Recommended Information Security Policies

Information security policies will vary greatly across organizations because all organizations are different. They have different business goals. Their security needs are not the same. Their cultures are different.

The list of information security issues to address in a policy is endless. However, all organizations face some basic security issues. They should create policies to address these issues. The basic policies that organizations should consider include:

  • Acceptable use policies
  • Anti-harassment policies
  • Workplace privacy and monitoring policies
  • Data retention and destruction policies
  • Intellectual property policies
  • Authentication and password policies
  • Security awareness and training policies

These policies address use of IT resources and the data in those resources. Often information security and human resources (HR) departments will work together on some of these policies. Business and auditing offices might help administer some of these types of policies.

Acceptable Use Policies

An organization uses an acceptable use policy (AUP) to tell employees how to properly use organizational IT resources. Organizations should consider drafting an AUP because IT resources are valuable business assets. They are often expensive to buy and maintain. They also contain data that is valuable to the organization.

Organizations provide employees access to IT resources to support business goals. In addition to system access, many organizations give their employees email accounts and internet access. Some also give their executives mobile devices. Although employees are supposed to use these resources for business purposes, that is not always the case. Employees can use these resources in many non-business ways. Some of these uses include:

  • Sending and receiving personal emails at a work email address
  • Chain mail and hoax email messages sent around the office
  • Non-business internet use (such as online shopping)
  • Accessing social networking sites during work hours
  • Downloading free software (or pirated software) for business or non-business use
  • File sharing throughout a workplace or over the internet

Improper use of an organization’s IT resources can be costly. It can result in information security compromises, introduce malware onto IT systems, or lead to unintentional data loss. An organization might be legally responsible for an employee’s misuse of IT resources in some instances. Non-business use of IT resources can also distract employees and can lead to lost productivity.

An AUP can help prevent some of these issues. An AUP is a code of conduct that states permitted uses of IT resources. It also lists prohibited actions. Finally, it states the consequences for violating the acceptable use rules. An AUP is one of the most important information security policy documents. It can help prevent a wide range of activities that could harm the organization’s IT resources.

An AUP can address several concerns, including personnel, legal, and information security issues. HR departments like AUPs because they help promote workplace productivity. They also want to make sure that employees are not accessing or sharing objectionable electronic materials. Such behavior can cause severe disruptions in the workplace. In some instances, it also can subject the organization to liability for its employees’ actions. For instance, an employer can be held responsible in some cases where an employee is using IT resources to harass other individuals. AUPs give HR departments a rules-based reason to terminate employees who use IT resources inappropriately.

Would an AUP Help in This Situation?

The “I Love You” or “Love Bug” worm was discovered in May 2000. At the time, it was thought to be one of the largest and most destructive computer worms ever. It spread via email messages with “ILOVEYOU” in the subject line. The messages included an attachment disguised as a love letter. Once a user opened the attachment (and who would not open a love letter?), the worm infected the user’s computer. It sent itself to everyone in the user’s email address book and destroyed computer files. It also searched for sensitive information and sent it back to its creator.

At one point, industry experts estimated that the worm affected computers at more than 80 percent of U.S. businesses. Could an information security policy have helped stop the spread of the worm? What if an AUP stated that employees could not open email attachments that they were not expecting? What if the consequence for opening that type of attachment included job termination? Would that have helped in this case?

FYI

Lost productivity is not a new issue for organizations. Coffee breaks and water-cooler chats have always been productivity concerns. The internet, with its easy access to non-work-related information and entertainment, is a relatively new nuisance.

Legal departments use AUPs to help an organization meet regulatory responsibilities. They also use them to help limit an organization’s legal liability. For instance, an AUP can state that employees may not use unlicensed software on their computers. This helps protect the organization from copyright infringement claims. An organization protects itself in these cases by pointing to its AUP and showing that the employee violated it. If the AUP forbids the action, the legal department has evidence that the employee acted in violation of company rules. This helps create a legal defense.

Information security departments also are interested in making sure that an organization has a well-written AUP. Improper use of IT resources can have information security consequences. Employees surfing the internet, exchanging personal emails, or visiting social networking sites are consuming network bandwidth. They may be using valuable network storage space for non-business content such as music or pictures.

Their activities also could introduce malware onto the organization’s IT systems. Malware could compromise data and have wide-ranging consequences. At a minimum, productivity is hampered while IT departments work to remove the malware. At its worst, the malware could transmit sensitive organizational information to external attackers. It also could expose personally identifiable information. The disclosure of that type of information could trigger state breach notification laws.

AUPs also address internal employee threats. For example, employees can potentially use their access to IT resources to snoop, spy on, or steal from the organization. They also could spy on other employees. Disgruntled employees could use their access to sabotage IT resources and data. An AUP specifically prohibits these actions. An organization can fire an employee for violating an AUP.

AUP Terms

An organization protects against these concerns by having a written AUP. Some general terms that you see in AUPs include:

  • IT resources are provided for business use only.
  • Employees must use IT resources and data on them for business purposes only.
  • Employees must not tamper with IT resources or data on those resources.
  • Employees should not access any data they do not have a business reason to see.
  • No personal use of organizational IT resources is allowed.
  • Do not use IT resources to circumvent security measures.
  • IT resources may be monitored to ensure employee compliance.
  • Use of IT resources is evidence of the employee’s consent to the terms of the AUP.

AUPs may also include terms about a particular type of IT resource, such as email or internet use. Some organizations include these terms in one broad AUP. Other organizations may create a separate AUP for each type of technology. Common email and internet AUP terms include:

  1. Do not send email with sensitive organization information to external recipients.
  2. Do not send email with sensitive organization information to internal recipients unless they have a business need to have that information.
  3. Do not send email with offensive text, pictures, or links to offensive websites. Content is offensive if it is demeaning based on race, gender, national origin, disability, religion, or politics.
  4. Do not open email attachments from unknown senders. Do not open email messages with unexpected attachments.
  5. Do not click on embedded links in an email from unknown senders.
  6. Do not download files from the internet without permission from a business supervisor and the information security department.
  7. Do not use file-sharing applications or services without permission from a business supervisor and the information security department.
  8. Do not use IT resources to access the internet to view offensive material.
  9. Do not use IT resources to access the internet to visit social networking sites.
  10. Do not use IT resources for online shopping or any other personal activity.
  11. Do not use IT resources to engage in activity that violates the law.

Mobile devices such as cell phones, smartphones, and personal digital assistants (PDAs) pose special information security threats. They are small, pocket-sized computing devices. Use of mobile phones is rising. A 2019 Pew Research Center report found that 96 percent of U.S. adults have cell phones or smartphones. Thirty-eight percent of U.S. adults mostly use their smartphones to access the internet.6

Many people buy their own mobile devices and use them for work purposes, although organizations sometimes give their employees mobile devices. These devices pose security threats because they can access or store an organization’s sensitive information. Employees can use these devices to browse the internet, send and receive email, and view documents. The computing capacity of these devices continues to grow. They can store large amounts of data. Many of the same types of malware that infect larger IT resources also can harm these devices.

Mobile devices also are a vulnerability because of their portable nature. People can easily lose or misplace their mobile devices. They are also easy to steal. A lost or stolen mobile device can put an organization’s data at risk.

An AUP places controls on the use of mobile devices for business purposes. In addition to terms about email and internet use, an AUP might have specific terms about mobile devices:

  • Mobile devices that are used to access organizational resources or data must be password protected.
  • Mobile devices (whether provided by the organization or purchased by an employee and used for business purposes) must not store sensitive organizational information.
  • Employees must immediately report the loss of a mobile device used to access organizational resources.

Organizations typically make employees aware of their AUPs when the employees begin employment. They may print it in an employee handbook. Organizations may ask employees to read the AUP. They also might ask employees to sign an acknowledgment form that states the employee understands and agrees to follow the rules in the AUP. The acknowledgment also might state that an employee understands the consequences for failing to follow an AUP.

Organizations should require employees to review the AUP yearly. They also must require that employees review the AUP any time it is revised. They may ask employees to sign a new acknowledgment form at that time. This helps the organization make sure that employees are aware of their responsibilities.

Enforcement

The 2007 Electronic Monitoring and Surveillance Survey found that 28 percent of employers have fired employees for email abuse. The same survey said that of those employees fired for email abuse, 64 percent were fired for violating company policy.7 An AUP must specify the consequences for violating it. Consequences for violating an AUP can include:

  • Suspension of access to IT resources
  • Limited access to IT resources
  • Employee reprimand
  • Employment suspension
  • Employment termination
  • Referral to law enforcement

Modest AUP violations may result in a reprimand or retraining on the AUP terms. In some cases, an organization may choose to suspend an employee’s access to IT resources for a period of time. Suspending access to IT resources can be a drastic response to a violation if an employee’s job role requires IT access. An organization could fire an employee for a particularly harmful AUP violation. AUP violations that amount to criminal conduct should be reported to law enforcement. For example, an organization should notify the police if an employee uses its IT resources to launch a malware attack.

It can sometimes be hard for organizations to enforce their AUPs because many AUPs require employees to change their behaviors. AUPs are especially hard to enforce if an organization has no technical methods to monitor compliance. Most organizations depend on employees to police their own behavior. They may have a procedure for employees to report AUP violations.

Anti-Harassment Policies

Workplace harassment is a serious issue. Harassment is unwanted verbal or physical conduct that demeans or threatens a person. Some examples include:

  • Telling lewd, sexist, or racist jokes
  • Making racially derogatory comments
  • Making remarks about body shape, looks, or clothing
  • Staring at people in a suggestive manner
  • Making negative comments about a person’s religious beliefs
  • Threatening a person or his or her family with harm

Workplace harassment can violate federal law. This happens when the unwanted conduct is based on certain characteristics. The main law in this area is Title VII of the 1964 Civil Rights Act.8 It forbids workplace discrimination based on race, sex, religion, disability, and ethnicity. These are called immutable characteristics. A person cannot change them.

Title VII applies to most public and private employers. Employers with 15 or more employees must follow it. The law states that employers have a duty to prevent workplace discrimination, and to stop it if they know about it. Workplace discrimination and harassment claims are often tied together.

Workplace harassment has always been a major issue for employers. The rise of internet and email communications in the work environment adds complications because these channels give harassers a new way to reach victims. Emails shared among employees that have offensive, explicit, or violent content could lead to harassment claims. So could viewing offensive material on a work computer screen in a public area. Employee-downloaded screensavers on an organization’s computers can be a problem if they are offensive.

These activities raise legal liability when other employees are offended or feel harassed. Employees also could make tort claims against an employer for intentional infliction of emotional distress.

Employers use anti-harassment policies to help limit liability for workplace harassment. Many organizations develop no-tolerance policies, and many also use their AUPs to forbid offensive use of IT resources. However, the issue is serious enough that organizations should have a separate anti-harassment policy. Although an anti-harassment policy is not specifically an IT policy, it must address the use of IT to harass others. In addition to forbidding in-person harassment, the policy should state that an organization’s IT resources cannot be used to harass others.

Anti-harassment policies should contain the following elements:

  • Definition of harassment—It should define inappropriate conduct. This includes in-person and electronic interactions that are threatening, intimidating, or offensive in nature. Conduct is offensive if it is demeaning based on race, gender, national origin, disability, religion, or politics.
  • Reporting—The organization must give employees a way to report harassment. The reporting method must include alternatives if the alleged harasser is a victim’s direct supervisor.
  • Investigation—An organization must investigate harassment complaints. It must stop harassment when it has reasonable evidence that it is occurring.
  • No retaliation—The organization must make sure that it does not retaliate against employees who file harassment complaints. Retaliation is an adverse employment action made for a non-job-related reason. An organization may not take an adverse employment action against an employee who files a harassment complaint just because that employee filed a complaint.
  • Sanctions—The policy should state the consequences for violating the policy.

Information security personnel may participate in a harassment investigation and investigate whether the organization’s IT resources hold evidence related to the claim.

NOTE

In 2000, Dow Chemical Co. fired 74 employees for sending emails with pornography and violent images. It also disciplined more than 400 additional employees for similar actions. Dow had policies that prohibited employees from sending such emails.

The law allows victims to recover damages from their harassers. They also might be able to recover damages from the harassers’ employers if they failed to respond to harassment complaints. The law allows victims to receive compensatory damages. They also can receive punitive damages in some cases, which can be substantial.

Workplace Privacy and Monitoring Policies

Workplace privacy addresses an employee’s privacy rights at work. It is a controversial issue, because employees do not want to have their activities monitored. It can create feelings of distrust in a workplace.

Workplace privacy and monitoring is an area of law that is changing rapidly. For the most part, however, U.S. employees have few privacy rights in their use of an organization’s IT resources. An organization may monitor an employee’s work email and internet use in many instances. Monitoring is usually allowed if there is a legitimate business reason for it. Legitimate reasons to monitor email and internet access include:

  • Assessing employee productivity
  • Monitoring operational use of IT resources
  • Monitoring policy compliance
  • Monitoring the use of the organization’s intellectual property
  • Investigating allegations of wrongdoing
  • Managing risk and protecting against legal liability

The information security department is often involved in workplace monitoring activities. This department has the knowledge and ability to carry out an organization’s desire to monitor IT resource use.

Does Cyber Monday Pose a Productivity Problem?

Black Friday, the day after the U.S. Thanksgiving holiday, is the traditional start of the winter holiday shopping season. Stores and retailers often have sales on this day to encourage shoppers to visit stores and spend money.

Cyber Monday, the first Monday after the Thanksgiving holiday, is the cyber-equivalent to Black Friday. Many retailers noticed an increase in online sales on this day. They suggested that this was because employees used their employer’s computers and high-speed connections to shop online when they returned to work after the holiday. The National Retail Foundation reported that 83.3 million shoppers shopped online on Cyber Monday in 2019.9

How should an organization deal with Cyber Monday? What are the problems that it poses for productivity? What are the problems that it poses for information security?

Employers usually win employee legal challenges against monitoring of business email and internet use. To win these challenges, organizations must show that they had a legitimate business reason for monitoring IT resources. They also must show that they conducted the monitoring in a proper way.

Workplace privacy and monitoring policies are often combined. They inform employees that:

  • Their use of IT resources is not private.
  • Their use of IT resources is monitored.

Well-written policies give employees clear notice that they have no expectation of privacy in an organization’s IT resources. They give an employee notice that their use of IT resources will be monitored. They also might state why an organization monitors its IT resources. Finally, they should state that an organization does not waive its right to monitor IT resources even if it chooses not to do so all the time.

Data Retention and Destruction Policies

Data retention and destruction is a hot topic for many organizations. Data retention policies state how data is controlled throughout its life cycle. Laws and organizational policies help determine retention periods.

Data destruction policies state how data must be destroyed when it reaches the end of its life cycle. Organizations must destroy paper and electronic data when it is no longer needed. For electronic data, this means destroying it in primary and backup storage systems.

For both types of data, it means destroying it in such a way that it cannot be recovered. Data destruction policies are influenced by federal and state laws.

These policies help organizations cope with the large amounts of data that they use and produce. Without these policies, records management can be difficult. An organization might not know what types of data it has. It might not be able to find data when it needs it for business reasons. It might use too many resources to store data for longer than it must. Storage space for both paper and electronic data is a valuable resource.

Even if an organization has information security controls in place, data is still a vulnerability. It is vulnerable to external threats such as natural disaster or hackers. It is also vulnerable to unintentional acts committed by employees. For instance, employees can easily delete emails that they should keep. They also can save email that should have been deleted because there was no business reason to retain it.

To create data retention and destruction policies for electronic data, an organization must know how its IT resources work. It must know what data is stored on its IT systems, how to retrieve that data from those systems, and how to remove data from them.

Employee awareness is critical for successful data retention and destruction policies. Employees need to be well educated on data retention requirements. They also need to know how to properly file and maintain data that the organization must retain. Finally, they need to understand proper destruction methods. This is very important to avoid accidental disclosures of either paper-based or electronic media.

Data Retention Policies

Data retention policies define the types of data that an organization has. They also address where data is stored and how it is protected. They specify how long different types of data must be retained. These policies also are called document retention policies.

Different types of data have different retention periods. This period is usually driven by a combination of federal and state laws. It is also influenced by business needs. Externally, many federal and state laws govern what organizations can do with their data. These laws also state how long certain types of data must be kept. For example, organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA) have to retain certain types of data for 6 years.10

Laws are not the only factor affecting data retention. Organizations also have to think about data retention if they become involved in a lawsuit. Most federal and state courts have procedural rules that require organizations to maintain data if they are party to a lawsuit. This rule might apply even before an actual lawsuit. For example, an organization must retain paper and electronic data in situations where litigation against it is reasonably anticipated. If an organization does not maintain this data, it can be sanctioned by a court. Maintaining electronic data for this purpose can be very difficult. There are special rules to follow to maintain electronic evidence that might be used in a lawsuit. They are called E-discovery rules.

NOTE

State laws might require governmental agencies to retain financial or other types of data for different lengths of time. This is to meet state auditing requirements or comply with open records laws.

In addition to legal requirements, organizations keep data for business purposes. They keep it to conduct business, to market products, or to recover from a disaster. Organizations also preserve some types of data indefinitely. This might be because it has legal, fiscal, research, or historical value.

Data retention policies help an organization manage these competing concerns. A cross-functional team helps review and determine data retention requirements. This team should include experts who understand the legal requirements. Experts who know how the organization creates data should be on the team as well. The team must include experts who know the organization’s IT systems. This team must understand how the organization uses data and the threats to that data.

Data retention policies need to include the following elements:

  • Types of organizational data
  • Where that data is stored
  • How that data is protected
  • Legal, business, historical, or other reason for keeping that data
  • How long the data should be retained

A data retention policy must be matched with a data destruction policy. An organization must destroy data that it no longer must keep for business, archival, or historical purposes.

Data Destruction Policies

An organization creates data destruction policies to make sure that it destroys data properly. An organization’s data destruction process must work hand-in-hand with a data retention policy. The data destruction policy must include the following:

  • Identify data ready for destruction.
  • Specify proper destruction methods for different kinds of data or storage media.
  • Provide validation procedures to make sure data is properly destroyed.
  • Provide consequences for improper destruction.

Legal requirements can influence an organization’s data destruction policy. For example, the Gramm-Leach-Bliley Act (GLBA) requires that paper documents holding customer information be destroyed.11 It also states that data must be destroyed in such a way that it cannot be read or reconstructed. The law also requires that electronic data be destroyed or completely erased. State laws also may require organizations to destroy data in a certain way.

Data destruction policies must be consistently followed. This is important for normal maintenance reasons. It is easy to destroy data when it is done on a regular basis. Following a consistent process is critical if an organization is involved in a lawsuit. It helps protect an organization from claims that it intentionally destroyed evidence.
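The retention policy elements (data type, storage location, reason for keeping, retention period) and the destruction policy elements (identify data ready for destruction, choose a method per medium, validate, and respect litigation holds) can be turned into a repeatable check. The following Python script is an added example and is not part of the textbook or of any product it describes. Apart from the 6-year HIPAA figure cited above, every retention period, record ID, date, and the destruction log are constructed assumptions.

```python
"""Retention-schedule evaluator. Added example, not from the textbook: it applies a
retention schedule to a set of records, skips records under legal hold or kept
indefinitely, identifies records past their retention period, picks a destruction
method by medium, and flags destructions that were never validated. Retention
periods other than the HIPAA 6 years, record IDs, and dates are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed schedule: data type -> (retention period in years, reason for keeping).
# None means "retain indefinitely" (legal, fiscal, research, or historical value).
RETENTION_SCHEDULE = {
    "hipaa_documentation": (6, "legal: HIPAA"),                  # figure cited in the text
    "customer_financial_record": (7, "legal/fiscal (assumed)"),
    "marketing_campaign_email": (2, "business need (assumed)"),
    "founding_charter": (None, "historical value"),
}

# Destruction method by medium, chosen so destroyed data cannot be read or reconstructed.
DESTRUCTION_METHODS = {
    "paper": "cross-cut shred or incinerate",
    "electronic": "securely erase primary and backup copies",
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    media: str                 # "paper" or "electronic"
    created: date
    legal_hold: bool = False   # litigation pending or reasonably anticipated


def add_years(d, years):
    """Calendar-year offset; rolls Feb 29 back to Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_eligible_on(record):
    """Date the record may be destroyed, or None if it must be kept (indefinite retention or legal hold)."""
    years, _reason = RETENTION_SCHEDULE[record.data_type]
    if years is None or record.legal_hold:
        return None
    return add_years(record.created, years)


def due_for_destruction(records, today):
    """Identify records past their retention period and the destruction method for their medium."""
    due = []
    for record in records:
        eligible = destruction_eligible_on(record)
        if eligible is not None and eligible <= today:
            due.append((record.record_id, DESTRUCTION_METHODS[record.media]))
    return due


def unvalidated_destructions(due, validation_log):
    """Validation step: records scheduled for destruction with no signed-off entry
    in the destruction log (a dict of record_id -> name of the person who validated)."""
    return [record_id for record_id, _method in due if record_id not in validation_log]


# Constructed sample records and a constructed "current date".
SAMPLE_RECORDS = [
    Record("R-001", "hipaa_documentation", "paper", date(2013, 3, 1)),
    Record("R-002", "hipaa_documentation", "electronic", date(2018, 9, 15)),
    Record("R-003", "customer_financial_record", "electronic", date(2010, 1, 1), legal_hold=True),
    Record("R-004", "marketing_campaign_email", "electronic", date(2020, 2, 29)),
    Record("R-005", "founding_charter", "paper", date(1952, 6, 1)),
]
TODAY = date(2022, 6, 1)

if __name__ == "__main__":
    due = due_for_destruction(SAMPLE_RECORDS, TODAY)
    for record_id, method in due:
        print(f"{record_id}: {method}")
    # Constructed destruction log: only R-001 has been validated so far.
    print("awaiting validation:", unvalidated_destructions(due, {"R-001": "records manager"}))
```

Run as written, the script reports R-001 (paper, past the 6-year period) and R-004 (electronic, past the 2-year period) as due, leaves R-003 alone because of its legal hold, keeps R-005 indefinitely, and flags R-004 as destroyed-but-unvalidated. The legal-hold check runs before any date arithmetic so that a hold always wins over the schedule.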

State Law Data Destruction Requirements

Some state laws require specific data destruction methods. The State of Indiana has this type of law. All businesses in the state must follow it, and it requires that they properly dispose of the unredacted personal information of their customers. This information includes a customer’s Social Security number (SSN) or certain types of financial account information. The law applies to both paper and electronic information.

The law requires that information be disposed of in a way that makes it unreadable or unusable. It says that proper disposal methods include shredding, incinerating, mutilating, and erasing.

The state can fine a business that does not comply with the law, imposing fines that range from $500 to $10,000 per violation. You can read Indiana’s data disposal law at http://iga.in.gov/legislative/laws/2019/ic/titles/024#24-4-14.

Intellectual Property Policies

Intellectual property laws protect people’s or organizations’ ownership rights in their creative ideas. They give owners the right to protect their ideas and profit from them. These rights are exclusive to the owners of intellectual property. They can act against people who violate these rights.

Intellectual property policies are very important for most organizations. There are two main reasons why an organization should consider an intellectual property policy. They are:

  • To protect its own intellectual property
  • To make sure that its employees respect the intellectual property rights of others

Organizations have large amounts of data that they use in carrying out their business. This may include information protected by patents, copyrights, and trademarks. It also can include information protected as a trade secret. Because this information is important to the organization’s viability, the organization must protect it.

An organization uses a policy to specify the intellectual property that it owns. As with an AUP, an organization will want to state its expectations in a policy governing the use of its intellectual property:

  • That the organization’s intellectual property may be used only for authorized business purposes
  • That the organization’s intellectual property may not be disclosed outside the organization
  • Whether the intellectual property may be removed from the building, copied onto removable media, or stored in cloud computing infrastructure
  • What the rules are for using the organization’s name or trademarks in correspondence

There is an information security component to protecting the organization’s intellectual property. For example, an organization’s electronic proprietary and trade secret data must be secured against internal misuse. It also must be secured against external attack.

The second reason for an intellectual property policy is to make sure that an organization does not violate the rights of others. An organization can be held liable for the infringing activities of its employees. For example, an organization will want to make sure that its employees honor software licensing agreements. It will want to make sure that employees do not use software without a valid license to do so. It also must make sure that employees do not copy or distribute unauthorized copies of software. The organization also will want to make sure that employees do not share or download pirated software onto organizational computers.

Authentication and Password Policies

Authentication controls are among the most basic types of information security controls that an organization can use to protect its IT resources. Authentication is the process whereby a user proves his or her identity to access an IT resource. Good authentication provides controlled access to an organization’s IT resources.

A user proves identity by presenting credentials, which are then used to access IT resources. Credentials usually include a username and one of the following:

  • Something a user knows—This includes passwords, passphrases, and personal identification numbers (PINs).
  • Something a user has—This includes tokens, smart cards, and digital certificates.
  • Something a user is—This includes biometric data such as a fingerprint or retina scan.

Organizations can implement authentication methods in many ways. Some ways are more complicated and expensive than others. For example, biometric authentication can be very expensive. Organizations also can choose to implement multifactor authentication. This type of authentication requires employees to use two or more different types of credentials to access IT resources.

Many organizations choose to implement passwords. This is because they can easily implement them. They also are relatively inexpensive to use. Employees generally are familiar with using passwords. Employees may be unfamiliar with other types of authentication methods, such as using biometric data.

There are several problems with using passwords as the only authentication method. An organization’s IT resources are vulnerable if a password is compromised. A password can be compromised if an employee shares his or her password. It also can be compromised through a phishing or dictionary attack.

NOTE

A dictionary attack tries to crack passwords by running through words or phrases listed in a dictionary. Strong passwords help combat dictionary attacks.

Organizations implement authentication and password policies in an attempt to reduce risk caused by password use. Sometimes these types of policies are stand-alone policies, but they also can be included as a policy statement in an organization’s main information security policy if it has one. These types of policies state the user credential rules that employees must follow. Some policies state that an organization’s IT department will never ask employees to share their passwords. These policies often include password creation rules. For example, they may state the number of characters that a password must have.

Would You Share Your Password for Chocolate?

Researchers at the University of Luxembourg studied whether or not people would be willing to exchange their passwords for chocolate. In a fascinating social engineering study, they found that the timing of the gift (before or after the request to share the password) and gender of the recipient were important. Men were more likely to share their passwords if given chocolate right before being asked to share their passwords. About 30 percent of the participants in the study shared their passwords with the researchers.12 The study did not verify whether people were sharing valid passwords. It is possible that the survey results could be influenced by chocolate lovers sharing fake passwords.

Other common password policy statements include:

  • Passwords should not be written down. If they must be written down, that paper should be stored in a secured place.
  • Passwords must never be shared with anyone, including trusted colleagues, friends, or family members.
  • Passwords must not contain dictionary words.
  • Passwords must not include a user’s name or parts of his or her name.
  • Employees must create strong passwords that meet the organization’s character and complexity requirements.
  • Passwords expire after a certain period and must be changed.
  • New passwords must be different from the previous password or parts of the previous password.
  • Passwords may not be reused for a specified period.
  • Passwords must not be inserted into email messages or other forms of electronic communication.

Information security departments also can create their own policies for how passwords should be used within IT resources. For instance, they might specify that passwords should never be stored in IT resources as cleartext. These policies might require that system authentication take place via encrypted channels. These also might specify that a password cannot be displayed on screens as cleartext when an employee enters it. This would help prevent shoulder surfing attacks. Where possible, passwords should expire automatically, and employees should be prompted to create new ones.
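The policy statements above (no dictionary words, no part of the user's name, length and complexity requirements, no reuse of the previous password or parts of it, a reuse window) and the paragraph's rule that passwords are never stored as cleartext can both be enforced in code. The following is an added illustration, not code from the text or from any particular product: a small validator that checks a candidate password against those rules, together with salted PBKDF2 storage so that the reuse check runs against stored hashes rather than retained cleartext. The word list, the 12-character minimum, the five-entry history depth and the PBKDF2 round count are assumed values chosen for the example, not figures from the text.

```python
"""Password-policy checks plus cleartext-free storage (added example).

Assumed values: the tiny word list, MIN_LENGTH, HISTORY_DEPTH and the
PBKDF2 work factor are placeholders, not the text's numbers.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

MIN_LENGTH = 12          # assumed organizational minimum
HISTORY_DEPTH = 5        # assumed: last five hashes are kept for reuse checks
PBKDF2_ROUNDS = 200_000  # assumed work factor


def shares_substring(a: str, b: str, n: int) -> bool:
    """True if a and b share any run of n consecutive characters."""
    runs = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in runs for i in range(len(b) - n + 1))


def check_password(candidate: str, username: str, full_name: str,
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    `previous` is the old password the user types at change time; it is
    only ever held in memory for this check and is never stored.
    """
    violations = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        violations.append("needs at least three of: lower, upper, digit, symbol")
    # Dictionary words anywhere in the password, not only as the whole string.
    if any(word in low for word in DICTIONARY):
        violations.append("contains a dictionary word")
    # The username or any part of the user's name is forbidden.
    name_parts = [p.lower() for p in [username, *full_name.split()] if len(p) >= 3]
    if any(part in low for part in name_parts):
        violations.append("contains the user's name or username")
    # "Parts of the previous password": reject any shared 4-character run.
    if previous and shares_substring(low, previous.lower(), 4):
        violations.append("reuses part of the previous password")
    return violations


@dataclass
class StoredCredential:
    """What the system keeps: a per-user salt and a slow hash, never cleartext."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return StoredCredential(salt, digest)


def verify_password(password: str, cred: StoredCredential) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, cred.digest)


def reused_recently(password: str, history: List[StoredCredential]) -> bool:
    """Reuse-window check against stored hashes only (no cleartext history)."""
    return any(verify_password(password, c) for c in history[-HISTORY_DEPTH:])


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for pw in ["Welcome123", "JaneDoe2024!", "Tr0ub4dor&3!xyz"]:
        print(pw, "->", check_password(pw, "jdoe", "Jane Doe") or "ok")
    cred = hash_password("Tr0ub4dor&3!xyz")
    print("stored digest is not the password:", cred.digest != b"Tr0ub4dor&3!xyz")
    print("reuse detected:", reused_recently("Tr0ub4dor&3!xyz", [cred]))
```

The "parts of the previous password" rule is the one that most often gets skipped in practice, because it needs the old cleartext; the check here is only possible at change time, when the user supplies the old password, and the history reuse check afterwards works purely on stored hashes.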

Security Awareness and Training

A 2016 survey asked about corporate information security policies. A total of 8,000 people participated in the survey. Of these, 88 percent of the employees surveyed did not know about their organization’s information security policies.13

An important part of any information security program is the training and awareness component. This is because employees play a large role in meeting information security goals. Employees often view information security training as a waste of time. As one author writes, “Given a choice between dancing pigs and security, users will pick dancing pigs every time.”14

Employee behavior can help protect data and IT resources. It also can be harmful. Employees who are not aware of their responsibilities pose a threat. They may engage in risky online activities that could harm the organization’s IT resources. Their actions also could disclose data. They can subject an organization to liability. Training and awareness activities help reduce this threat.

A high-level awareness and training policy or policy statement lets employees know that the BOD supports information security educational activities. Similar to authentication policies, sometimes these types of policies are stand-alone policies, or they can be included as a policy statement in an organization’s main information security policy if it has one.

Creating an Information Security Awareness Program

Many organizations struggle with information security training and awareness. This includes the U.S. federal government. FISMA requires federal agencies to implement security awareness training as part of their overall information security programs.

The National Institute of Standards and Technology (NIST) created guidance for training and awareness activities. NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” was published in 2003. It steps organizations through how to design and implement a training and awareness program. It also discusses how to develop training material. Finally, it provides advice on how to review the program’s effectiveness.

Any organization can use the NIST guidance to help create an information security awareness program.

An information security awareness and training policy or policy statement should include the following elements:

  • Why security awareness and training are important
  • Who has overall responsibility for the policy
  • Who provides training and awareness activities
  • Which employees must take part in training activities
  • How often training must take place
  • What the consequences are for not participating in required training

BOD support of training activities is vital. It makes sure that employees understand that training is important and makes them take it seriously.

A variety of training and awareness events are necessary to reach employees. Organizations can use multiple training tools to help their employees know about security policies.
