Security Awareness Programs


While the majority of companies have recognized the need to address the technical protection of their information assets, not all have committed enough time and resources to ensure that the people factor has also been addressed.

This creates the exposure that, no matter how well designed and implemented the technical security is, it will be compromised through ignorance and maliciousness on the part of individuals. The most obvious weakness relates to how employees treat their IDs and passwords, but there are a variety of human interfaces that should be reviewed.

The answer to this is to have some form of annual program that informs and educates the staff. Some of the material is provided on an ongoing basis and rarely changes; other information is refreshed regularly to ensure that the message does not become background noise to an already busy employee.

Another aspect of the awareness program would be to ensure that key departments that are involved in or actively promote privacy and confidentiality issues know what their roles are and are prepared to respond when necessary. In an average organization this would include the HR, legal and internal audit departments as well as specific areas of the IT department.

Topics that the program should cover to varying degrees include:

  • The corporate security policies and where to find them
  • Annual acknowledgement of security responsibilities
  • Best practices in assigning and protecting passwords
  • How to contact the security department
  • Reporting strange occurrences — to whom and how
  • Social engineering — how to recognize it
  • Use and abuse of corporate resources
  • Response procedures to misuse involving pornography, hate mail or chain letters
  • Best practices to minimize virus infestation

Much of this material is available from a variety of sources and does not necessarily need to be generated internally. The key is to have a strategy and annual schedule of events that maintains the visibility of the need for security and hopefully engenders an increased awareness and level of vigilance within the organization.

