Security Policy and Awareness
Lexicon IT Security will work with you to understand your business requirements and evaluate the effectiveness of your existing security policies, standards, guidelines, and procedures. Lexicon IT Security can work with you to establish security processes that support business goals and objectives.
Each day organizations are faced with an increasing number of threats. While hackers and viruses are attacking from the Internet, social engineers or disgruntled employees may be circumventing security from within. A formal security awareness program is required to help address these threats by educating employees. The primary goal of the program should be to teach employees to recognize threats and vulnerabilities and respond to them appropriately.
An awareness program should begin with the support of senior management. Ideally the CEO launches the program by sending an e-mail. The CEO's message should briefly summarize threats and state that security is the responsibility of everyone in the organization.
The next step is to create or revise the organization's security policies and require employees to sign them. Job descriptions and performance reviews must also include security responsibilities. All employees should attend an annual security briefing and receive an awareness handbook.
Distribute security awareness tips by e-mail about once every two weeks. Tips should advise of best practices and reinforce policy. Here are a few topics to start off with:
- Viruses
- Passwords
- Workstation Security
- Continuity
- Destruction of sensitive materials
- Systematic removal of access
- Laptops
- Operation Security
- Backups
- Social Engineering
Additional training methods include luncheons, a security web site and awareness posters. Each location should have a security representative to assist in the security awareness program and address security incidents. An information security day or month is another effective way to bring security to the forefront of everyone's mind.
Security audits also raise awareness. Consider implementing office space reviews and annual self-assessment surveys. The key is to make security a part of everyone's day without being obnoxious or repetitive. An awareness program requires creativity and constant care and feeding.
An awareness program cannot be conducted in a vacuum. Ensure that security does not negatively impact productivity. Consider the current security culture and choose your battles. It takes time to make a change. Lastly, lead by example. If you believe in security and explain why, it is much easier to bring others around to your way of thinking.