Educate Staff and Security Personnel xxxiii
Introduction
Educate Staff and Security Personnel
According to National Institute of Standards and Technology (NIST) Publication SP800-12 [18], the purpose of computer security awareness, training, and education is to enhance security by:
Improving awareness of the need to protect system resources;
Developing skills and knowledge so computer users can perform their
jobs more securely; and
Building in-depth knowledge, as needed, to design, implement, or
operate security programs for organizations and systems.
Making computer system users aware of their security responsibilities
and teaching them correct practices helps users change their behavior. It
also supports individual accountability, which is one of the most important
ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable
for their actions. The importance of this training is emphasized in the
Computer Security Act, which requires training for those involved with the
management, use, and operation of federal computer systems.
Awareness stimulates and motivates those being trained to care about
security and reminds them of important security practices. Explaining what
will happen to an organization, its mission, its customers, and its employees
when security fails often motivates people to take security more seriously.
Awareness can take on different forms for particular audiences. Appropriate
awareness for management officials might stress management's pivotal role
in establishing organizational attitudes toward security. Appropriate aware-
ness for other groups, such as system programmers or information analysts,
should address the need for security as it relates to their job. In today's systems environment, almost everyone in an organization may have access to
system resources, and therefore may have the potential to cause harm.
Both dissemination and enforcement of policy are critical issues that are
implemented and strengthened through training programs. Employees can-
not be expected to follow policies and procedures of which they are
unaware. In addition, enforcing penalties may be difficult if users can claim
ignorance when they are caught doing something wrong. Training employ-
ees may also be necessary to show that a standard of due care has been taken
in protecting information. Simply issuing a policy, with no follow-up to implement that policy, may not suffice. Many organizations use acknowledgment statements that employees sign to indicate that they have read and
understand computer security requirements.
Awareness is used to reinforce the fact that security supports the mission
of the organization by protecting valuable resources. If employees view
security as just bothersome rules and procedures, they are more likely to
ignore security policies. In addition, they may not make needed suggestions
about improving security, nor recognize and report security threats and vul-
nerabilities. Awareness is also used to remind people of basic security prac-
tices, such as logging off a computer system or locking doors. A security
awareness program can use many teaching methods, including videotapes,
newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short
reminder notices at login, talks, or lectures. Awareness is often incorporated
into basic security training and can use any method that can change
employees’ attitudes. Effective security awareness programs need to be
designed with the recognition that people tend to practice a tuning-out
process (also known as acclimation). For example, after a while, a security
poster, no matter how well designed, will be ignored; it will, in effect, sim-
ply blend into the environment. For this reason, awareness techniques
should be creative and frequently changed.
Security education is more in-depth than security training and is tar-
geted for security professionals and those whose jobs require expertise in
security. Security education is normally outside the scope of most organizations' awareness and training programs. It is more appropriately a part of
employee career development. Security education is obtained through col-
lege or graduate classes, or through specialized training programs. Because
of this, most computer security programs focus primarily on awareness. An
effective Computer Security Awareness and Training (CSAT) program
requires proper planning, implementation, maintenance, and periodic eval-
uation. The following seven steps constitute one approach for developing a
CSAT program:
Step 1: Identify Program Scope, Goals, and Objectives
Step 2: Identify Training Staff
Step 3: Identify Target Audiences
Step 4: Motivate Management and Employees
Step 5: Administer the Program
Step 6: Maintain the Program
Step 7: Evaluate the Program
Crafting Corporate Social Engineering Policy
When you begin the process of building a corporate policy for social engi-
neering, there are several important considerations that need to be included
in the policy. Ensure that employees are aware of the data they are making
available to others and what hackers might do with the knowledge they gain
from that data. Train end users in the proper handling of social engineering
tactics such as:
Dumpster-diving
Phone calls
E-mail
IM (Instant Messaging)
Onsite visits
Teach employees how to prevent intrusion attempts by verifying identi-
fication, using secure communications methods, reporting suspicious activ-
ity, establishing procedures, and shredding corporate documents. It is
important to define a simple, concise set of established procedures for
employees to report or respond to when they encounter any of these types
of attacks.
It is a good idea to periodically employ external consultants to perform
audits and social engineering attempts to test employees and the network
security readiness of your organization. Schedule these external audits so that their timing cannot become predictable, for example by rotating the month within each quarter in which an audit occurs. If your external audits are conducted semiannually, the first audit of the year may occur in month one of quarter one and the next in month three of quarter three. The following year, rotate to different months, or even shift to quarters two and four. The point is not which months and quarters the audits fall in, but that they are scheduled in an unpredictable fashion that only you and a trusted few will know.
