
Tuesday, May 12, 2015

Information Security Professionals: Roles & Responsibilities

In the software development industry, information security is best initiated from the top down.

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. This article describes the typical information security responsibilities of various professional roles in an organization.

The senior technology officer is typically the Chief Information Officer (CIO), although other titles such as vice president of information, VP of information technology, and VP of systems may be used. The CIO is mainly responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The CIO translates the strategic plans of the organization as a whole into an information strategy for the information systems or data processing division of the organization. Once this is accomplished, the CIO works with junior managers to develop tactical and operational plans for the different departments and to enable planning and management of the systems that support the organization.

The Chief Information Security Officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two. However, the recommendations of the CISO to the CIO must be given equal, if not greater, priority than other technology and information-related proposals. The placement of the CISO and supporting security staff in organizational hierarchies is the subject of current debate across the industry.

Information Security Project Team

The information security project team should consist of a number of individuals who are experienced in one or more of the required technical and nontechnical areas in the software development industry. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team fill the following roles:

Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
Team Leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
Security Policy Developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Risk Assessment Specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Security Professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
Systems Administrators: People with the primary responsibility for administering the systems that house the information used by the organization.
End Users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

1. Data Owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

2. Data Custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

3. Data Users: End users who work with the information to perform their assigned roles supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Conclusion: Information security is best initiated from the top down, so senior management is the key component and the vital force for a successful implementation of an information security program. But administrative support is also essential to developing and executing specific security policies and procedures, and technical expertise is of course essential to implementing the details of the information security program.

Tuesday, May 5, 2015

Methodologies for Information Security Awareness Program

Presenting a clear security awareness message to all employees in Software Development Companies can be achieved by a variety of methods, but not all of them are very effective and sometimes they do not meet the requirements of the organization. These methods, if implemented together, lead to a comprehensive security awareness program. The organization can also choose any one of them to address the most critical issue in the business without implementing a full-fledged security program. All of these methods carry the same core message: the employee's responsibility and behavior towards the security of the organization's information assets. Using different media and techniques to convey this message will hold the audience's attention; people are more attentive to something new than to the same communication type and method every time.

Here are some of the methods to convey the security awareness message across the organization:
  • Information security awareness training
  • Computer based information security awareness
  • Awareness services and reminder tools

1. Information Security Awareness Training

This is a very mature, well-tried and highly effective method to get users' attention in a classroom environment. It helps to explain the subject and its contents in an interactive way. The contents of the sessions can differ according to the audience profile. Usually the security awareness audience can be divided into the following categories.

i. Management

The management is the ultimate and most important sponsor of the awareness program. It has a very specific need to understand the goals of the awareness program and the role security plays in achieving its business objectives.

The presentation to the management should focus on the security threats the organization may encounter in the short or long run. It should be clearly communicated to the management that without its support the organization and its employees will not be able to protect information assets. Below are some of the management mistakes that have to be highlighted in the presentation.
  • Ignoring security problems
  • Failing to realize the value of their information and reputation
  • Relying primarily on technology/products
  • Failing to deal with the operational aspects of security
  • Failing to understand the relationship of information security to their business
  • Not providing training/time to their staff
  • Always expecting a quick and visible return on investment when implementing a solution

ii. End Users

End users are usually not responsible for the overall protection of information in IT companies, but they must secure the work environment and the information they deal with. End users are involved in day to day activities and use data to perform their jobs. This type of audience requires a detailed understanding of information security threats, the damage those threats cause and the solutions to mitigate that damage. They should also be familiar with the policies and procedures that will help them ensure both performance and security.

The underlying message that should be communicated to end users is: consult your information security department whenever something goes wrong or whenever you have questions. Here are some of the mistakes of end users that should be highlighted in the presentation.
  • Violating the security policy
  • Opening unsolicited e-mail attachments
  • Installing software from unknown sources
  • Visiting suspicious web sites
  • Not reporting security incidents
  • Falling victim to social engineering

iii. Technical Staff

It is often assumed that technical people do not require security awareness: they are the ones who designed the system, so why should they be called to basic awareness sessions? The purpose of a security awareness session for technical people is to explain to them how technology is helping the business and what is needed to protect both the business and the technology.

Awareness sessions for technical people should be centered on the point that technology does not drive the business; it is the other way round. It is always the business that decides the need for technology.

As discussed earlier, a security awareness program is not one-size-fits-all; topics have to be customized according to the profile of the audience.

