Compliance Scorecard - Is Your Security Awareness Program All It Can Be?
Your organization may have to (or, in the case of standards, feel compelled to) comply with any number of regulations, such as HIPAA, C-TPAT, PCI, NERC Cyber Assets, Title 18 (sentencing guidelines) or ISO 17799. What do all these regulations have in common? Security awareness and training program requirements. If you feel your department is adequately addressing these requirements by conducting a few training sessions a year, slapping up some posters or sending out some e-mails, you may be leaving your organization exposed to security awareness failures.
To test the basic robustness of your security awareness and training program, ask yourself if it appropriately addresses each of the following questions.
What: What risks impact your organization? Countermeasures: What measures are in place to mitigate the most potentially damaging risks, as defined by you and senior management?
Who: Who needs to be made aware of your organizational risks, and to what degree? Roles and responsibilities: Security is everyone's responsibility; as the expert, you can assist others in defining their roles. You may need to provide varying levels of advice or training to different groups of employees based on their functions and titles.
When: How often do you engage people in awareness activities?
How: How do you satisfy awareness and training requirements? Delivery: You may deliver your awareness and training messages in a number of ways, including e-mail reminders, posters, meetings, exercises/drills, newsletters, and intranet resources. The frequency and intensity of training may depend on your risks (What) and the responsibilities of individual employees (Who).
After you have developed your program around these questions, how do you know it is working? You need to develop your measures and metrics program to include awareness program effectiveness. Do not forget to tie your work into the areas of risk to which the board responds, so they can identify with your efforts.
Kathleen Kotwica is vice president of research and product development for the Security Executive Council. Prior to joining the council, she held a wide range of leadership positions, including information architecture consultant at a New England consulting firm, director of online research at CIO and CSO magazines, and research associate at Children's Hospital in Boston. For information about the Security Executive Council, visit www.csoexecutivecouncil.com/?sourceCode=std.