The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [132]
One method to keep security at the forefront of employee thinking is to make information security a specific job responsibility for every person in the enterprise. This encourages employees to recognize their crucial role in the overall security of the company. Otherwise there is a strong tendency to feel that security “is not my job.”
While overall responsibility for an information security program is normally assigned to a person in the security department or the information technology department, development of an information security awareness program is probably best structured as a joint project with the training department.
The ongoing awareness program needs to be creative and use every available channel for communicating security messages in ways that are memorable so that employees are constantly reminded about good security habits. Methods should use all of the traditional channels, plus as many nontraditional ones as the people assigned to develop and implement the program can imagine. As with traditional advertising, humor and cleverness help. Varying the wording of messages keeps them from becoming so familiar that they are ignored.
The list of possibilities for an ongoing awareness program might include:
• Providing copies of this book to all employees.
• Including informational items in the company newsletter: articles, boxed reminders (preferably short, attention-getting items), or cartoons, for example.
• Posting a picture of the Security Employee of the Month.
• Hanging posters in employee areas.
• Posting bulletin-board notices.
• Providing printed enclosures in paycheck envelopes.
• Sending email reminders.
• Using security-related screen savers.
• Broadcasting security reminder announcements through the voice mail system.
• Printing phone stickers with messages such as “Is your caller who he says he is?”
• Setting up reminder messages to appear on the computer when logging in, such as “If you are sending confidential information in an email, encrypt it.”
• Including security awareness as a standard item on employee performance reports and annual reviews.
• Providing security awareness reminders on the intranet, perhaps using cartoons or humor, or in some other way enticing employees to read them.
• Using an electronic message display board in the cafeteria, with a frequently changing security reminder.
• Distributing flyers or brochures.
• And think gimmicks, such as free fortune cookies in the cafeteria, each containing a security reminder instead of a fortune.
The threat is constant; the reminders must be constant as well.
WHAT’S IN IT FOR ME?
In addition to security awareness and training programs, I strongly recommend an active and well-publicized reward program. You must acknowledge employees who have detected and prevented an attempted social engineering attack, or in some other way significantly contributed to the success of the information security program. The existence of the reward program should be made known to employees at all security awareness sessions, and security violations should be widely publicized throughout the organization.
On the other side of the coin, people must be made aware of the consequences of failing to abide by information security policies, whether through carelessness or resistance. Though we all make mistakes, repeated violations of security procedures must not be tolerated.
Chapter 16
Recommended Corporate Information Security Policies
Nine out of every ten large corporations and government agencies have been attacked by computer intruders, to judge from the results of a survey conducted by the FBI and reported by the Associated Press in April 2002. Interestingly, the study found that only about one company in three reported or publicly acknowledged any attacks. That reticence to reveal their victimization makes sense. To avoid loss of customer confidence and to prevent further attacks by intruders who learn that a company may be vulnerable,