2. Computer Based Information Security Awareness

Some companies make the awareness program easy and accessible for users at all times. They design a computer application and install it on the company's network, where it is available all the time. With this self-learning approach employees can access it at their leisure and learn by themselves the topics that interest them. Such applications mainly consist of two basic modules and are compliant with the company's security policies. The first module is a self-assessment using a survey form. It helps users to assess where they are lacking in understanding the company's security policies and is a good technique for users to analyze their strengths, weaknesses and compliance with the company's awareness program. The second module is usually on the education of security issues; it helps users to learn the company's security policies and procedures.

Following are some of the topics which the education module should cover:
  • Password construction
  • Internet usage
  • Telephone fraud
  • Physical security
  • E-mail usage
  • Viruses
  • Desktop security
  • Social engineering
  • Identity theft

3. Awareness Services and Reminder Tools

As discussed many times before, security awareness is a continuous process and should be part of the employee's job description and work environment in Software Development Companies. Using reminder tools is one method to keep employees updated on security awareness topics and remind them from time to time.

Below are some of the reminder tools available; an organization can choose any or all of them according to its needs and acceptance.

i. Multimedia Presentation

A multimedia presentation on security awareness topics is a good and interactive tool. Employees can use it as a refresher on all the topics they have already covered in awareness training. It is also a great help for remote users, for whom organizing training is not cost effective.

ii. Security Booklet

Most people in the organization find it convenient to read a hard copy of the subject instead of a soft or electronic format. A booklet in this case is an effective tool to convey the information security awareness message, the organization's objective and the user's responsibility in protecting information assets. The booklet can also contain information security related pictures, quotes and case studies to educate employees.

iii. Security Posters

It is widely said that pictures and images are more effective for conveying a message across different types of community. People are more receptive to, and happier with, graphical representations. An organization can design posters on different security issues and themes and place them in public places such as the entry door, sports hall, dining hall, cafeteria, recreation room and near the water coolers. There are many web sites that offer free posters or free samples of them; you can simply download and print them.

iv. Computer Screen Saver

Screen savers are a good way to promote security messages. Almost all employees in an organization use computers and have screen savers that appear while the computer is idle. Screen savers can be built from security awareness messages, quotes or graphical representations of security related issues and installed on employees' computers. A customizable free screen saver from Microsoft Corporation is available.

v. Email Shots

The most cost effective tool to remind users about security awareness is an email message. Email is a widely used communication medium and most staff access email at least once a day. Sending periodic emails containing security awareness reminders is a good and effective tool.

vi. Promotional Items with Security Issues

Gift items and promotional tools like pencils, pens, erasers, notepads, mouse pads, key chains, cups or mugs can be printed with security wordings, quotes and pictures and distributed among people. This is also one of the motivational tools to remind employees of security issues.

vii. Security Newsletter

Many large organizations publish a monthly or quarterly official newsletter. Adding security related news and messages to that newsletter and giving a free copy to all employees can be an effective reminder. The newsletter can also be used as a motivational tool by naming a best employee of the month/quarter who won a prize for taking care of security issues or for participating actively in protecting the company's information assets.

Implementation of Information Security Awareness in an Organization

This post mainly focuses on the needs of an information security awareness program. Implementation of the program is the main task and delivers the final result. The post discusses implementation of an awareness program in Software Development Companies and some of the obstacles in implementation. It seems very difficult to involve employees and busy managers in programs that are not directly related to their job. This post describes the importance of the program, the employees' association with it, and the motivational factors that attract employees to be responsive to it. Protecting the information assets is required of, and is the responsibility of, all members of the organization.

It is management's and employees' responsibility to protect the company's information and resources. Implementation of the awareness program is also one of the responsibilities of both, at their respective levels. Everyone in the organization has an important role and should contribute to implementing the information security awareness and information protection program.

Implementation of Awareness Program: Management's Responsibility

Due diligence and due care are part of management's job. Managers are legally responsible and held accountable for the integrity and security of corporate data assets, just as they are for other assets of the corporation. Management has the final responsibility for implementing the awareness program, as it has the big picture of corporate activities and functions.

Since information security is part of due diligence and due care, management support for the awareness program is a critical factor and one of the most important contributors. It is management's responsibility to recognize the need for awareness and start implementation at the earliest.

Implementation of Awareness Program: Employees' Responsibility

No organization can run without its employees. They are the users of the data assets that are the soul of the organization's success and growth. Employees must understand the value of the information assets available on their network, computers and desks and be an active part of their protection. It is part of their job responsibilities and their legal duty.

