Information Security - Security Awareness
Security Awareness
Regulatory Requirements for Awareness and Training
Information security means protecting information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. A policy can be described as a set of principles intended to manage actions. An Information Security Policy (ISP) is a defined set of principles intended to protect information and information systems by controlling the actions allowed within an organization.
There is not a single off-the-shelf approach to implement ...
Consequently, while the organizational security strategy sets the scope and definitions for the overall security posture, a Security Awareness Program is the targeted effort that brings those concepts and directives to life in the day-to-day operations of the company and, specifically, of its employees. The protection of this information is at the heart of an organization's information security program. A security awareness program is an essential component of an organization's overall security strategy; it is the human knowledge and behavior that the organization relies on to protect against information security risks. The awareness level of an employee is a significant part of a comprehensive security posture because many of the vulnerabilities an organization must address rely on human intervention. Educating and empowering the workforce through policies and procedures fortifies the layers of the defense strategy referred to as Defense in Depth. A Defense in Depth strategy involves a balanced focus on three primary elements: People, Technology and Operations. Awareness, not just technology, is a key factor in an organization's goal to improve governance, protect assets through education and empowerment, and reduce risk.
Many organizations find themselves creating a security awareness program in response to legal or regulatory requirements concerning data protection. Certain regulations are very specific about the requirements for security awareness and training. Other regulations simply require safeguards that are appropriate and applicable to the size and type of organization and the desired security posture. In such cases, agencies responsible for regulatory enforcement and internal or external auditors must rely on industry-accepted best practices or frameworks for guidance. Control Objectives for Information Technology (COBIT®), along with others such as ISO/IEC 17799:2005 (now ISO 27002) and the Organization for Economic Co-operation and Development (OECD) Privacy Principles, is one of the popular best-practice frameworks. COBIT provides managers, auditors, and information technology users with a set of generally accepted measures, indicators, processes and best practices to help them take full advantage of the benefits derived from the use of information technology and develop appropriate information technology governance and control in an organization. This methodology is not new to the industry. Although repealed by the Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.), the United States Computer Security Act of 1987 (Pub. L. No. 100-235, 101 Stat. 1724, 1987) required that "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency."...