This blog mainly focuses on the needs of an information security awareness program. Implementing an information security awareness program is the central task, and it is the implementation that determines the final result. The blog discusses the implementation of an awareness program in software development companies and some of the obstacles encountered along the way. It is often very difficult to involve employees and busy managers in programs that are not directly related to their jobs. This blog describes the importance of the program, how employees relate to it, and the motivational factors that encourage employees to respond to it. Participation is required, and it is the responsibility of every member of the organization to protect its information assets.
It is the responsibility of both management and employees to protect the company's information and resources. Implementing the awareness program is also a responsibility of both, each at their own level. Everyone in the organization has an important role and should contribute to implementing the information security awareness and information protection program.
Implementation of Awareness Program: Management's Responsibility
Due diligence and due care are part of management's job. Management is legally responsible and held accountable for the integrity and security of corporate data assets, just as it is for the other assets of the corporation. Management has the final responsibility for implementing the awareness program, as it has the big picture of corporate activities and functions.
Because information security is part of due diligence and due care, management support for the awareness program is a critical success factor and one of its most important contributors. It is management's responsibility to recognize the need for awareness and to start implementation at the earliest opportunity.
Implementation of Awareness Program: Employee's Responsibility
No organization can run without its employees. They are the users of the data assets that are the soul of the organization's success and growth. Employees must understand the value of the information assets on their network, computers and desks, and be an active part of protecting them. This is part of their job responsibilities and a legal duty.
“Organizations don’t change – people change. And then people change
organizations.”
Without the involvement of employees at every level, a security program will not be implemented or enforced, and upper management will not be able to protect the organization's information assets.
Implementation Techniques
There are two main techniques for delivering an information security awareness program, and implementation can use either one or both of them.
1. Formal Technique
- Security awareness tutorials/Training courses
- Formal presentations of security policies
- Professional articles in newsletters
2. Informal Technique
- Brief newsletter articles
- Quick notes
- Screen savers
- Posters
- Physical reminders like mouse pads, pens etc.
Formal techniques are more professional and address the subject directly, and they are the usual approach in IT companies in India. Informal methods have their own importance, as people pay more attention to pictures, artwork and physical objects. To make the security awareness program successful and dynamic, use diagrams, pictures and symbols.
Delivering Security Awareness
Implementation can be delivered in-house, based on the organization's own experience, understanding and knowledge, or outsourced to consultants who bring their own industry experience. Both internal and external resources can be used to benefit a program. The ultimate goal of any security awareness program must be to change the behavior of the people in the organization. Successful implementation depends on effective communication and delivery of the message and the subject. The main factors of success are:
- Who is your audience?
- What is the message you are planning to convey?
- How will this message be communicated?
- How often will this practice be repeated?
To achieve this, you need a strategy, which might include a logo, a slogan, a common look-and-feel and templates. This will not only enable you to deliver consistent and clear messages, but will also enable your audiences to develop an understanding of what to expect. In addition, your audiences will be able to provide more valuable feedback on the information they receive.
Obstacles in Implementation
Implementing security awareness is a troublesome task and may face many obstacles from users and, at times, from management as well. Implementation also depends on the staff and consultants who lead it, as they are the central point of communication for both management and the employees of the organization.
Some of the obstacles that could affect the successful implementation of a security awareness program are:
- No management support
- Interaction with users: it is difficult to change their behavior and attitude
- No user involvement in designing the awareness program
- Too much information delivered without regard to users' prior knowledge
- Lack of dedicated resources to run the program
- A one-size-fits-all approach
- Employee turnover: the program could be discontinued midway as employees leave the company
- Hiring and training new employees: it is sometimes difficult to conduct a screening test and involve new employees in the awareness program
Post-Implementation
As discussed in detail, security awareness is a continuous process that cannot be considered complete unless the necessary measures are taken to evaluate its success. You must get feedback from the participants and then update the program based on the results.
Post-implementation in software development companies mainly deals with measurement, monitoring, effectiveness and execution of the program. It also covers revision of the content and methodology based on the results obtained from feedback, surveys and benchmarking.
Evaluation of Awareness Program
Evaluation helps to measure the success of the awareness program. It identifies the weaknesses and strengths of the program and is essential for understanding the audience's behavior and topics of interest.
Periodic evaluation is not an easy task and requires a lot of time and resources. Here are some of the techniques that can be used.
- Count the number and type of incidents before and after the program
- Survey the audience by distributing a questionnaire
- Interview people individually and in groups
- Benchmark the program against established standards
- Count the number of people participating in the awareness program and compare it with the expected audience size
- Audit the awareness program and the team responsible for designing and implementing it
Evaluation of the awareness program is a must and gives the following results.
- Statistics on the awareness level before and after the awareness program
- Statistics on the awareness methods and topics that interest the audience
- Evidence of whether the objectives and goals of the program have been achieved
- A return on investment projection for management