“Organizations don’t change – people change. And then people change organizations.”

Without the involvement of employees at every level, a security program will not be implemented or enforced, and upper management will not be able to protect its information assets.

Implementation Techniques

There are mainly two techniques for an information security awareness program, and implementation can be done using either one or both of them.

1. Formal Technique
  • Security awareness tutorials/Training courses
  • Formal presentations of security policies
  • Professional articles in newsletters
2. Informal Technique
  • Brief newsletter articles
  • Quick notes
  • Screen savers
  • Posters
  • Physical reminders like mouse pads, pens etc.

Formal techniques of a security awareness program are more professional and directed towards the subject in IT companies of India. Informal methods have their own importance, as people pay more attention to pictures, artwork and physical things. To make a security awareness program successful and dynamic, use diagrams, pictures and symbols.

Delivering Security Awareness

Implementation can be delivered in-house, based on internal experience, understanding and knowledge, or outsourced to consultants who bring their own industry experience. Both internal and external resources can be utilized to benefit a program. The ultimate goal of any security awareness program must be to change the behavior of the people in the organization. Successful implementation of a security awareness program depends upon effective communication and delivery of the message and the subject. The main factors of success are:
  • Who is your audience?
  • What is the message you are planning to convey?
  • How will this message be communicated?
  • How often will this practice be repeated?

To achieve this you need a strategy, which might include a logo, slogan, common look-and-feel and templates. This will not only enable you to deliver consistent and clear messages but will also enable your audiences to develop an understanding of what to expect. In addition, your audiences will be able to provide more valuable feedback on the information they receive.

Obstacles in Implementation

Implementation of security awareness is a troublesome task and might face many obstacles from users and at times from management as well. Implementation also depends upon the staff and consultants who lead it and who are the central point of communication for both management and employees of the organization.

Some of the obstacles that could affect successful implementation of a security awareness program:
  • No management support
  • Difficulty in interacting with users and changing their behavior and attitude
  • No user involvement in designing the awareness program
  • Too much information without regard to users' prior knowledge
  • Lack of dedicated resources to run the program
  • A one-size-fits-all approach
  • Employee turnover: the program could be discontinued midway as employees leave the company
  • Hiring and training new employees: sometimes it is difficult to conduct screening tests and involve new employees in the awareness program

Post-Implementation

As discussed in detail, security awareness is a continuous process that cannot be completed unless the necessary measures are taken to evaluate its success. You must get feedback from the participants and then update the program based on the results.

Post-implementation in Software Development Companies mainly deals with measurement, monitoring, effectiveness and execution of the program. It also addresses revision of the contents and methodology based on the results obtained from feedback, surveys and benchmarking.

Evaluation of Awareness Program

Evaluation helps to measure the success of the awareness program. It identifies the weaknesses and strengths of the program and is essential for understanding the audience's behavior and topics of interest.

Periodic evaluation is not an easy task and requires a lot of time and resources. Here are some of the techniques that can be used.
  • Count the number and type of incidents before and after the program
  • Survey the audience by distributing a questionnaire
  • Interview people individually and in groups
  • Benchmark the program against established standards
  • Count the number of people participating in the awareness program and compare it with the expected audience
  • Audit the awareness program and the team responsible for designing and implementing it

Evaluation of the awareness program is a must and gives the following results.
  • Statistics on the awareness level before and after the awareness program
  • Statistics on the awareness methods and topics of interest to the audience
  • Knowledge of whether the objectives and goals of the program have been achieved
  • A return on investment projection for management

Information Security Awareness Goals and Objectives

In Software Development Companies, we all know people are the weakest link in the chain and the source of many information security breaches within the organization. Before demanding information security from employees, the importance and criticality of the company's information should be conveyed to them. An educated and aware user is the foundation of a secure and reliable business environment.

Dealing with information security threats and incidents is not a technology issue but one of people's behavior. A critical factor in a successful and effective information security program is that it modifies how employees deal and interact with the company's policies and procedures. In many IT companies of India, the IT or security department is considered responsible for the security of information assets. This is a misconception, and it has to be communicated to employees that the IT department is not the only one responsible: information security is everyone's responsibility, at every level of the hierarchy.

An information security awareness program helps minimize the cost of security incidents, helps accelerate the development of new application systems in the software development industry, and helps assure the consistent implementation of controls across an organization's information systems.