Privacy Standards and Regulations
There has been a lot of activity on the national legislative front over the last
couple of years, specifically regarding the protection of information that is unique to the individual. This type of information is regarded as a basic element of our right to privacy and companies are being required to take
(sometimes costly and arduous) steps to protect it. Failure to do so can have
serious repercussions. Insurance companies, health care providers, financial
institutions, service providers, retailers, telemarketing organizations, com-
munications providers, and so on all have a part to play in protecting an
individual’s right to privacy. The next few sections will highlight some of
the more relevant changes made in the last few years.
NAIC Model Act
Beginning in the early 1980s, the National Association of Insurance Commissioners [19] (NAIC) recognized the importance of protecting the privacy of
their customers. With the adoption of the Insurance Information and
Privacy Protection Model Act, the NAIC established a standard for disclo-
sure of insurance consumers’ personal information, including financial and
health information. Currently, 13 states have laws based on this 1982
Model Act. The NAIC believes the state laws based on this model act are
generally more protective of consumer privacy than the privacy provisions
of the Gramm-Leach-Bliley Act (GLBA) discussed in the next section.
In 1998, the NAIC turned its focus specifically to the privacy of per-
sonal health information. The Health Information Privacy Model Act was
developed primarily to give guidance to Congress and the U.S. Department
of Health and Human Services, both of which were considering health
information privacy protections under the Health Insurance Portability
and Accountability Act (HIPAA).
In February 2000, the NAIC established the Privacy Issues Working
Group in order to give guidance to state insurance regulators in response to
the enactment of the GLBA, which required state insurance regulators to
promulgate regulations enforcing consumer privacy protection laws. On
September 26, 2000, the Privacy of Consumer Financial and Health
Information Model regulation was adopted by the NAIC.
In 2001, the NAIC reconvened the Privacy Issues Working Group. This
group was tasked to increase dialogue among regulators and interested par-
ties who were concerned about privacy standards and regulations, as they
deeply affected the conduct of operations for these insurance carriers. One
of the principal missions of the Privacy Issues Working Group was to serve
as a forum for regulators, industry, and individual consumers. This forum
allowed participants to discuss the questions and issues that arose as the
states interpreted and began enforcement of their privacy protections. To stay abreast of the states' efforts and to be consistent in their approaches to
privacy protection, the Privacy Issues Working Group established a goal to
agree on uniform responses to such questions, because many of these issues
would be repeated in multiple states. The Privacy Issues Working Group's
analysis of particular issues and responses to questions has served as guid-
ance to all NAIC members.
In March 2002, the Privacy Issues Working Group adopted a document
entitled Informal Procedures for Consideration of Privacy Questions.
These procedures were developed as part of an effort to be responsive to
interested party concerns about the drafting and adoption of Question and
Answer (Q&A) documents among NAIC members. The informal proce-
dures are a reflection of the evolving efforts of the Privacy Issues Working
Group to ensure that members and other interested parties are well
informed of the process for consideration of privacy issues.
In early 2002, content found within financial institutions’ privacy
notices and the degree to which consumers were opting out from disclo-
sure received a great deal of attention. In an effort to make these privacy
notices worthwhile for consumers and industry, and to realize the intent of
Congress and the regulators who put these protections in place, the NAIC
formed a subgroup, the Privacy Notice Subgroup, whose task was to draft
a plain language model for privacy notices. The Privacy Notice Subgroup
began working closely with interested parties to draft samples that make
privacy notices more understandable for consumers, while ensuring a high
degree of uniformity and compliance with the requirements of the NAIC
model privacy regulation for industry. At an annual meeting held in the
fall of 2002, the Privacy Notice Subgroup distributed a draft report to the
Privacy Issues Working Group and urged recipients to examine the report
and submit comments to NAIC staff for inclusion in the final report. The
draft report outlined specific suggestions to improve privacy notices,
including use of simpler sentences, clearer terminology, and easy-to-read
formatting. The NAIC has been at the forefront of establishing privacy protections and is likely to remain so for some time.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act [20] (GLBA) was enacted as Public Law 106-
102 on November 12, 1999. This law was intended to enhance competi-
tion in the financial services industry by providing a prudential framework
for the affiliation of banks, securities firms, insurance companies, and other
financial service providers. The GLBA is enforced by several different agen-
cies, depending on the type of financial business involved. Most depository