Employees Security Awareness and Training Based On ISO 27001 Standards
- Importance of security awareness program
In the modern world, most organizations store their information electronically, and reliance on IT and technology keeps growing. In addition, most of today’s users have become ardent users of the internet. Continuous use of and exposure to the internet by staff predisposes the company’s information systems to external threats. Therefore, a security awareness program is essential if the company’s information is to remain secure.
Threats from organized crime have increased. Studies carried out by ENISA (2007, pg 22-23) show a high rate of internet crime in the recent past. These crimes involve malicious activities ranging from Trojans and phishing to zero-day threats. Such crime could be contained in the past; it is now a global threat. For this reason, organizations should take the awareness program into account and enhance their information security systems.
Much of the risk an organization faces concerning its information security is usually blamed on technology breakdown. This, however, is not the case; many risks to an organization’s information system are caused by the abilities or inabilities of its employees and other stakeholders, whose actions lead to security failures. Some actions by employees and organization personnel that would weaken the information security system are:
Disclosure of an organization’s sensitive information to third parties, which could lead to external attacks on the information system in the case of social engineering. Another such action is illegal access to information unrelated to an employee’s role, obtained by not following the procedures set forth by the organization’s management.
By employing a security awareness program, an organization teaches its employees the importance of safeguarding its sensitive information. It is also through this program that employees and other personnel learn the practices they can adopt to ensure sensitive information is handled safely and professionally.
Employees and other personnel are also made aware of the risks that accompany the mishandling of the organization’s sensitive information, and indeed of any information. Employees expose their roles in the organization to harm when they disclose or mishandle vital information.
Employees and personnel are taught to follow the right channels and procedures to obtain information, that is, only information relevant to their roles in the organization. Organizations should therefore put in place individual disciplinary actions for employees who mishandle information and cause a breach in the security systems.
- Impact of user awareness and training on company’s information security
Organizations that have introduced their staff to security awareness are less likely to face external threats, and they experience fewer security incidents involving organizational information.
Due to increased identity theft, customers have taken great precautions in the handling of their information. Organizations with security awareness have increased their customers’ confidence in them, which is a positive impact.
The information of organizations that have introduced the awareness program is more secure.
- Human resource security
In an organization, the roles of different personnel differ, and different groups of personnel have different responsibilities (ENISA, 2007, pg 10). For this reason, the different groups are exposed to different external threats, and each group should have a training program suited to the roles it takes.
Staff with specialized roles, such as cashiers and the procurement team, should receive special training aimed at improving their skill in detecting and preventing external attacks on the organization’s information.
- Planning and implementing the program
An organization that intends to start a security awareness program has to plan thoroughly and get ready to implement it. The planning stage involves the following processes.
The organization should identify the standards to which the program is supposed to conform and take these standards into consideration so as to come up with the best plan for the program.
Identification of the requirements of the security awareness program is another consideration during planning. These requirements should be drawn from the ISO international standards (ISO, 2011, pg 20). On meeting the requirements for the program, the organization is deemed ready to carry out the training.
It is part of the planning process for the organization to identify its goals, the risks to which it is predisposed, and its security policy. Understanding and identifying these aspects helps the organization formulate a suitable plan to carry out the program effectively.
In addition to identifying the above aspects, it is also important for an organization to identify all of its stakeholders. The stakeholders act as the main supporters in the planning and implementation of the security awareness program.
During the planning process, the information to be communicated to different groups is identified. This is necessary since different groups require different kinds of training. Depending on their roles in the organization, only relevant information should be included in each group’s training program. This helps reduce misunderstanding of the information by the people involved in the training.
The time and duration for delivering the content to the audience are also determined during the planning stage. It is advisable to be brief and to the point. Short delivery periods are necessary so as to avoid loss of focus by the employees, and being precise ensures that important information is passed on effectively.
The organization should decide how to deliver the content of the program to the target audience. The information should not be relayed to the audience all in one session. The delivery plan may vary depending on the audience and their availability; sessions can be held annually, monthly or even weekly depending on the organization’s plans and policies.
Methods to pass on the program’s information effectively should also be devised. For instance, people tend to receive and understand information more readily through mechanical, auditory or visual means. Depending on the target audience, the most effective method should be employed.
A committee is formed at the planning stage to help run and implement the program. Creating a committee is of great benefit since it ensures that all the organization’s plans are carried out accordingly and to the letter, so the program has the impact intended.
In the implementation stage, the organization should take responsibility for purchasing the materials required for the program to be implemented successfully. These materials should be among the requirements put forth during the planning stage.
During this process, documentation is necessary. Thus, the processes and methods to be used in measuring the success of the program are documented. Other factors considered in measuring success are the duration of the measurement and when it takes place; these are major factors that contribute to the complete evaluation of the program’s success.
Identifying the proper channels through which to communicate the results is also part of the implementation process, and this too is put in place through documentation.
After all the necessary preparations and precautions are complete, the training program is deployed using the methods outlined in the planning stage. All materials required for the implementation are provided and the process starts.
It may be necessary to put in place tracking mechanisms for the employees and other parties involved in the training program. Tracking enables the organization to keep a record of the employees and other personnel who successfully complete the program as required, along with when they complete it. Ways to evaluate the employees’ overall understanding of information security issues should also be defined.
Establishing a record of training attendance is one way to keep track of the employees.
- How to conduct security awareness program
Security awareness programs may be conducted in a number of ways, depending on an organization’s needs and the means available to present the program’s content to its employees. However, the effectiveness of the methods employed is a key factor.
An organization has a database in which employee contact information is stored. Email, being one of the most used methods of relaying information electronically, is an effective channel; sending employees and other personnel emails containing the program content is a way to enhance awareness of information security (INTERNATIONAL MARITIME ORGANIZATION, 2011, pg 234).
Information security team branding
The organization takes responsibility for appointing a security team. The team is responsible for scheduling training sessions with the employees and for ensuring that all the relevant content of the training is passed on effectively. This is an effective method of creating security awareness.
Cyber security awareness month
Security awareness is effectively promoted during Cyber Security Awareness Month. The month is set aside to educate the public and private sectors and create awareness through set initiatives and effective methods of information security awareness (CIAMPA, 2009, pg 45). It is specifically designed to mobilize people to stay safe online and to enhance the security of their information systems. An organization can benefit from the initiatives set in that month by encouraging its employees to take part in them, which makes sure employees are aware of security matters.
Social networking tools
Websites such as Twitter, Facebook and other social media sites are good platforms for passing on information to create security awareness (CIAMPA, 2009, pg 46-47). Since most people spend much time on social media, this is one of the most effective methods of passing on the intended security awareness content.
Training may also be conducted by giving personnel access to information that is available online and is meant to create awareness of security issues. This is therefore a great tool for creating awareness among employees.
- What areas should be covered in the security awareness program
The security awareness program should focus on the key areas that most affect information security systems. The main areas to be covered are passwords, social engineering, social networking, email, hacking, mobile security and even physical security (ENISA, 2007, pg 67-72).
Concentrating on these areas would be a milestone in stopping security-related threats and attacks. Equipping employees with techniques to protect information from social engineering attacks, for example, would help secure the organization’s information and thus improve its security.
Social engineering is an attack designed to deceive the users and administrators of target sites so that the attacker can acquire information hidden in the site. Through chatting on social sites and sending and receiving emails, social engineering can be used to acquire hidden information not intended for others.
Phishing is a form of social engineering in which the attacker attempts to obtain useful and sensitive information, such as passwords or payment card details, from a user. By creating awareness of this vice among employees, such security threats are eradicated and dealt with completely. Instilling knowledge of phishing and social engineering in general improves the security systems of an organization, so including this in the program is of great benefit to those receiving the training.
- Benefits of measuring the effectiveness of the program
Some organizations use a combination of different metrics to measure the effectiveness of the program (ENISA, 2007). This is one method that enables an organization to balance the effective ways of creating awareness among its employees.
The attack resistance method of program assessment (ENISA, 2007, pg 99) provides a way to evaluate the actual state of staff awareness. This information is then used by management in decision making: management can decide on the best awareness and security measures to take.
According to ENISA (2007, pg 99), the process improvement method involves assessing the program activities employed during the training process. This method of program assessment has proved easy to define and to gather information for.
The efficiency and effectiveness method (ENISA, 2007, pg 99) focuses on the actual experience of security incidents within the organization. With this method, data can be gathered easily from the security incident monitoring system, and the statistics gathered are used by management for performance evaluation.
- How to measure the success of the security awareness program
Attack resistance is a method in which the staff’s overall capability to overcome possible attacks is observed. According to ENISA (2007, pg 109), there are indicators that show whether staff are resistant to attack: staff may recognize possible external attacks, and they normally ask questions about security (ENISA, 2007, pg 112).
Internal protection is a method that monitors how well staff have secured their information from external threats. According to ENISA (2007, pg 115), indicators that show the extent of internal protection against attacks by staff are the extent to which individuals have protected their data with passwords, the extent of malware attacks on staff files, and the extent to which staff harbor inappropriate materials. Installation of unauthorized software is also an indicator of the extent of internal protection.
Number and type of incidents
This is one of the main metrics by which the effectiveness of the security awareness plan can be measured. Frequent occurrence of incidents is a clear indication that the security awareness program was not well understood (BIDGOLI, 2006, pg 115); employees not understanding the program would be a cause of continued security incidents in the organization. In an organization where the program has had a positive impact on employees, the frequency of incidents is minimal.
The types of security-related incidents that occur in an organization may also be a way to evaluate the success of the program. In an organization where the program takes effect positively, incidents related to information security are minimal or absent altogether.
Surveys may be conducted to gather information on the effectiveness of the security awareness program, using different surveying methods. Among the methods would be observation of the behavior of employees in the organization. Information gathered from the different parties is tabulated and assessed to give a result, from which the effectiveness of the program can be evaluated (BIDGOLI, 2006, pg 119).
Employees involved in the program are the main source of information in this method of assessing the success of the training (BIDGOLI, 2006, pg 115). Improvement in employees’ security behavior could indicate a positive effect of the awareness program. However, employees may exhibit negative feedback, which could indicate that the program has been ineffective.
Pre and post testing
In order to know how much knowledge employees and other personnel have of the organization’s information security, a pretest is assigned to them just before enrolment in the training program, and the results are kept. Another test is given to the employees and personnel after the training program is complete. Improvement in the test results shows a positive impact of the program on the employees’ knowledge.
Some people prefer computer-based training while others opt for instructor-based training. According to research by ENISA (2007, pg 67-73), comparisons between the two methods show that the tutor-based method proved more effective. Post-tests carried out on staff after training showed that more staff understood better through tutor-based training than through computer-based training.
Organizations planning to employ security awareness programs should evaluate the best methods to make the program effective. All the requirements set by ISO 27001 should be met, and proper planning and sufficient preparation should be done before the program is initiated.
Every organization ought to look for the approaches that best suit it. Sticking to simple ways that are cost-effective and produce the best results is the best approach (ENISA, 2007, pg 117). Employee and personnel evaluation methods should also be put in place. This ensures the organization’s information is kept out of the reach of third parties and hence remains secure. Special training should also be given to personnel with special tasks.
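The training attendance record, the count of incidents by number and type, and the pre and post testing described above are all measurements that an organization can automate from its own registers. The following Python example is added here to show how those three metrics fit together into one before/after summary; it is not part of the essay, ISO 27001 or the ENISA material, and the employees, scores, incident types, program date and 65% pass mark are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TrainingRecord:
    """One row of the training attendance register (constructed, hypothetical)."""
    employee: str
    pre_score: int                 # percent correct on the pretest
    post_score: Optional[int]      # None until the post-test is sat
    completed_on: Optional[date]   # None until training is completed


@dataclass(frozen=True)
class Incident:
    """One row of the security incident register (constructed, hypothetical)."""
    occurred_on: date
    kind: str                      # e.g. "phishing", "malware", "unauthorized_software"


# Constructed sample data: four hypothetical employees, one of whom never finished.
PROGRAM_DATE = date(2023, 3, 12)   # assumed boundary between "before" and "after"
WINDOW_START = date(2023, 1, 1)    # assumed start of the incident comparison window
WINDOW_END = date(2023, 6, 1)      # assumed end of the incident comparison window
TRAINING: List[TrainingRecord] = [
    TrainingRecord("alice", 40, 85, date(2023, 3, 10)),
    TrainingRecord("bob", 55, 70, date(2023, 3, 12)),
    TrainingRecord("carol", 60, 60, date(2023, 3, 12)),
    TrainingRecord("dave", 35, None, None),
]
INCIDENTS: List[Incident] = [
    Incident(date(2023, 1, 14), "phishing"),
    Incident(date(2023, 2, 2), "phishing"),
    Incident(date(2023, 2, 20), "malware"),
    Incident(date(2023, 4, 3), "phishing"),
    Incident(date(2023, 5, 9), "unauthorized_software"),
]


def completion_rate(records: List[TrainingRecord]) -> float:
    """Share of enrolled staff with a recorded completion date (tracking metric)."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.completed_on is not None) / len(records)


def not_completed(records: List[TrainingRecord]) -> List[str]:
    """Enrolled staff with no completion recorded, for follow-up."""
    return sorted(r.employee for r in records if r.completed_on is None)


def mean_improvement(records: List[TrainingRecord]) -> float:
    """Average post-test minus pretest score over staff who sat both tests."""
    deltas = [r.post_score - r.pre_score for r in records if r.post_score is not None]
    return sum(deltas) / len(deltas) if deltas else 0.0


def below_pass_mark(records: List[TrainingRecord], pass_mark: int = 65) -> List[str]:
    """Staff whose post-test score is under the pass mark (65 is an assumed threshold)."""
    return sorted(r.employee for r in records
                  if r.post_score is not None and r.post_score < pass_mark)


def incidents_by_type(incidents: List[Incident], start: date, end: date) -> Dict[str, int]:
    """Count incidents per type in the half-open window [start, end)."""
    return dict(Counter(i.kind for i in incidents if start <= i.occurred_on < end))


def effectiveness_report(records: List[TrainingRecord], incidents: List[Incident],
                         program_date: date, window_start: date, window_end: date) -> dict:
    """Combine the three metrics into one before/after summary for management."""
    return {
        "completion_rate": completion_rate(records),
        "not_completed": not_completed(records),
        "mean_improvement": mean_improvement(records),
        "below_pass_mark": below_pass_mark(records),
        "incidents_before": incidents_by_type(incidents, window_start, program_date),
        "incidents_after": incidents_by_type(incidents, program_date, window_end),
    }


if __name__ == "__main__":
    summary = effectiveness_report(TRAINING, INCIDENTS, PROGRAM_DATE, WINDOW_START, WINDOW_END)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the constructed data the report shows a 75% completion rate with one employee to chase, a mean score improvement of 20 points with one employee below the pass mark, and a drop from three incidents before the program to two after, which is the kind of evidence the text says management uses to judge whether the training was understood.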
BIDGOLI, H. (2006). Handbook of Information Security, Volume 3. Hoboken, John Wiley & Sons.
CIAMPA, M. D. (2009). Security awareness: applying practical security in your world. Boston, MA, Course Technology, Cengage Learning.
FAY, J. (2011). Contemporary security management. Burlington, MA, Butterworth-Heinemann.
INTERNATIONAL MARITIME ORGANIZATION. (2011). Security awareness training for port facility personnel with designated security duties. London, IMO.
MADDOCK, V. (2010). IT induction and information security awareness: a pocket guide. Ely, IT Governance Publishing.
REVELLE, J. B., & STEPHENSON, J. (1995). Safety training methods: practical solutions for the next millennium. New York, N.Y., J. Wiley and Sons.
ROPER, C., FISCHER, D. L., & GRAU, J. A. (2005). Security Education, Awareness and Training: SEAT from Theory to Practice. Burlington, Elsevier.
UNITED STATES. (1994). Security awareness overseas: an overview. [Washington, D.C.?], U.S. Dept. of State, Overseas Security Advisory Council.