The primary and foremost objective of any awareness program is to educate users on their responsibility to protect the confidentiality, availability and integrity of their organization's information.

One objective of an awareness program is to convey a simple, clear and presentable message in a format that is easily understood by the audience.

The awareness program’s objective is that users understand not only how to protect the organization’s information, but why it is important to protect that information.

The awareness program's goal is to get users' attention on information security policies and raise the awareness level of all security controls and practices in the organization.

One of the goals is to create a security culture across the organization and keep reminding employees of its importance and their contribution to it.

“Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.””

Information Security Awareness is a Business Need

In today's business environment most Software Development Companies rely on electronically exchanged information. All departments need to produce and pass information across different departments quickly and securely to support their business decisions. Information plays an important role in decision making. Therefore commercial companies and even government departments classify data differently based on its importance and use.

Business success depends upon continuity of operations and the information provided to business processes by information systems. The growth, excellence and efficiency of the business could be damaged by threats to and misuse of information. Therefore, an awareness program basically helps to set measures and educate users on how to behave and benefit from information without jeopardizing its confidentiality, integrity and availability.

Employees are the primary users of information. A lack of awareness and mishandling of information could expose it to competitors or corrupt it. If this information is freely available, the following could be some of the impacts on the company and its business functions:
  • Easily available information can be used by competitors to design strategies and launch new products with more features
  • The company's credibility can be damaged by the disclosure
  • Customer confidence can be lost
  • Competitors are helped to gain more market share
  • Suppliers and partners would be wary of dealing with the company
  • Noncompliance with government and industry laws and standards
  • Employees will lose trust and look for other opportunities

In today's competitive business environment, a good reputation in the market and legal compliance are major concerns for Software Development Companies. Suppliers, partners and even clients ask for proof of information security before making any transaction. They want to make sure that all the information given to the company will be protected and used only for the purpose for which it is provided.

Therefore successful and responsible Outsourcing Companies in India need to have well written security policies and procedures, run an information security awareness program on a continuous basis, and be conscious of protecting their information assets. Implementing a strong information security awareness program can be a very effective method to protect critical business secrets, and it will help employees to understand:
  • Why they need to take information security seriously
  • What they gain from active participation and support
  • How a secure environment helps them complete their assigned tasks

Note: The success of the awareness program depends upon management's consent and continuous support.


Introduction to Information Security Awareness

Information is considered the lifeblood of a successful and profitable business, and the employees of the organization work as the veins through which this information passes. Confidentiality, availability and integrity of information are therefore directly related to employees' behavior towards information. Most companies think information security is a technical issue and do not consider the involvement of employees in ensuring continuous security of information. Organizations may have components of an information security awareness program, but without proper management of the needed resources they will not be able to complete it properly and continue to be successful. Identifying and bringing together all available components to develop an effective information security awareness program can be a difficult and overwhelming task.

Information security is the protection of information against fault, disclosure and manipulation.

In Software Development Companies in India, it is commonly accepted that the majority of security violations are due to human interaction rather than technology faults. Yet companies depend on, and give a lot of consideration to, technology and usually forget the participation of human beings in the system. Organizations usually use the very best products and technology for the protection of information and infrastructure but ignore the human contribution and role in securing organizational assets. Companies make the mistake of equating information security with products and technology, although it is a process that needs human interaction and involvement. There is no such thing as 100% security, but we try to maximize its level through an awareness program and human involvement in the process.

A simple definition of the three security pillars follows. If any one of them is missing, that is a flaw and goes against information security measures.

Confidentiality: Only authorized people can see the information, e.g. you are the only one authorized to see your bank statement.

Integrity: Information has not been changed either in transit or in storage; only authorized people can change it, e.g. you can see your bank statement but are not authorized to change it as you wish.

Availability: Information is available when and where it is needed, e.g. you can get money from an ATM when you want to buy things.

Information security awareness is the education and awareness of users so that they can handle information security threats and minimize their impact. An awareness program basically focuses attention on information security issues like confidentiality, integrity and availability. It highlights the importance of these factors and their role in the business, and finally concentrates on how to handle them with confidence.

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”

Information security awareness is a method used to educate people in the IT industries in India. It highlights the importance of information, the threats to that information and the staff's contribution in implementing policies and procedures for the protection of information. An awareness program is an attempt to change the behavior of employees towards systems and processes in the organization. It teaches what needs to be protected, against whom and how.