
The Security Planning education campaign involves a variety of issues that relate to the human component of information security. This section is designed to help get you oriented to the subject by providing a basic blueprint for building your own Security Planning initiative as well as providing practical advice from published sources. We welcome your suggestions. Please send article or publication referrals to Security Planning.

Blueprint for building a Security Planning initiative

Here is a brief overview of the major elements you should consider in building a Security Planning initiative within your organization.

8 Essential Steps to Building a Security Planning Initiative

  1. Get top management buy-in and commitment

    Like most initiatives, improving information security awareness across your organization requires the buy-in and commitment of top management. Changing attitudes and behavior begins at the very top with your CEO and executive management team. Fortunately, there appears to be a trend toward more top management involvement in information security issues.

    It may help to make your case to the executive management team with a presentation and discussion of the importance of the "human side" of information security. See the trade journal article links below to help bolster your arguments. In many cases, recruiting an individual on the executive management team in advance to act as your "Security Planning" champion will make a big difference. The key is to get your executive management team to regard information security as a business enabler that helps support the growth and well-being of your organization, not just an IT department expense.

    The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting information security issues:

    • Is our security policy enforced fairly, consistently and legally across the organization?
    • Would our employees, contractors and partners know if a security violation was being committed?
    • Would they know what to do about it if they did recognize a security violation?

    Emphasize that an information security awareness initiative can help them answer these questions. When you raise these issues of information security awareness, be sure you are ready to propose some initial steps to remedy the situation. Some of those steps are listed here. Obviously, you will need to adapt them to your specific situation as you develop and carry out an information security awareness action plan.

  2. Assign and clarify roles and responsibilities

    One of the biggest obstacles to improving information security awareness and behavior is a lack of clear-cut roles and responsibilities. You may want to set up an information security task force that includes your Chief Information Officer, Chief Security Officer or head of IT Security, Internal Audit Manager, Physical Security Manager, as well as others from Legal and Human Resources departments.

    Beyond forming a lead committee of professionals representing various departments, information security needs to be considered as an ongoing function within the organization. In some cases, information security responsibility has been assigned to a few technical individuals in the IT department. These individuals rarely have the time or the authority to carry out an organization-wide security awareness initiative. Therefore, it's essential that one person have designated responsibility as "chief" of information security, and that this person be evaluated and compensated based on information security tasks and responsibilities. Larger organizations often appoint a "Chief Security Officer" or CSO, who may also serve as privacy officer, since security and information privacy issues frequently overlap.

    In any case, it is important to spell out information security functions in job descriptions, organizational structures and reporting relationships. In his new book Information Security Roles & Responsibilities Made Easy, information security consultant and Security Planning Council member Charles Cresson Wood writes that unfortunately "management at many organizations has never clearly stated its intentions about the work it wanted an information security function to perform. It's hard to do a 'good job,' if you don't know what your job is supposed to be. As perverse as this situation may sound, many information security specialists have been asked to do just that. When things go wrong, they often get blamed even though they didn't know these same things were important."

  3. Create an Action Plan with a budget

    Information security action plans should start with an assessment of the relative value of information assets within your organization. This typically involves some sort of risk management assessment and process. You will probably want to get an information security professional or consultant involved in helping to determine what to protect and how far you need to go to safeguard specific kinds of information. The key here is to prioritize the value of information within your organization so that you can develop a plan and budget to address the most important information assets first.

    InformationWeek magazine's Global Information Security Survey revealed that nearly 40% of companies still don't classify the sensitivity of their data. As Pete Lindstrom, security analyst with Hurwitz Group points out, "If you don't know how much something is worth, it's kind of hard to determine how much you should spend to protect it."

    Many information security industry groups (See Helpful Websites section of this Web site) offer published material that can help explain information security plans and strategies. Two recent books on the subject may prove helpful. They are Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier and Security Transformation: Digital Defense Strategies to Protect Your Company's Reputation and Market Share by Mary Pat McCarthy & Stuart Campbell.

    Obviously an organization-wide information security plan without a budget has little likelihood of being effective. When treated as a business enabler, rather than simply as an added IT expense, information security deserves an ongoing budget for staffing as well as security awareness policy and awareness programs. The Computer Security Institute (www.gocsi.com) has published results of a survey entitled "Information Security Staffing Levels: Calculating the Standard of Due Care," in its Spring 1998 Journal. The survey helps to establish some quantitative reference points for security professionals. The survey is in the process of being updated.

    While the human side of information security has often been neglected in the past, keep in mind that technical security personnel need to be intimately involved in any security awareness program and its staffing. The technical and human sides need to be integrated with each other for your plan to improve overall information security.

  4. Develop and/or update information security policies

    Information security policies provide the guidelines for what is considered acceptable and unacceptable behavior when it comes to safeguarding information. Well-defined policies that are read and understood by everyone involved in handling sensitive information are one of the best ways to improve protection of vital information assets. Yet InformationWeek magazine's just-published Global Information Security Survey revealed that half the companies responding have not written down their security policies and 7% have no information security policies at all.

