Tuesday, May 5, 2015

Implementation of Information Security Awareness in an Organization

This blog mainly focuses on the need for an information security awareness program. Implementing such a program is a major task and determines the final result. The blog discusses implementation of an awareness program in Software Development Companies and some of the obstacles in implementation. It is very difficult to involve employees and busy managers in programs that seem unrelated to their job. This blog describes the importance of the program, the association of employees with it, and the motivational factors that attract employees to be responsive to it. Protecting the information assets is required and is the responsibility of all members of the organization.

It is the responsibility of both management and employees to protect the company’s information and resources. Implementation of the awareness program is also one of the responsibilities of both, at their respective levels. Everyone in the organization has an important role and should contribute to implementing the information security awareness and information protection program.

Implementation of Awareness Program: Management's Responsibility

Due diligence and due care are part of management’s job. Management is legally responsible and held accountable for the integrity and security of corporate data assets, just as it is for the other assets of the corporation. Management has the final responsibility for implementation of the awareness program, as it has the big picture of corporate activities and functions.

Because information security is part of due diligence and due care, management support for the awareness program is a critical factor and one of the most important contributors to its success. It is management’s responsibility to recognize the need for awareness and start implementation at the earliest.

Implementation of Awareness Program: Employee's Responsibility

No organization can run without its employees. They are the users of the data assets, which are the soul of the organization’s success and growth. Employees must understand the value of the information assets available on their network, computers and desks and be an active part of their protection. It is part of their job responsibilities and their legal duty.

“Organizations don’t change – people change. And then people change organizations.”

Without the involvement of employees at each level, a security program will not be implemented or enforced, and upper management will not be able to protect its information assets.

Implementation Techniques

There are two main techniques for an information security awareness program, and implementation can use either one or both of them.

1. Formal Technique
  • Security awareness tutorials/Training courses
  • Formal presentations of security policies
  • Professional articles in newsletters
2. Informal Technique
  • Brief newsletter articles
  • Quick notes
  • Screen savers
  • Posters
  • Physical reminders like mouse pads, pens etc.

Formal techniques of a security awareness program are more professional and more directly focused on the subject in IT companies of India. Informal methods have their own importance, as people pay more attention to pictures, artwork and physical things. To make the security awareness program successful and dynamic, use diagrams, pictures and symbols.

Delivering Security Awareness

Implementation can be delivered in-house, based on the organization’s own experience, understanding and knowledge, or outsourced to consultants who bring their own industry experience. Both internal and external resources can be utilized to benefit a program. The ultimate goal of any security awareness program must be to change the behavior of the people in the organization. Successful implementation of a security awareness program depends upon effective communication and delivery of the message and the subject. The following are the main factors of success:
  • Who is your audience?
  • What is the message you are planning to convey?
  • How will this message be communicated?
  • How often will this practice be repeated?

To achieve this you need a strategy which might include a logo, slogan, common look-and-feel and templates. This will not only enable you to deliver consistent and clear messages, but will also enable your audiences to develop an understanding of what to expect. In addition, your audiences will be able to provide more valuable feedback on the information that they receive.

Obstacles in Implementation

Implementation of security awareness is a troublesome task and might face many obstacles from the users and, at times, from management as well. Implementation also depends upon the staff and consultants who are leading it and are the central point of communication for both the management and the employees of the organization.

Some of the obstacles that could affect successful implementation of a security awareness program:
  • No management support
  • Interaction with users; it is difficult to change their behavior and attitude
  • No user involvement in designing the awareness program
  • Too much information without prior knowledge of the users
  • Lack of dedicated resources to run the program
  • One-size-fits-all approach
  • Employee turnover; the program could be discontinued midway as employees leave the company
  • Hiring and training new employees; sometimes it is difficult to conduct a screening test and involve new employees in the awareness program

Post-Implementation

As discussed in detail, security awareness is a continuous process that cannot be considered complete unless the necessary measures are taken to evaluate its success. You must get feedback from the participants and then update the program based on the results.

Post implementation in Software Development Companies mainly deals with measurement, monitoring, effectiveness and execution of the program. It also addresses revision in the contents and methodology based on the results obtained from feedback, surveys and benchmarking.

Evaluation of Awareness Program

Evaluation helps to measure the success of the awareness program. It identifies the weaknesses and strengths of the program and is essential for understanding the audience’s behavior and topics of interest.

Periodic evaluation is not an easy task and requires a lot of time and resources. Here are some of the techniques which can be used.
  • Count the number and type of incidents before and after the program
  • Survey the audience by distributing a questionnaire
  • Interview people individually and in groups
  • Benchmark the program against established standards
  • Count the number of people participating in the awareness program and compare it with the expected size of the audience
  • Audit the awareness program and the team responsible for designing and implementing it

Evaluation of the awareness program is a must and gives the following results.
  • Statistics of the awareness level before and after the awareness program
  • Statistics on the awareness methods and topics interesting to the audience
  • Knowledge of whether the objectives and goals of the program have been achieved or not
  • Return on investment projection for the management
