats. The Information Assurance Maturity Model gives you a good benchmark against which to measure your progress in achieving a security-aware workforce.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