    Information security policies must be aligned with business goals to be effective. In the past, security policies have all too often been regarded as constraining or contradictory to business "performance" goals and thus pushed off the priority list for many organizations. The goal today is to weave in information security practices as essential to conducting business safely and securely.

    While some information security policies will apply to just about everyone who either works in or works with your organization, others will be directed to specific groups. An example of a universal information security policy might describe the way all email attachments are to be handled. Other policies will apply to more specific groups within the organization, such as technical IT staff who maintain and administer web servers, or sales staff using wireless PDAs.

    Beyond the formation of policies, it is essential to make sure policies are distributed, read and understood by those who must abide by them. Traditional forms of policy dissemination such as printed booklets or binders are being supplanted by electronic communications that publish policies on internal Web sites or Extranets. This allows for much easier, automated distribution and updating of relevant information security policies. There are also automated tools available to help measure understanding and compliance by employees and others who need to comply with security policies.

    Sources for learning more about information security policy development include:

  5. Develop an organization-wide Security Awareness/Education program

    Based on a foundation of a risk assessment, defined information security roles and responsibilities, an action plan with budget and officially sanctioned policies, an organization-wide security awareness program can then be implemented to communicate with employees and other individuals involved in handling sensitive or confidential information.

    In communicating any important organizational policy, such as workplace safety or official policy on sexual harassment issues, the goal is to heighten awareness, change attitudes and influence behavior. One of the best ways to do all three is to make people aware of the threats and consequences of an information security breach as they relate to your specific organization or situation. Making consequences real by illustrating the potential harm of security incidents helps to personalize the message and make it more relevant to people. Any security awareness program needs to be creative and engaging, if not "entertaining," to reach an audience that's pressed for time and often overloaded with competing messages.

    One way to research and launch an information security awareness program would be to use the "Test Your Security Awareness" survey on this Web site's home page. An information security professional who fills out the online organization survey can then email up to 30 employees or others and encourage them to test their own security awareness. Results can be used by an information security professional to pinpoint areas of weakness and focus on specific security awareness goals.

    There are several sources listed here that can help you put together your own security awareness program. See also the Resources section of this Web site.

  6. Measure the progress of your Security Awareness/Education efforts

    While measuring the results of a security awareness program is important to evaluate progress, it is fast becoming a necessity in specific industries such as financial services and healthcare, where new regulations governing privacy and security require that organizations act in good faith to communicate policies and procedures, and are able to prove they have done so.

    Take our free survey that enables professionals to benchmark their security management efforts based on the global ISO 17799 standard. To ensure an accurate report, you should plan to take 30 minutes to an hour to complete this survey. After completion of the survey, you will get a SCORE and REPORT that compares your security management practices with others in your industry and peer group. You may consider conducting it before and after a major awareness effort in your organization, comparing the results from a sampling of employees, contractors, trusted partners and others. Other measuring techniques include "spot checks" of employee work areas, tracking the number of security incidents over time in a "before and after" comparison, or literally testing people on their awareness and comprehension of specific procedures and policies using automated software tools.

    Prepare a report of your findings for top management as a follow-up to your information security efforts. Help reassure them that you've made progress in answering the key questions posed at the beginning of this blueprint:

    • Is our security policy enforced fairly, consistently and legally across the organization?
    • Would our employees, contractors and partners know if a security violation was being committed?
    • Would they know what to do about it if they did recognize a security violation?

  7. Adapt and improve your Security Awareness/Education programs according to progress/feedback

    As an ongoing function, information security needs to be treated as a continuous cycle of planning, action, feedback and improvement. Because information technology evolves so rapidly (e.g. the recent explosive growth of wireless communications) in today's marketplace, the human side of information security must try to keep pace by building on a strong "Security Planning" foundation.

    The human side of information security has to be integrated with the technology side in order to significantly improve our overall protection of valuable information assets. By sharing our experiences and knowledge, we can refine our educational awareness efforts and build a Security Planning initiative that reinforces our technical firewalls, so that both work better together.

  8. Develop an information security incident response team and plan

    Just as an organization should have some kind of a disaster recovery plan in the event of a natural disaster such as a flood, so should you have a plan for managing information security incidents that are detected and/or reported by employees and others. Designating a security incident response team will help you to establish proper procedures in advance and greatly increase the odds of resolving any incidents quickly and effectively. It's important that anyone responsible for assuring information security understand the process for reporting any suspected incident.

    Information security incident response is a complex process usually involving several different people, and it's likely that you'll want to involve experts who have experience in the field to help you plan and perhaps even manage the process. Several information security portals with Web sites listed in the Resources section of this Web site can provide further information and referrals to consulting firms that offer incident response services.

    To report information security incidents, go to http://www.nipc.gov/incident/incident.htm or http://www.infragard.net/ireporting.htm in your web browser. These sites provide forms that will assist you in reporting security incidents to the appropriate government organizations. This does not mean every reported incident will involve criminal or law enforcement personnel, but it does help to track the type and number of incidents that occur. Your own organization's legal department will need to meet with information security staff to determine proper procedures for any prosecution or follow-up to an information security incident. Reporting information security incidents is essential if all organizations are to help and learn from one another.

    NOTE: This blueprint represents only the most basic steps necessary to build a Security Planning initiative and improve the protection of your precious information assets. We encourage you to continually update and educate yourself on the issues and solutions available. The www.intek.net Web site will feature news and events that will help you learn more, so please check back with us often.

Top 10 most common info security mistakes made by individuals

The following list is a compilation of mistakes identified by security experts as those most commonly made by employees, often unknowingly, that put their organization's information assets at risk. The list is based on an article by Alan Horowitz in Computerworld, July 9, 2001, and a press release from the @stake European office, May 1, 2001, and not much has changed since. Compare their list here with your own behavior. How many of these mistakes have you made, and which could you easily avoid with a little attention?

  1. Passwords on Post-it Notes

    The ubiquitous Post-it Note appears to be a major crippler of security measures. Leaving a note with your valid password written on it posted near your computer monitor is the most frequent violation of information security policy (some experts say one out of five employees are guilty). It's too easy for someone to copy it down and gain seemingly legitimate access to your systems using your password. It's the equivalent of identity theft. Toss those notes into the shredder and change your password now.

  2. Leaving your computer on, unattended

    Too many people simply leave their computers on and walk away to do other things. Didn't your parents teach you to turn out the lights? The point isn't to save energy, it's to save your company from a potentially costly and embarrassing computer breach. Even passwords are worthless when someone can simply access your network systems while you are absent.

  3. Opening e-mail attachments from strangers

    The Love Bug virus cost businesses billions of dollars worldwide. There is no substitute for looking a bit before you leap and open any email. There's a reason why these types of cyber attacks are so successful: trust and curiosity in human nature can easily be abused. Don't let it be you unknowingly spreading the latest computer virus.

  4. Poor password etiquette

    Everyone should take a quick course in password etiquette. Don't let your default password remain as your primary password. Don't enter the same password you've always had when the system asks you to change your password. Be original; think of your own combination of letters and numbers. This goes for IT professionals as well. Failing to set a password in Microsoft's server admin system leaves a default password in place that can easily compromise your whole corporate network.

  5. Laptops on the loose

    While theft of a laptop computer loaded with company secrets can happen in the airport, it's just as likely to happen from your office overnight. Lock your laptop in a desk drawer, out of sight, to minimize the risk or the temptation for it to walk off.

  6. Blabber mouths

    Talking about your passwords, or about confidential information over lunch, in the break room, after work in a public drinking spot, or at the gym only increases the risk of someone gaining access to information they are not authorized to know.

  7. Plug and Play without protection

    In the rush to get things going, too many folks plug modems straight into servers, or servers straight into the Internet, bypassing routers with firewalls or other corporate security measures. Like calling the phone and cable company before you start digging holes in your backyard, check with your corporate security officer before you plug and play.

  8. Not reporting security violations

    You may be vaguely aware of corporate security policies, but it's important to know what's kosher and what's not. And you have to be willing to report a breach of security if you observe it in another individual. It's no time to worry about being a tattletale. Your company's success (and your job too) depends on prompt action to avert or respond to a security incident.

  9. Always behind the times (the patch procrastinator)

    One of the biggest vulnerabilities of any system is the failure to install updates and patches for deployed software. Updates often close security holes that are already known to attackers. Ignoring them or putting them off for another day could cost you and your company dearly.

  10. Keeping an eye out inside the organization

    While most managers believe an information security breach will come from an outside intruder, they are wrong. The biggest risk comes from within: disgruntled employees, laid-off employees, a less than ethical contractor, or a partner working both sides of the fence. Every employee has to be responsible for themselves and for the behavior they observe in others. "Only you can prevent security incidents," says Smokey the anti-hacker.

Helpful articles and background information

Listed here are recent articles from various media that focus on key Security Planning issues.

  • "Can Someone Help Me Remember My Password, Please?" Revolution
  • "Lack of Training Leads To Serious Security Lapses" Personnel Today
  • "People Are The Weak Links In IT Security" by Stefan Hull, The Argus
  • "Users Spill Password Beans" by Liesbeth Evers, Network News
  • "Preventing Information Loss: Strengthening a Weak Link" by Josh Ryder, SecurityPortal
  • "Employees: Your best defense, or your greatest vulnerability" by Neal O'Farrell, a searchSecurity.com advisor
  • "Top Ten Security Mistakes" by Alan S. Horowitz, Computerworld
  • "Human Error May be No. 1 Threat to Online Security" by Jaikumar Vijayan, Computerworld
  • "Government, Companies Cracking Down on Security Lapses" by Brian Ploskina, Interactive Week
  • "The Weakest Link" by Bill Scanlon, Interactive Week
  • "Panel: Better privacy and security require 'cultural evolution'" by Kathleen Melymuka, Computerworld