CHAPTER

13

IT Security Policy Implementations

INFORMATION TECHNOLOGY SECURITY POLICIES are the foundation upon which you build good security habits. IT security policies define what business and technology risks will be controlled. Users can turn to policies for guidance in their daily work. Policies are a useful tool for creating a risk culture that protects information. The adoption and effective implementation of these policies is evidence to regulators, customers, and shareholders that due care is being taken to protect the company and its customers’ personal information. The stakes are high. Well-implemented security policies build brand confidence and help an organization achieve its goals. Poorly implemented security policies lead to breaches, fines, and damage to brand value, and they undermine confidence in the organization.

Everyone must follow the policies if they are to be effective. A security policy implementation needs user acceptance to be successful. Absent user acceptance, the policies may not be consistently implemented. They may be sometimes seen as optional. You can gain user acceptance, in part, by effectively communicating policies that are also easy to understand. A security awareness program, in addition to other methods, helps users understand policies and why they’re important. The implementation of security policies also requires management support. Thorough planning allows you to overcome challenges and gain that support.

This chapter examines a simple process approach to implementing IT security policies. It walks you through this high-level process and explores the major issues encountered while implementing security policies. You will read how to overcome challenges and the importance of a communication plan. The chapter also examines best practices for implementing security policies. Finally, the chapter presents case studies that reinforce important topics and concepts.

Chapter 13 Topics

This chapter covers the following topics and concepts:

   What a simplified implementation process looks like

   What is meant by “target state”

   How to win executive support, and why it matters

   What good policy language is

   What’s involved in employee awareness and training

   How to educate employees through proper dissemination of information

   What policy implementation issues you should anticipate

   What the roles of governance and monitoring in security policy implementation are

   Which best practices to follow when implementing IT security policies

   What some case studies and examples of successful IT security policy implementations are

Chapter 13 Goals

When you complete this chapter, you will be able to:

   Describe a simple implementation process

   Explain key process steps and related concerns

   Identify key organizational and cultural issues in implementing policies

   Describe why executive support is so important

   Define what a communications plan is

   Explain the importance of a communications plan

   Explain the difference between awareness of and training in security policies

   Describe examples of policy training

   Describe what a brown bag session is and what its benefits are

   Explain techniques for overcoming objections

   Describe different ways to disseminate policy material

   Explain the technical and nontechnical barriers to implementing IT security policies

   Follow best practices when implementing IT security policies

   Use case studies of successful IT security policy implementations as examples for your organization

Simplified Implementation Process

There are many approaches to implementing IT security policies. The approach can vary based on any number of factors, such as organizational need, level of technical complexity, industry, culture, and maturity of change process. Assume, for example, you have an organization adding mobile solutions for the first time. This may be a major project for an organization with no prior experience in this area. It should have a detailed IT security plan that includes looking at business risks, cyberthreats, compliance requirements, policy changes, employee awareness, training, policy implementation, governance, and more. The addition of new mobile solutions could be expensive and time consuming.

Now consider an organization with years of experience at implementing mobile solutions. Also assume you wish to make a change to security policies. In many ways the process is the same. You still want to look at the policy change from the perspective of business risks, cyberthreats, compliance requirements, policy changes, employee awareness, training, policy implementation, and governance. However, the scale and effort in the second case would be smaller. Introducing change into a mature organization with extensive mobile experience significantly reduces the time needed to consider the risk and implication of a policy change. In fact, while the thought process may be the same, the experience and knowledge could mean some of these steps are less formal. In both cases, it’s good practice to think through the risks and needs consistently and document them well.

Figure 13-1 shows a simple process flow for implementing IT security policies. As you can see from the figure, implementing a security policy is much more than writing and publishing a document. In fact, writing and publishing the policy document is a small part of a larger process. Creating an IT security policy is less about the document and more about the control environment the policy creates. A policy is a way of implementing a control, such as a way to prevent or detect a type of security breach. Simply publishing a policy does not, by itself, prevent or detect anything. The implementation must be a series of steps that ensure the policy is put into practice. A proper implementation process educates, creates support, and integrates the policy into day-to-day operations. It must also minimize costs and impact on the business.

Target State

Target state is a general term used in technology to describe a future state in which specific goals and objectives have been achieved. In security policy terms, this future state generally describes which tools, processes, and resources (including people) are needed to achieve the goals and objectives. Describing policy in terms of goals and objectives is therefore important for getting agreement on the target state.

img

FIGURE 13-1
A process flow for implementing IT security policies.

There are different ways to describe policy goals and objectives. The value of the policy will often be judged by how well you can describe the goals and objectives. The more persuasive the descriptions, the more people will value the policy. One of the more effective techniques is to describe goals and objectives in the following ways:

   Business risk—Describes how the policy will reduce risk to the business

   Compliance—Describes how the policy will ensure the business is compliant with laws and regulations

   Threat vectors—Describe how the policy will prevent or detect IT security threats

Business risk can be expressed in terms of how the policy either enables the business or reduces business disruptions. This risk can also be described in business risk terms such as described in the risk and control self-assessment (RCSA). The RCSA is typically produced annually by the business and describes its top risks, controls, and barriers to their objectives.

For example, assume a company wants to start selling product over the Internet to overseas customers. In this case, there might be elevated risk of fraud. Some overseas regions and countries, such as Eastern Europe, Africa, Malaysia, Indonesia, Turkey, and Pakistan, are considered higher-risk areas. In the event of fraud, options for recovery and legal action by the merchant are limited. Taking additional security measures to prevent or detect that fraud would be seen by the business as added value. For example, a company may choose to limit sales to specific countries or regions where the perceived risk is lower, such as Western Europe or Japan. This can be accomplished, in part, by blocking certain IP address ranges. Keep in mind that geolocation by IP address is approximate and can be evaded through proxies and VPNs, so IP-based blocking is a coarse control that belongs alongside other fraud checks rather than in place of them.
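The following is an added example, not code from the chapter, of the kind of country allowlist the paragraph describes. The prefix-to-country table is a constructed stand-in for a licensed geolocation database, and the country codes, prefixes, and the allow/block/review decision rule are assumptions for illustration. It matches the client address against the most specific prefix it knows, allows only approved countries, and sends addresses it cannot locate to manual review rather than silently allowing them.

```python
import ipaddress
from typing import Optional

# Constructed sample geolocation table (prefix -> ISO country code).
# A real deployment loads this from a licensed GeoIP database and
# refreshes it regularly; these documentation prefixes are placeholders.
GEO_PREFIXES = {
    "203.0.113.0/24": "JP",
    "198.51.100.0/24": "DE",
    "192.0.2.0/24": "PK",
    "192.0.2.128/25": "TR",   # more specific than the /24 above; must win
}

# Assumed business decision: only these countries may complete a sale.
ALLOWED_COUNTRIES = {"JP", "DE", "FR", "GB"}

# Sort most-specific prefix first so the first hit is the longest match.
_NETWORKS = sorted(
    ((ipaddress.ip_network(prefix), cc) for prefix, cc in GEO_PREFIXES.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def country_for(ip: str) -> Optional[str]:
    """Longest-prefix lookup of an address; None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return None


def decide(client_ip: str) -> str:
    """Return 'allow', 'block', or 'review' for a checkout attempt.

    client_ip should be the socket peer address, or the address supplied by
    a proxy you control; never trust an X-Forwarded-For header from the
    open Internet, since the client can set it to anything.
    """
    try:
        cc = country_for(client_ip)
    except ValueError:
        return "review"            # malformed address: do not fail open
    if cc is None:
        return "review"            # unknown geolocation: hold for manual review
    return "allow" if cc in ALLOWED_COUNTRIES else "block"


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.10", "192.0.2.200", "10.0.0.1"):
        print(ip, country_for(ip) if ip != "10.0.0.1" else None, decide(ip))
```

The "review" outcome is the part worth copying: a lookup miss or a malformed address should go to a human or a secondary fraud check, because defaulting to "allow" turns every gap in the geolocation table into a bypass of the policy.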

Compliance relates to the legal and regulatory mandates a business must follow. Certain security policies are required by laws and regulations. Describing how the security policies help the organization to meet legal mandates is another valuable addition to the business.

Threat vectors should be very much a business concern. A threat vector is the way in which an attack is launched. Often these are more technical threats that the business might not understand well. Describing a SQL injection attack, for example, might not have much meaning to the business executive. However, describing the results and impact to the business will be important to him or her. You can explain a SQL injection attack, for instance, as leading to the theft of customer credit card information or the takedown of the company’s Web site.

Regardless of the method used, the target state must describe in clear terms the technology, tools, and resources needed to implement the process. Additionally, to sell the need for the policy, the target state must describe the value in terms of the goals and objectives it will achieve.

Target state describes how policy implementation is closely tied to technology controls. You can have the best policies, but if they cannot be implemented, they’re useless. The following section outlines several common technology challenges that can hinder the implementation of security policies.

Distributed Infrastructure

Security policies apply throughout the enterprise. As such, they rely on a centralized view and control of risks. You design a central set of policies and apply them across the enterprise. However, today’s technology is highly decentralized. Smart devices are mobile. Users’ laptops and desktops have tremendous computing power. Remote offices have servers and complex data closets supporting local networks. These are just a few examples.

All these add up to what’s known as distributed infrastructure. That’s a term for an organization’s collection of computers—including laptops, tablets, and smartphones—networked together and equipped with distributed system software, so that they work together as one, even from various locations.

For many organizations, the amount of technology outside the data center is significant. How do you implement centralized security policies in a decentralized environment? It’s challenging. The target state must describe how to accomplish this. You first look at the administration of the distributed infrastructure.

Fortunately, while many technologies are distributed, many administration tools are centralized. Centralized administration tools allow for policies to be centrally distributed. A classic example is malware protection. Most organizations use a central malware management tool that keeps malware scanners up to date. The updating typically occurs when the desktop or laptop is connected to the network. An agent on the devices communicates with the central server and downloads the latest updates.

A distributed infrastructure is typically managed through an agent or an agentless central tool. An agent is a piece of code that sits on the distributed device. As in the case of the virus scan, the agent software periodically reports back to the central management tool. An agent typically has multiple functions. The most common function is to report the state of the device back to the central server. It also receives commands and updates. In the case of the malware scan, the agent would report any malware detected and receive updates to the scanner.

An agentless central management tool has the ability and permission to reach out and connect to distributed devices. Unlike in the malware example, where the agent software pulls the updates onto the device, the agentless software is centrally housed and pushes the changes to the device. Agentless management products use standard interfaces within the operating system or device. They authenticate to the device, which grants them the rights to perform their function. For example, the Intelligent Platform Management Interface (IPMI) can be used as an agentless interface to Dell’s OpenManage IT Assistant tool, which monitors and maintains a server’s health and performance. Two cautions apply. Because an agentless tool holds credentials with broad rights on every device it manages, the management server itself becomes a high-value target and must be hardened and access-restricted accordingly. And out-of-band interfaces such as IPMI should live on an isolated management network, never on the general user network or the Internet.

A current inventory is key to implementation in a highly distributed infrastructure. You need to know how many devices are on the network. You also need to know which devices adhere to security policies. Many organizations use discovery and inventory tools to capture and track this information. These tools track devices connecting and disconnecting from the network. They can also capture key security control information.

The combination of a good inventory count and good configuration information allows you to implement security policies in a distributed infrastructure. This is because you can assess the population of network devices and compare it with compliance to security policies. For example, a typical policy might state that all desktops must have updated virus protection. The inventory might indicate 2,000 desktops. The central malware management tool might indicate that about 1,800 desktops have updated malware protection. You can now assess the effectiveness of the security policy implementation: approximately 90 percent of your desktops comply with the policy. The remaining 10 percent, together with any devices the inventory lists that the management tool has never seen, form the remediation list and should have a named owner.
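As an added example (not part of the chapter), the reconciliation described above can be expressed as a comparison of two exports: the asset inventory and the malware-management console. The hostnames, signature versions, and check-in times below are constructed sample data, and the seven-day check-in threshold is an assumed standard. The point the code makes that the 90 percent figure alone hides is that "compliant" has to mean both a current signature and a recent check-in, and that devices appearing in only one of the two systems are findings in their own right.

```python
from datetime import datetime, timedelta

# Constructed sample data. Real input would be an export from the asset
# inventory (CMDB) and a report from the central malware-management console.
INVENTORY = {"WS-001", "WS-002", "WS-003", "WS-004", "WS-005"}

# hostname -> (signature version, last check-in with the central server)
AV_CONSOLE = {
    "WS-001": ("2024.06.10", datetime(2024, 6, 10, 9, 0)),
    "WS-002": ("2024.06.10", datetime(2024, 6, 10, 8, 30)),
    "WS-003": ("2024.05.01", datetime(2024, 5, 1, 17, 0)),   # old signatures
    "WS-005": ("2024.06.10", datetime(2024, 6, 9, 12, 0)),
    "LAB-99": ("2024.06.10", datetime(2024, 6, 10, 7, 0)),   # not in inventory
}

CURRENT_SIGNATURE = "2024.06.10"
MAX_CHECKIN_AGE = timedelta(days=7)   # assumed standard for "still reporting"


def reconcile(inventory, av_console, current_sig, now, max_age=MAX_CHECKIN_AGE):
    """Compare the inventory against the malware console and classify each device.

    compliant: in inventory, current signatures, checked in recently
    stale:     in inventory and known to the console, but out of date or silent
    missing:   in inventory but the console has never seen it (no agent?)
    unknown:   reports to the console but is not in the inventory (rogue asset?)
    """
    compliant, stale, missing = set(), set(), set()
    for host in inventory:
        record = av_console.get(host)
        if record is None:
            missing.add(host)
            continue
        signature, last_seen = record
        if signature == current_sig and now - last_seen <= max_age:
            compliant.add(host)
        else:
            stale.add(host)
    unknown = set(av_console) - set(inventory)
    coverage = len(compliant) / len(inventory) if inventory else 0.0
    return {
        "compliant": compliant,
        "stale": stale,
        "missing": missing,
        "unknown": unknown,
        "coverage": coverage,
    }


def remediation_list(result):
    """Every inventoried device that does not satisfy the policy, sorted."""
    return sorted(result["stale"] | result["missing"])


if __name__ == "__main__":
    outcome = reconcile(INVENTORY, AV_CONSOLE, CURRENT_SIGNATURE,
                        now=datetime(2024, 6, 10, 12, 0))
    print(f"coverage: {outcome['coverage']:.0%}")
    print("remediate:", remediation_list(outcome))
    print("not in inventory:", sorted(outcome["unknown"]))
```

Run against the sample data, three of five inventoried desktops are compliant (60 percent), WS-003 and WS-004 need remediation, and LAB-99 needs to be either added to the inventory or removed from the network. Both lists are evidence for the governance and monitoring steps discussed later in the chapter.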

Outdated Technology

Another challenge in describing a target state is how to deal with outdated technology. Outdated technology is hardware or software that, because it is obsolete, makes it difficult to implement best practices consistently. Outdated technology generally does not support current best practices. When that occurs, you must decide how to address the lack of security controls within policies. You have four basic choices:

1.  Replace outdated technology

2.  Write security policies to best practices and issue policy waivers for outdated technology that inherently cannot comply

3.  Write security policies to the lowest, most common standard that the technology can support, even if it’s outdated

4.  Write different sets of policies for outdated technologies

The ideal solution is to replace all outdated technology. However, that’s not always an option, especially in a declining economy when many organizations are cutting costs.

Of the three remaining choices, none is good. Generally, the least objectionable choice is Option 2. The technology that is not outdated will conform to policies. The technology that cannot conform is typically granted a waiver with additional hardening to mitigate risk as much as possible. Waivers provide transparency on the risks the business is accepting. At a minimum, any waiver granted should require annual renewal. This will provide an opportunity to review the waiver and the risk—and the additional cost it introduces into the control environment.

It’s sometimes less expensive to replace technology than to upgrade its security. Figure 13-2 illustrates that point. Assume you have outdated technology in your network. One response is to improve network segmentation controls to compensate. If the network segmentation controls themselves are outdated, you place more reliance on operating system controls. If the operating system is outdated, you place greater reliance on application controls. Any combination of these enhanced controls might mitigate some of the risk of outdated technology. Of course, every additional layer of controls adds cost to the organization.

Outdated technology creates security vulnerabilities. Vendors usually do not support outdated technology, so new security vulnerabilities will not be patched. Even adding additional layers of security can only go so far. There’s significant risk to having outdated operating systems. Once the operating system is breached, it’s likely the application will be breached.

Lack of Standardization Throughout the IT Infrastructure

Another technical challenge is the lack of standardization within the infrastructure. This can have two causes: 1) a lack of consistency with configurations; or 2) deployment of a diverse population of technologies.

img

FIGURE 13-2
Expanded layers of control required for outdated technology.

The lack of a consistent configuration is a problem that arises when similar technologies are used in different ways by different lines of business. Each line of business has its own technologists applying different standards to similar technology. Assume, for instance, you have a company with physical stores and an online presence. Both lines of business have an inventory application that the public cannot access. The application may be on the same operating system and perform the same basic functions. Yet the configuration may look completely different if two different groups of administrators maintain the application.

This diversity in security approaches can be overcome in time. But it may create delays in the implementation of the security policies and increase costs. Both administration groups need to agree on a common approach to security. An implementation plan is needed so both types of configurations can migrate to the new policy in an orderly fashion.

When you have a diverse range of technologies deployed, security policies must be more generic. The policies must ensure that as much of the technology as possible can comply. That means that if one set of technologies has a weakness, the policy may end up applying the weaker standard across the broadest set of technologies. Security policies usually set minimum standards. So, while one set of technologies has a weakness, the remaining technologies can add security beyond what the policies call for. The drawback is that only policies are mandatory. Once a security requirement is removed from policy, there is no certainty that those additional controls will ever be applied.

Consequently, having a diverse population of technologies creates a set of tradeoffs. You want security policies to be as inclusive of the technology within the organization as possible. That may mean lowering some of the security standards at times. One option is to publish a security policy with an effective date that’s in the future. This gives the organization time to upgrade technology and configurations. Whatever approach is selected, it’s important that security policies be realistic in their expectations. Security policies should not be a theoretical exercise or an ideal state. They should reflect realistic expectations on how the organization needs to control risks.

Executive management support is critical in overcoming hindrances. A lack of support makes implementing security policies impossible. It takes a strong partnership between management and the IT security team to implement security policies. Consequently, it’s vitally important to gather support for the security program by including senior management in building the target state. Listen carefully to the executives’ needs. For example, if executives are particularly concerned about regulatory compliance, be sure the policies address compliance thoroughly. The more you can convey that the policy target state solves real problems for executives, the more likely they will support it.

Executive Buy-in, Cost, and Impact

Ultimately you will need senior managers’ formal buy-in and support for any costs they need to incur. When dealing with executive management, define expectations clearly. Senior executives generally have little time to create specific strategies. They expect well-defined security approaches and recommendations. You might need their input on undecided key issues. However, executives expect you to do your homework and to engage their teams. You should have already spoken to their staffs and worked out most of the details. When a CISO is in front of an executive to talk about implementing security policies against a target state, it should be a short conversation. The conversation should focus on “This is our recommended approach” and “This is what I need.” The executive will want to know the following, at a minimum:

   The level of commitment being asked of his or her team

   The impact of the policies on the current environment

   The value the policy brings; in other words, what risks the policy addresses

   The metrics of success—how success will be measured

Also, be sure to establish lines of communication. You’ll want to spread the word on both major successes and setbacks throughout the implementation. Keep the lines to executives open. They want to avoid surprises. If something is not going well, they prefer to hear it from you first. They will also use success as a barometer for future requests.

Executive Management Sponsorship

Without executive management sponsorship, users will be less willing to participate in awareness training and to support the policy implementation. Supporting a policy implementation takes time away from an individual’s regular job. Many organizations are understaffed and overcommitted. Security policy implementation may not be seen as valuable or urgent. Executive management sponsorship changes that perception.

You should expect to fund the implementation with a defined budget. Buying tools and creating training materials are start-up costs. These costs may not be in the current budget. Additionally, you should expect a formal communication from management supporting the program. This communication can be a simple e-mail that emphasizes the importance of team participation. This tone at the top is important to overcome common objections, such as, “I’m too busy right now.”

Efforts to gather support should not be limited to a single executive. A security policy implementation spans the enterprise. This means you should seek multiple executive supporters. Remember, awareness is ongoing and extends well beyond the classroom. Awareness and a communications plan should be executed throughout the policy implementation process. For example, partnering with corporate communications or marketing departments allows the security message to be included in company newsletters and bulletins. The IT security team provides the content, whereas the communication and marketing department professionally packages the message. Executive sponsorship in those areas can extend the message’s reach. These executives can advise the IT security team on how best to market through existing communication channels.

Overcoming Nontechnical Hindrances

It’s not just technical challenges that can delay security policies from being implemented. It’s important to remember that human factors matter, too. Success depends on how well people accept the policies.

Distributed Environment

Many organizations operate in a distributed environment. Organizations are typically divided by lines of business, product, or geography. In a distributed environment, an organization is run by different individuals with different business objectives. Therefore, different parts of an organization can have different views of risk. This diverse set of leaders can delay security policy implementation.

The first challenge is to get senior leadership to agree on a common set of security policies. The second challenge is agreeing on an implementation timeline.

User Types

A diverse set of views is not just reflected by leaders. The organization’s general population also harbors a diverse set of views. The workplace has many types of users. Remember that you operate in an existing culture. That culture might not share the principles stated in the security policies. Even in the best of circumstances, it takes time for security policies to change the culture. In the meantime, you must recognize the type of culture and users that exist at the time the security policies are being implemented.

This sometimes means working in a culture that thinks of information security as an afterthought. Users in this environment may do the minimum to get by. You have to educate them on security policies and help them shed bad habits. Security awareness that targets specific habits can help. It’s important that these users and habits be identified early. Plan specific communication events that focus on policy value and awareness training to change existing habits.

Some users think information security is a technology problem, not their problem. They might not object to the rollout of new policies, but they might undermine the policies’ effectiveness by doing the bare minimum. This type of user attitude can best be managed through effective leadership. When a user knows that his or her job responsibility includes implementing security policies, such attitudes begin to change.

Organizational Challenges

Organizational challenges depend on the culture and industry. For example, the financial services industry puts significant resources into implementing security policies. In these organizations, the focus is on how to implement security policies to meet compliance laws and regulations.

Other, less-regulated organizations may question whether they should implement security policies at all. Understanding and overcoming these objections is an important part of obtaining buy-in. The following is a list of organizational challenges you might face when implementing security policies:

   Unclear accountability

   Lack of budget

   Lack of priority

   Tight schedules

Management is ultimately accountable for protecting information. Thus, management has a key role to play in implementing the proper policies. Implementations require management to be accountable for their success. The challenge is when leaders perceive policy implementation as an IT function. Leaders must support the implementation and provide the right message to all their subordinate teams.

Another organizational challenge is a lack of budget. Implementing security policies across the enterprise requires resources and funding. It may be a challenge to obtain funding without management support. The implementation of policies is more than sending out e-mails and posting a policy on a server. It takes time and funding to create training programs, to brief departments, to train users, and to hold town hall meetings. A town hall meeting is a gathering of teams to make announcements and discuss topics. These types of efforts take time and funding on both the IT and business side. It’s even more challenging when the business is asked to allocate funds from its own budget. Competing for limited funds is always a challenge in an organization. Information security has to compete for organizational priority.

Implementing security policy is no different from any other activity. An organization faces many conflicting priorities. It may face business challenges that drive its priorities. For example, a priority may be to expand customer services. An organization may need to reduce defects in its product line. The key point is that organizations have limited resources. Often, there are more priorities than resources available. The challenge is to avoid security policies becoming low-priority items. Ideally, security policy should be seen as supporting or enabling the business’s highest priorities.

For the implementation of security policies to be effective, it must be taken as a serious organizational commitment. You accomplish this in part by avoiding direct conflicts with other priorities. You should time the implementation of security policies so it doesn’t conflict with other events. For example, assume you know over the next three months that a new product will be released. You may want to hold off implementing major security policies until after the product launch. Companies in this situation may not have the bandwidth to deal effectively with both efforts.

Yet you don’t always have the luxury of waiting to implement policies. You may be under a regulatory requirement to meet specific timelines. When you do have flexibility, plan the timing of the implementation to ensure the organization can properly focus on the effort. Even in the best of circumstances, you often face tight implementation schedules. Once an organization has agreed on the content of security policies, the tendency is to implement them quickly, so the organization can move on to other priorities. Tight schedules may also be a byproduct of how well you communicated the benefits. For example, an organization that is facing significant audit findings may view the implementation of security policies as an important step in controlling those risks. This results in significant pressure to implement quickly. It’s important that an implementation plan recognize the time and effort required to reach and train everyone involved in the changes.

Policy Language

Writing policy statements is like writing a legal contract. First, two parties must agree on what they want to achieve, and then they must put it in a contract. If the two parties can’t agree on what they want to achieve, they can never agree on the contract language. In writing security policies, too, this first step is often missed. When this occurs, the resulting policy language can lack context, and the goals may seem confusing. In contrast, following an implementation process (as previously depicted in Figure 13-1) means getting agreement on a target state with funding and executive support.

Writing policies supporting an agreed-upon target state is much easier and provides a way to quickly gain approval for supporting policy language. Still, don’t underestimate the time it takes, especially in a large organization. Words can have different meanings to different people. You want to create a clear and concise policy in language that is easily understood.

Don’t use imprecise language such as “should” or “expected.” For example, consider a policy that states, “You should use an eight-character password.” Do you have to? It sounds more like a suggestion than a rule. It is also ambiguous about whether eight characters is the minimum or the exact length. A clearer policy statement would be, “You must use a password of at least eight characters.”

Be sure to assign clear accountability to specific roles. You must assume at some point that a policy will not be followed. The language must indicate who is accountable. For example, assume the policy language states, “Management is responsible to review an employee’s access every 90 days.” Who is “management”? The manager? The line supervisor? The executive over the department? This language can be confusing. A better policy language statement would be, “All employees with direct reports must review their direct reports’ access every 90 days.” You can now go to a system of record (such as a corporate directory) and determine who should be performing what reviews.

Be sure to be precise about which resources the policy covers. Avoid requiring specific products in a policy. Policies should focus on what needs to be achieved and not how. Technology policy often has broad implications across multiple technical environments. Imprecise scope and a mandated vendor solution are both confusing and limiting. For example, assume a policy states, “All servers must use EFS when storing credit card information.” Encrypting File System (EFS) is a feature of Microsoft Windows that can be used to encrypt files on a hard drive. This policy is imprecise about scope and limits encryption to a specific vendor product. It’s not unusual to put technical limits on solutions, such as requiring an approved algorithm with a minimum key length (for example, AES with 256-bit keys). But it’s not a good idea to require specific vendor products in policy.

Here’s why not: First, EFS is a Windows feature. How do you store credit card information if you’re using a Unix or Linux platform? Second, the policy objective should not be the use of EFS. The objective should be the encryption of the credit card information. This allows the flexibility to use the appropriate solution or tool for each platform.

Additionally, the policy as written is unclear. Does it allow credit card information to be stored on laptops? If a server is the only place you are allowed to store credit card information, the policy must state that clearly. A better policy statement would be, “Only production servers may store credit card information. Additionally, all credit card information must be encrypted when stored.” You can still limit which technologies can be used by adding, “Only an approved encryption solution may be used.” That addition allows control over which specific encryption products can be used by calling for a defined approval process.

The key point is to be sure that there’s clear agreement on the target state. Use that agreement to write the supporting language in policy. When writing policy, use precise language that clearly defines the outcome and assigns accountability.

Employee Awareness and Training

The goal of employee awareness and training is to ensure that individuals have the knowledge and skills needed to implement the security policies. The primary objective of a security awareness program is to educate users. A well-executed awareness and training program can do much more. Some additional benefits include:

   Reinforcing core organizational values

   Giving management an opportunity to demonstrate support

   Creating opportunities for employees to acquire new skills, leading to increased job satisfaction

Awareness includes teaching employees about policies and core security concepts. Effective security awareness helps drive acceptance. When users understand policies, they can be held accountable for observing the policies. This promotes a long-term security culture shift. With so much at stake, it’s important to have a well-thought-out approach to education.

Typically, an organization offers security awareness training. This is broken down into two components:

   Awareness—to raise understanding of the importance and value of security policies.

   Training—to provide the skills needed to comply with security policies.

Awareness should be an ongoing effort that reinforces key concepts. The awareness component is important, because it sets the tone and goals for security policy implementation. By setting realistic goals, you build credibility for the policies. Awareness also promotes candid conversations. Security awareness is, in part, about effective marketing and messaging.

The training component is more straightforward than creating awareness. In security training, you review security policies in detail. You discuss how the policies apply to individual roles. You set expectations on behavior. Security training focuses on mechanics—what is expected to be done and when. Often, in security policy training, you will discuss the supporting processes. For example, you might discuss restricting security administrator accounts. This can lead to a discussion on how to grant rights.

technical TIP

You should expect some level of participation by executives during training. An executive may simply stop by to kick off a session. A few opening remarks in a training session can send a powerful message throughout the organization. Also, consider recording a video message from a senior leader as an effective communication technique. This avoids the problem of scheduling his or her time for multiple training sessions.

Organizational and Individual Acceptance

Users are more likely to accept what they understand. Security awareness is the first step in getting people to think about security. Security awareness training gives you an opportunity to explain the value of security policies. When security policies help users do their work, they are more likely to consider the policies to have value. Consequently, the goal of the security awareness program should be to gain support as well as to teach material. You need to tailor training to the users. For example, the type of training senior leaders receive would be different from individual user training.

Collectively, user behavior defines the organization’s acceptance of security policies. When security policies are widely accepted, they become part of the culture. That tends to reduce risk, resulting in a lower number of security incidents. The converse is also true. When security policies are not widely accepted, there’s an increase in security incidents. It’s important that users embrace security policies to ensure the policies are used and thus effective.

Motivation

Ideally, awareness should excite and inspire, as well as train. But motivation is a broader topic. How individuals are motivated varies by person. One clear motivation is self-interest. When management rigorously enforces security policies, that becomes a powerful motivator. This can be demonstrated by how management holds users accountable for failing to follow policies. Users need to know that management is serious about implementing security policies. This clear message of rewards and discipline is important in motivating users.

Untrained or unmotivated employees can make poor decisions. Poor decisions can lead to security incidents, even when individuals are trained. Poor decisions can occur anywhere within the organization. A user can fall prey to social engineering pretexts. A user can fail to report a control weakness. Management can fail to act when a report is received. Risk experts can fail to correctly assess the extent of the vulnerability. Senior leaders can fail to fund the mitigation. Regardless of the failure, there’s a danger that policies will be perceived as ineffective when security incidents rise.

The key point is that effective security policy implementation depends on acceptance. Acceptance depends on the individuals who perceive value in the policy. Ultimate acceptance depends on the value being demonstrated by lowered risk to the organization. Security awareness and training is an opportunity to communicate value and get employees motivated.

Developing an Organization-Wide Security Awareness Policy

Effective security awareness training must reach everyone in the organization. This includes anyone with access to data, including employees, contractors, and vendors. The form of security awareness training may vary depending on the type of user. For example, security awareness training for a vendor might be handled by its parent company. The contract with the vendor should specify the type of awareness training the client requires. Typically, the vendor is responsible for training its employees. This is different from contractors. Contractors usually go through the same type of training as the contracting company’s regular employees. In this case, the contracting organization is responsible for security awareness training.

Contractor training may be condensed, however. If a contractor will be on-site for only a short time—three weeks, for example—it does not make sense to require weeks of security awareness training.

The security awareness policy ensures that education reaches everyone. For example, the policy might require that all users receive security awareness training before being granted access to data. This might include completing basic security awareness training during employee orientation. This ensures newly hired individuals receive training before handling sensitive information.

The security awareness policy typically outlines the frequency and type of training required. Awareness training is conducted at least annually. A security awareness training policy may require the following types of training:

   New employee and contractor—At time of hire before access to data is granted

   Promotion—As individuals are promoted into significantly different roles

   All users—Annual refresher training

   Post-incident—After major security incidents, when lack of education was noted

   Vendor—As defined in the contract

It’s important that you know your audience. You should tailor training to resonate with them. For example, humor is often an effective tool in awareness training. Humor can capture an individual’s attention. It can also elicit cooperation and make the topic fun. Although that may be appropriate in larger audiences, it may not be the best choice when training executives. As a general rule, you want to tailor your approach on the basis of:

   Job level—The higher people are in the organization, the more strategic their training needs to be.

   Level of awareness—Some users need more training on basic security concepts.

   Technical skill level—Individuals who are technically savvy may be able to understand threats more easily.

The security awareness policy determines the type of awareness training that’s provided. The policy also defines the audience that receives the training. For example, the policy could require senior management to receive strategic security and policy training. Middle management might be required to take policy and basic security training.

Training should focus on individual roles and responsibilities. Middle managers need to understand basic security concepts and the risks they may encounter running daily operations. Senior managers are less likely to encounter those risks when they focus on strategic issues in running the organization. Basic security training might include discussion of how to implement encryption methods. This is a real issue that middle management may face. Senior management would have little interest in, or bandwidth for, dealing with basic security issues.

The scope of security awareness training is not one-size-fits-all. One approach to security policy awareness training is to define the user population and types of security awareness training offerings. This allows you to require specific training to address individual needs. Table 13-1 is a simple example of this concept. Notice that there are four basic user types defined. The security awareness policy would define each of these user types to ensure individuals in these roles can be quickly enrolled in training. The columns represent the type of training offered. The type and level of training would vary depending on the organization’s needs. Notice the emphasis on reporting suspicious activity. This is reflected by the fact that all users are required to receive this type of training.

In many organizations, this type of training is tracked through an online course registration tool. The application allows an individual to enroll in available training sessions. The application can also automatically assign required courses to individuals and track attendance. Online course registration tools help enforce the security awareness policy. These tools can also show evidence of enforcing the policy.
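As an added example (not from the original chapter), here is the kind of check that turns training records into evidence that the policy is enforced. It joins a constructed learning-management export against a constructed access-provisioning export and reports every access grant that violates the two rules stated above: training must be completed before access to data is granted, and refresher training must be completed at least annually. The course code, user IDs, system names, and dates are hypothetical.

```python
from datetime import date, timedelta

REFRESHER_INTERVAL = timedelta(days=365)   # "at least annually"
AWARENESS_COURSE = "SEC-AWARE-101"         # hypothetical course code

# Constructed LMS export: (user_id, course, completion_date)
COMPLETIONS = [
    ("alice", "SEC-AWARE-101", date(2023, 1, 5)),
    ("alice", "SEC-AWARE-101", date(2024, 1, 8)),   # annual refresher on time
    ("bob",   "SEC-AWARE-101", date(2022, 11, 2)),  # no refresher since
    ("carol", "SEC-AWARE-101", date(2024, 2, 14)),  # completed after access was granted
    ("carol", "OTHER-COURSE",  date(2024, 1, 3)),   # unrelated course, must be ignored
]

# Constructed access-provisioning export: (user_id, system, grant_date)
GRANTS = [
    ("alice", "crm",   date(2023, 1, 6)),
    ("bob",   "crm",   date(2022, 11, 3)),
    ("carol", "hr-db", date(2024, 2, 1)),
    ("dave",  "crm",   date(2024, 1, 20)),          # no training record at all
]


def training_violations(completions, grants, today):
    """Return a list of (user_id, system, reason) for every grant that breaks
    the awareness-training policy, in the order the grants appear."""
    completed = {}
    for user, course, when in completions:
        if course == AWARENESS_COURSE:
            completed.setdefault(user, []).append(when)

    violations = []
    for user, system, granted in grants:
        done = sorted(completed.get(user, []))
        if not done:
            violations.append((user, system, "no awareness training on record"))
            continue
        if done[0] > granted:
            # First completion is later than the grant: access preceded training.
            violations.append((user, system, "access granted before first training"))
        if today - done[-1] > REFRESHER_INTERVAL:
            violations.append((user, system, "annual refresher overdue"))
    return violations


if __name__ == "__main__":
    for v in training_violations(COMPLETIONS, GRANTS, date(2024, 3, 1)):
        print(*v)
```

Run against the real exports, the output is both a work queue (revoke or re-train) and the audit evidence the text mentions: a dated list showing that every grant was checked against the training record.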

TABLE 13-1 Simple security policy awareness requirements.

image

Conducting Security Awareness Training Sessions

The goal of formal security awareness training is to build knowledge and skills to help workers perform their roles in a way that protects assets and complies with policies. Security awareness training is not just about echoing back the trained material. The measure of success is how effectively the workers apply their training on the job.

There are two common ways of formally delivering security awareness training: in the classroom and through computer-based training (CBT). Both methods are widely used and both have strengths and weaknesses. Large organizations often use a combination of methods. There are also a host of less formal methods. They can be as simple as a manager e-mailing a policy to the team, asking everyone to read the material. Information dissemination methods are discussed later in this chapter.

In the classroom setting, a trained instructor usually conducts security awareness training. The advantage of having an instructor deliver the training is flexibility. Suppose some training materials were developed under the assumption that the audience has a certain technical skill set. If a session is delivered and the audience doesn’t have the necessary background, an experienced instructor can adjust the delivery accordingly. An instructor in a classroom can answer questions and connect with the class.

There are also drawbacks to a classroom setting. The first is cost. Classroom sessions can be expensive, because of facility and travel costs. You need to find a suitable classroom and arrange for everyone’s attendance. Conference rooms can be effective but are sometimes a poor choice, depending on class size and number of interruptions. It’s not uncommon for individuals to be pulled out of training sessions held within the office setting. Alternatively, arranging for a conference room at a local hotel or alternative location comes at a price. Attendance could mean flying individuals to a training location or flying an instructor to remote offices. Another issue is the skill set of the instructor. Experienced instructors are typically in short supply. It takes a specific skill set to facilitate a training session.

The CBT approach can be a lower-cost alternative to classroom training. A number of factors can drive a cost difference between CBT and classroom training. Some of these factors are size of the organization, location, and travel. Larger organizations can find it expensive to hold enough classes to cover enough of the employee population to be effective. In addition, the cost of travel and classroom space at some remote office locations can be prohibitive. With CBT you can reach an unlimited number of workers with a consistent set of messages. Online courses also allow workers to learn at their convenience. This can include taking a course at night or on weekends, away from the pressures and distractions of the office.

FYI

A classroom session can be a positive experience where individuals exchange ideas and make a personal connection with other students and the instructor. Another significant benefit is that the instructor can gauge the audience’s acceptance of the material. Through questions and discussions, an instructor can determine how well the audience has understood the message. Based on this feedback, the instructor can adjust the training to be more effective.

Online courses offer quizzes throughout each session to automatically score competency. An online training tool can also require review of material the attendee found challenging. CBT offers statistical tracking of who takes courses and which part of the material individuals are struggling with.

The CBT approach has drawbacks, though. It can only measure what individuals know about the material. Unlike an instructor, it cannot measure how well the material is being accepted. A strength and weakness of CBT is the consistent format in which it’s presented. The message in the material is consistently delivered. However, some CBT has limited or no opportunity to tailor the message to a specific audience. Finally, CBT is impersonal. Unlike classroom instruction, CBT offers little opportunity to connect with others in the organization.

It’s important to get feedback on the training by the attendees as soon as possible. This feedback should focus on how well the material is being accepted beyond what knowledge was conveyed. In other words, it’s more important to know the attendee is using the knowledge than simply memorizing the material. Some suggested ways of getting feedback include:

   Anonymous surveys after the session

   Focus groups

   Interviews of attendees

   Exit interviews of individuals leaving the company

   Monitoring compliance through incident reports

Human Resources Ownership of New Employee Orientation

New employees can often be reached through the human resources (HR) department. The HR department usually manages the onboarding of new employees. HR usually has an array of employment documents new employees must complete, from benefits forms to ID badge acknowledgments. HR also provides a series of training sessions to help new employees ease into the organization’s culture. Most organizations add security awareness training to the list of items the HR department provides to new employees. It’s cost efficient, because it simply adds material to new employee training HR conducts. You don’t have to pull new employees offline into a separate training session. It’s also practical from a timing perspective. You don’t want new employees to access sensitive data until they receive training. You want to get to the employees as early as possible.

Review of Acceptable Use Policies (AUPs)

A core topic in security awareness training is reviewing the acceptable use policy (AUP). It’s not uncommon to require employees to sign the AUP. This acknowledges they have received and read the policy. The AUP clearly defines what’s considered acceptable and unacceptable use of technology. The AUP, for example, specifies that the organization’s computers are to be used for business purposes only. It may also prohibit specific types of usage such as gambling or accessing offensive material. The AUP also defines personal responsibilities, such as that of protecting one’s own password.

One of the more critical training points in an AUP is to prohibit sharing of an individual’s ID and password. Sharing such information can place sensitive data at risk from unauthorized access. It also undermines accountability and nonrepudiation: once two people know a password, actions taken under that ID can no longer be attributed to one person. Assume a supervisor asked a user to share his or her password. This is a violation of the AUP by both the employee and the supervisor. In the real world, if the employee promptly reported the violation, no action would be taken against him or her. Although it may be a violation by the employee, the supervisor is the source of the breach. It’s not always reasonable to expect an employee to stand up against a supervisor, manager, or executive. However, failure to report the violation might be considered significant cause to discipline the employee. In either case, the supervisor should be disciplined for requiring the employee to provide that information. The level of discipline depends on the organization. If the violation leads to a fraud or security breach, there’s a strong case to be made for terminating the supervisor.

The AUP does more than protect passwords. It also addresses other high-risk behaviors, which should be included in security training:

   Handling and sharing of sensitive customer information

   Transmission of information outside the company

   Handling of company intellectual property

Information Dissemination—How to Educate Employees

Educating users can be a formal or informal process. Formal methods are those that communicate policies in a formal training environment, such as a classroom or CBT. The advantage of formal training is that you know who’s taking the training, and you can measure to some extent its effectiveness.

Remember that people learn in different ways. It’s a good idea to select multiple methods to disseminate security policy messages and materials. Because people learn differently, this increases your odds of reaching everyone. For example, those that find computer-based training less appealing may find a department newsletter more relevant to their job.

It’s also important to understand the culture and the audience in the organization. If an organization has many remote offices, face-to-face presentations of the material will be less practical. In addition, some organizations distribute too many newsletters. Some users simply stop reading newsletters due to the volume. As a consequence, newsletters may not be the best choice for communicating critical information. The following is a list of potential ways to disseminate security policy information:

   Telephone town hall meetings

   E-mails

   Newsletters

   The company intranet

   Posters

   Face-to-face presentations

   Giveaways such as pins, mugs, sticky notes, and so on

   Contests that include prizes

Any communication method that keeps the security message “alive” is effective. You are usually limited by time and money. However, communicating the policy message does not have to be expensive. It’s limited only by imagination. You could sponsor a security policy awareness contest. It might be as simple as asking individuals to answer security policy trivia questions online. The winner gets a basket of goods worth less than $20. For just a few dollars, you can apply creative ideas to engage employees and reinforce key messages.

To successfully disseminate security policy messages, you need a communications plan. A communications plan outlines what information is to be shared. A communications plan defines the message, the people, and the method of delivery. By laying out an entire communications plan, you can quickly assess if the right message is reaching everyone.

When developing a communications plan, you should ask yourself the following key questions:

   Who communicates—Are the right people delivering the message to build credibility for the effort?

   What is the target audience—Is everyone receiving the appropriate message?

   What is communicated—Is the right message being delivered?

   How is it communicated—Are we delivering the message in the most efficient manner?

   When is it communicated—Is the communication well timed?

   What collateral is used—Is the message being consistently delivered?

   What objective is achieved—Are specific goals being achieved?

TABLE 13-2 Simple communications plan.

image

Table 13-2 depicts a simple communications plan that has two events. Both events are to be communicated by senior management. The first communication event prepares middle management for the announcement to staff. One can anticipate questions during a policy launch. Leadership needs to be well prepared to answer questions from staff, which makes the policy rollout more effective. The second communication event is the actual kick-off of the security awareness effort.

A communications plan can help rationalize the implementation strategy. For example, your strategy may call for everyone to receive at least three communications during the first six months of the security awareness program. If that’s the case, by scanning the Target Audience column in the communications plan, you can quickly determine if the goal is being achieved.

Hard Copy Dissemination

Hard copies of policies are rarely sent out today. The challenge in sending out volumes of paper is the cost and accuracy of the material. All of the security policies, standards, processes, and guidelines in an enterprise can be thousands of pages long. That doesn’t include the supporting materials, such as executive summaries, slide decks, and spreadsheets. Consequently, it’s not practical to disseminate the material in print form. Printing costs would be high, and it would take time, money, and effort to disseminate. In addition, as soon as changes to the material are made, the printed material is out of date.

Posting Policies on the Intranet

The best method for communicating security policies is through a document management system hosted on the company intranet. These systems offer multiple benefits, such as:

   Costs to disseminate material are low.

   Policies are kept current.

   Policies are searchable.

   Changes to policies can be highlighted.

   You can link to supporting material.

Many organizations already have an intranet. Consequently, the incremental costs for housing security policies are minimal. Centralized security policy management helps you keep policies current.

A significant advantage of electronic over hard copies is the ability to search for documents. Anyone who has browsed the Internet is familiar with search engines. You can enter key phrases and get a list of related documents. The same technology applies to an intranet. Your internal policies can be quickly searched for key phrases. In seconds, thousands of pages can be searched. For example, assume a business has decided to work with a vendor to process sensitive information. A quick search of policies using the keyword “vendor” may return a half-dozen documents. The topics may range from the need for a vendor assessment to secure connection requirements.

Another powerful tool of document-handling servers is the ability to track changes. When a modified policy is released, it’s helpful to know the exact wording that was changed. Policies often include a high-level explanation of the changes but few details. The ability to view the actual word-level changes in the policy is a powerful tool. This allows you to better assess the impact of the change on your existing controls.

Another significant benefit is the ability to link policies to supporting materials. The supporting materials can be executive summaries, slide decks, or a wide array of educational material. You can link any supporting material that makes it easier to understand the policy. For example, suppose you are reading a security policy on database logging but you don’t quite understand the material. You notice a slide deck linked to the policy. After clicking on it, you are presented with a tutorial created by the database administrator explaining how to apply the policy.

Using E-mail

Although the level of sophistication on how policies are disseminated varies between organizations, most organizations still rely on e-mail. Organizations depend on e-mail to approve policies and keep management informed on implementation activities.

E-mail also plays a central role in most communications plans. E-mail allows you to notify a large population about major events. It can also request read receipts, which give a rough picture of who has opened the notification; keep in mind that recipients or their mail clients can suppress receipts, so a receipt is not proof that the policy was read, and a missing receipt is not proof that it was not. This is a useful tool for ensuring that individuals are notified of policy releases. E-mail also allows you to send out surveys and follow up on how well the implementation is being perceived.

Brown Bag Lunches and Learning Sessions

A brown bag session is a training event. An expert on a topic is invited to share his or her thoughts, ideas, and experiences. The term “brown bag” came about because sessions were usually held at lunchtime, and people brought their own lunches in brown bags. Nowadays these sessions may or may not be held over lunch, and if they are, lunch may even be catered. As a broad term, “brown bag” can be applied to a wide variety of less formal training situations.

The core concept of a brown bag usually applies to a small group of people that has access to one or more experts. Participants ask the experts questions. The experts guide the conversation. There may or may not be a formal presentation. The key idea is that the sessions are less scripted than a formal classroom setting.

How successful these sessions are depends on the expert. A brown bag session provides an opportunity to persuade and influence both the experts and the attendees. Regardless of your position on a topic, a brown bag session is a good opportunity to create a personal connection.

Brown bag sessions can also be divided by type of security policy. For example, a new policy on acceptable e-mail use might be of particular concern to customer service. A security team member might be the selected expert to help explain why the new policy has been implemented and talk through how e-mail communication with customers might change.

Policy Implementation Issues

When implementing policy, it’s important to consider the organization’s structure in relation to its business, size, and technology. Another important consideration is the fit to its leaders. If a leader holds team meetings or town halls, the implementation plan might consider using these events to discuss the policy change. A different leader may be more hierarchical in his or her approach, holding a series of group meetings. What’s most important is recognizing these differences and adjusting your security policy approach accordingly.

Depending on the policy change, one method is to find an early adopter. An early adopter implements the security policy ahead of rollout as a type of pilot. In this way you can demonstrate the value of the policy and use the positive experience of the early adopter to overcome concerns and objections. An early adopter of security policies will help lead an organization’s successful implementation. Early adoption of security policies can be a source of pride for both an individual and the team.

When you navigate an organizational structure to build support for implementation, keep in mind that you are talking to people, not boxes on an organizational chart. It’s important to listen, accept suggestions, and realize you will need to overcome concerns and user apathy towards information security. It will be important to build support with executive leaders throughout the implementation process, especially those with differing views of risk and different management styles.

Encourage management to be personally involved in the implementation. They know their teams. A good manager will listen to the employees’ issues and feed back to the security team concerns and ways to overcome objections. Security awareness and messaging is not a one-time event. It’s important to reinforce the message as much as possible. If you can engage employees and show them why security is relevant to their jobs, there’s a greater chance employees will adhere to policies. Security awareness programs help keep workers engaged with the information security message, thereby helping to prevent apathy.

Remember, motivating employees is as important as mastering a technology. A motivated employee can deal with the unexpected. This is particularly important when dealing with unexpected security incidents.

Changing an organization’s culture and users’ perceptions is not a one-time event. Simply releasing security policies does not change attitudes. Security is a tough sell because the benefits are not always obvious. Cultural change comes from having a clear value message that is demonstrated daily. It also requires collaboration and an understanding of the business. Culture is changed in small increments. That’s why you need a well-planned step-by-step approach to implementing policies. Three common messages during an implementation to deliver are:

   Personal accountability

   Directives and enforcement

   The value of security policy

While “selling security” has an upside, security is in the end mandatory in most organizations. A soft sell has had some success, but it can go only so far in motivating employees, because the consequences may not seem real. The more abstract the perceived argument as to why information security is important, the less convincing it becomes.

It’s important to discuss personal accountability and the consequences of not implementing policy. The consequences can range from loss of data to lack of regulatory compliance. This message can resonate with executives, especially those who operate in a regulated industry. In highly regulated companies, executives can be held personally accountable for failure to implement effective controls. The Sarbanes-Oxley Act is an example of this type of regulation.

After a period of “selling” the implementation, there often comes a management directive and enforcement. Management will require policies to be implemented. Management sets the tone within an organization through how it enforces its policies. Inevitably, someone will fail to follow policy. The level of tolerance and how aggressively policies are enforced sets the tone. It also shapes whether policies are perceived as important.

Mandates by management and aggressive implementation are often needed to meet tight deadlines. This is particularly important in meeting regulatory mandates. For example, in banking strong authentication for some transactions is a legal mandate. This might translate into requiring two-factor authentication to access a bank account online. The implementation of these policies can help the online banking manager achieve his or her goals of reducing online fraud and becoming compliant with regulations.

Finally, keep in mind that the business and the IT team are both often overworked and overcommitted. Information security is sometimes seen as an additional layer of complexity. Some people perceive security policies as a roadblock to the delivery of services. These perceptions of security policies are inaccurate. Security policies can enable organizations to expand by creating reliable controls that protect vital systems and applications.

Implementation is as much about changing attitudes as it is about implementing controls. Overcoming perceptions and changing culture are goals of security policies. In other words, it is about implementing in a way that wins hearts and minds. You need to be transparent about what risks security policies can and cannot reduce. Most important, security policies need to be viewed as a useful tool.

President Theodore Roosevelt’s famous counsel was “speak softly, and carry a big stick.” This is good advice for implementing security policies. Do everything possible in the early stages to win the hearts and minds. In later stages, you need clear and concise statements of management mandates and of accountabilities.

Governance and Monitoring

The COBIT 5 framework defines governance thus: “Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.”

Governance ensures that policies are adopted, used, and effective. To monitor policy adoption and effectiveness, organizations should create a policy governance committee, usually made up of security teams and business-side leaders. Typically, governance is organized around a series of regularly scheduled committee meetings. A policy governance committee might meet weekly or monthly; there is no set standard. The committee must meet as often as needed to ensure “that enterprise objectives are achieved.”

Monitoring performance depends on the types of reports and information the committee is provided. If there’s a lack of adoption, you would expect to see that reflected in the type of audit findings issued. If there’s a lack of awareness, you might see that in annual awareness testing or survey scores. Ultimately, effectiveness might be measured in how many breaches have been successful, or, conversely, in how many security attacks have been successfully defended against.

Regardless of the effectiveness measurements used, governance is an ongoing evaluation of stakeholder needs, conditions, and options to achieve the desired policies. This means that governance sets direction through prioritization and decision-making. Remember, a governance committee is typically made up of management leaders. These leaders can act when policies are not working as designed. They can also act should new threats emerge. That’s why most implementation processes (such as the one in Figure 13-1) take the lessons learned from monitoring to reassess business risk, compliance, and threat vectors. This reassessment of the organization’s needs can lead to changes in the target state and thus changes in the IT security policy.

As a management group, the governance committee can help drive organizational and cultural change. The upside is gains in efficiency, coordination, transparency, and agility. It can be hard to standardize business processes across a company. But if you do, you can drive efficiency and predictability companywide. This can simplify your environment and make responding to attacks much easier.

For policies to prevent security breaches, everyone must follow them. Everyone in the organization must therefore be accountable for implementing security policies, and that accountability requires executive commitment. It will be a cultural change for any organization that views security policies as an abstract concept or an additional layer of complexity. Security policies that hold everyone in the organization accountable help promote this cultural change. For this to happen, the goal should be to make security policies:

   A routine part of daily interaction

   The recipient of support from organizational committees

   A matter of instinctive reaction

These goals are measurable indicators of a shift in organizational thinking and risk culture. Security policies cannot outline every potential situation. You cannot expect people to memorize volumes of material. Information overload is a real concern when implementing security policies. When information security policies are large, complex documents, they become hard to understand. They are also hard to teach. So security policies must include core concepts that can be applied to a wide range of situations. In this way, the policies’ tenets can be easily recalled.

The advantage of core values that management understands well is that they can be applied to unexpected situations. You can measure (and thus, monitor) routine daily interaction to see if policies are being followed. For example, you can review business deployment plans. Usually it becomes obvious if security policies were clearly considered in these plans’ formulation. When security is considered as a bolt-on, or afterthought, cultural change has not occurred. You can also gauge the level of interaction based on the number of requests from the business side to interpret security policies. When information security is at the forefront of everyone’s mind, the business side often asks for clarification on policy details when implementing new processes. The natural source for this interpretation is the IT security team. If the volume of requests for interpretation is low, it’s a good indicator that active conversations on security risks are not occurring. When you have a large number of initiatives, you should expect lots of questions on policies.

You can measure committee support by the conversations that occur between members. A quick indicator is to look at the minutes of committee meetings, such as the operational risk committee or the audit committee. Such committees should all be dedicating time to discussing information security and policies. These committees should also be discussing enforcement. They will want to know how to manage overall risk to the organization. If these committees spend little or no time on these topics, it’s a good indicator they have delegated the conversation to lower ranks. A risk-aware culture has senior management equally engaged in these discussions. The chief information security officer (CISO) can help overcome organizational apathy toward security policies by attending key committee meetings. The CISO can promote candid discussions on policies and risks.

A culture shift occurs when users instinctively react to situations consistent with the core values of the security policies. This personal accountability can help promote security thinking across a broad range of situations. It could be as simple as asking a stranger in the office for his or her identification. It could be questioning the need for access, even though a procedure allows it. This can be measured in several ways. For example, an organization with a high number of security policy exceptions might not appreciate the importance of security.

Best Practices for IT Security Policy Implementations

A proper implementation process educates, creates support, and integrates the policy into day-to-day operations. Having a standard process approach that ensures that business risks, compliance, and threat vectors are considered in all policy changes is a best practice.

The goal of employee awareness and training is to ensure that individuals have the knowledge and skills needed to implement security policies. The primary objective of a security awareness program is to educate users. Creating awareness should be an ongoing effort that reinforces key security concepts. The awareness component is important because it sets the tone and goals for security policy implementation.

In writing policy, don’t use imprecise language such as “should” or “expected.” Assign clear accountability to specific roles. Specify precisely which resources are covered by the policy. Avoid requiring specific technologies in a policy.

As noted earlier, implementing a security policy is much more than simply writing and publishing a document. In fact, writing and publishing a policy document is but a small part of a larger process. Creating an IT security policy is less about the document and more about the control environment the policy creates. A policy is a means of implementing a control—such as a way to prevent or detect a specific type of security breach. So simply publishing a policy in itself doesn’t prevent or detect a security breach. The policy implementation must be a series of steps that ensure that the policy is put into practice.

Case Studies and Examples of IT Security Policy Implementations

The case studies in this section discuss various issues with implementing security policies. They all highlight the importance of having security policies and a strong security awareness program. These case studies also highlight related challenges and issues.

Private Sector Case Study

A case study describing the implementation of a targeted security awareness program at Northrop Grumman Corporation was presented to the 13th Colloquium for Information Systems Security Education conference in June 2009. The case study was entitled “Using Security Awareness to Combat the Advanced Persistent Threat.” The case study detailed the need, challenges, and steps taken to successfully implement a security awareness program.

The case study noted that the company is a global leader in providing technology products to private companies and governments. The company has 120,000 employees worldwide. The company is the nation’s second largest defense contractor. As such, the company is a target for what it terms a “persistent threat.” The company defines this persistent threat as well-funded entities attempting to penetrate its infrastructure. The company also identifies its senior leaders and administrators as prime targets.

Although the company has extensive technology controls, it also recognized the need to focus on the “human factor” to protect its systems, applications, network, and data. The security awareness program was designed to address many of these human issues.

The company developed its security awareness program around the concept of a “campaign.” Some of the key steps the company took included:

   Obtaining leadership sponsorship—The study emphasized that buy-in included both funding and participation of senior leaders.

   Creating policy and strategy—The company aligned the awareness training with security policies and targeted training based on geographical needs.

   Assembling a campaign team—The company formed a team to manage the awareness campaign. This included identifying roles and responsibilities such as a formal approach to approving and disseminating awareness material.

   Performing a needs assessment—A needs assessment was used to identify individual training needs, including those for management and administrators.

   Developing a communications plan—The company developed a detailed communications plan.

   Branding the campaign—The company used an advertising approach with short “one-line” education taglines that could be reused in various materials.

   Identifying information sources—The company identified subject matter experts that can be used in various training events.

The detailed communications plan included the following communication channels:

   Intranet Web site—An intranet Web site was developed to provide access to awareness material, answer questions, and convey the latest awareness message.

   Monthly communications—A monthly one-page awareness newsletter was sent out to reinforce the awareness message.

   Audio vignette—A five-minute multimedia message was created to introduce key concepts about what a “persistent threat” is and how to defend against it.

   Audio message from the vice president and CISO—An audio message from senior management was created to elevate the importance of the topic and of training.

   Management briefing—Canned slide decks of awareness materials were developed for management to use when delivering the awareness message.

   Incorporation into existing communications and training events

Key messages were incorporated into existing awareness training for new employees, administrators, and management. The study illustrates how to build a structured approach to security awareness. This includes the need for executive participation. Notice that executive involvement included participation in the form of a personal audio message.

Another important part of the campaign’s success was the needs assessment. This helped target specific training needs for different types of users. In this case, particular emphasis was given to management and administrators. There was also a training component geared toward everyone in the company.

A communications plan was a critical part of the campaign’s success. Management recognized that everyone learns differently. As a result, they used multiple communications methods, including the intranet, newsletters, and multimedia. The study indicated that management was sensitive to information overload. Messages were delivered in short bursts, such as one-page newsletters and five-minute audio messages, that reinforced a common theme.

Public Sector Case Study

In November 2012, South Carolina state officials disclosed a massive data breach at the Department of Revenue. Few details on the breach were disclosed, but it involved exposing more than 3.6 million taxpayers’ personal information records and 650,000 business tax–related records. The breach occurred in September 2012. It’s clear that massive amounts of personal information were stolen.

A former top official with the FBI estimated the cost to the state at more than $350 million, based upon past FBI experience, including the cost of offering free credit monitoring to affected individual taxpayers and businesses.

The root cause of the breach cited in news reports was the lack of mandatory security policies across 100 state agencies, boards, commissions, and colleges and universities.

All state agencies have some type of computer security system in place. It’s fair to assume they all have some level of security policy in place. But it is clear these policies were discretionary. That meant an approach to information security across state government that was at best inconsistent. Nor did the state appear to have a comprehensive approach to sharing best practices for information security or for coordinating response to these types of data breaches.

In the case of the South Carolina Department of Revenue, the policies clearly were neither adequate nor consistent. Additionally, reports indicate the source of the hack was in Eastern Europe. The hacker or hackers gained access through a phishing e-mail. Phishing e-mails try to trick a user into opening a link or attachment that installs malware or captures the user’s credentials. Security awareness is a strong control: it educates users on how to recognize such attacks and why not to open suspect links or attachments. If a phishing e-mail was the source of the attack, it might be an indication that the security awareness program at this state agency was inadequate.
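The warning signs an awareness program teaches users to look for in a phishing link can also be checked mechanically, which is useful both for mail filtering and for building realistic training material. The following is an added example, not code from this chapter or from the South Carolina Department of Revenue. It extracts the links from a constructed e-mail body and flags three classic tells: a raw IP address as the link target, visible link text that shows one address while the href goes somewhere else, and a host that imitates one of an assumed list of trusted domains (either by using the trusted name as a sub-label of another domain or by a one-character substitution). The trusted-domain list and the sample message are constructed for the example.

```python
"""Phishing link checks of the kind a security awareness program teaches.
Added example; not the chapter's own code. The trusted domains and the
sample e-mail below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organization legitimately links to in e-mail.
TRUSTED_DOMAINS = {"example.gov", "revenue.example.gov"}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(host):
    """Return the trusted domain that host imitates, or None if it is trusted
    or bears no resemblance to a trusted domain."""
    host = host.lower()
    reg = registrable(host)
    if host in TRUSTED_DOMAINS or reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried as a sub-label, e.g. revenue.example.gov.evil.net
        if trusted in host and not host.endswith("." + trusted):
            return trusted
        # Single-character substitution of the registrable part, e.g. examp1e.gov
        if len(reg) == len(trusted) and sum(a != b for a, b in zip(reg, trusted)) == 1:
            return trusted
    return None


def check_link(href, text):
    """Return the list of reasons a link is suspicious (empty means none found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link target is a raw IP address")
    shown = re.search(r"https?://([^/\s]+)", text)  # text that looks like a URL
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"visible text shows {shown.group(1)} but link goes to {host}")
    imitated = lookalike(host)
    if imitated:
        reasons.append(f"{host} imitates trusted domain {imitated}")
    return reasons


def scan_email(html):
    """Map each suspicious href in the body to its reasons; clean links are omitted."""
    findings = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: three bad links and one legitimate one.
SAMPLE_EMAIL = """<p>Your tax refund is ready.</p>
<a href="http://198.51.100.7/refund">Claim refund</a>
<a href="http://revenue.example.gov.evil.net/login">https://revenue.example.gov/login</a>
<a href="https://examp1e.gov/verify">Verify account</a>
<a href="https://revenue.example.gov/faq">Frequently asked questions</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Running the script flags the first three links and leaves the FAQ link alone. The domain matching is deliberately simple (two-label registrable domains, single-character swaps); a production filter would use the public suffix list and a proper confusable-character table, but the three checks shown are exactly the ones a user is asked to perform by eye before clicking.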

CHAPTER SUMMARY

You learned in this chapter how to approach the implementation of security policies. This included standardizing a process approach. You learned the importance of executive buy-in and users’ acceptance of policies. The goal is to have the policies become second nature to users over time. When users embrace security policies as part of their daily routines, you begin to see a cultural change. You learned about the importance of security awareness training. It ensures that everyone understands the policies. It also increases the chance policies will be used. You can hold users accountable if they understand the policies.

The chapter also examined the importance of governance and monitoring. It discussed how security policies are published and disseminated. You explored various communication methods. You learned the importance of a communications plan and how it’s used to coordinate a consistent message. Finally, the chapter examined how to overcome technical and nontechnical hindrances. This included a discussion of best practices.

KEY CONCEPTS AND TERMS

Agent

Agentless central management tool

Bolt-on

Communications plan

Computer-based training (CBT)

Control environment

Distributed infrastructure

Executive management sponsorship

Outdated technology

Target state

Threat vector

Town hall meeting

CHAPTER 13 ASSESSMENT

1.  Which of the following indicate that the culture of an organization is adopting IT security policies?

A.  Security policies are part of routine daily interaction.

B.  Security policies are supported by organizational committees.

C.  Security policies’ core values are demonstrated in workers’ instinctive reactions to situations.

D.  All of the above

2.  Effective security policies require that everyone in the organization be accountable for policy implementation.

A.  True

B.  False

3.  A control environment is defined as:

A.  An inventory of the security policy controls

B.  A well-defined framework to track control exceptions

C.  A term describing the overall way in which the organization’s controls are governed and executed

D.  None of the above

4.  Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed.

A.  True

B.  False

5.  Which of the following is not an organizational challenge when implementing security policies?

A.  Accountability

B.  Surplus of funding

C.  Lack of priority

D.  Tight schedules

6.  Which type of plan is critical to ensuring security awareness reaches specific types of users?

A.  Rollout plan

B.  Media plan

C.  Executive project plan

D.  Communications plan

7.  Why should a security policy implementation be flexible to allow for updates?

A.  Unknown threats will be discovered.

B.  New ways of teaching will be introduced.

C.  New technologies will be introduced.

D.  A and C

E.  All of the above

8.  Which of the following is the least objectionable when dealing with policies with regard to outdated technology?

A.  Write security policies to best practices and issue a policy waiver for outdated technology that inherently cannot comply.

B.  Write security policies to the lowest, most common security standard the technology can support.

C.  Write different sets of policies for outdated technologies.

D.  All of the above

9.  What is a strong indicator that awareness training is not effective?

A.  A firewall breach

B.  Sharing your password with a supervisor

C.  Sharing a laptop with a coworker

D.  A fire in the data center

10.  A target state is generally defined as:

A.  A term used in technology to describe a future state

B.  A way to describe specific policy goals and objectives

C.  A way to describe what tools, processes, and resources (including people) are needed to achieve the goals and objectives

D.  All of the above

E.  None of the above

11.  Classroom training for security policy awareness is always the superior option to other alternatives, such as online training.

A.  True

B.  False

12.  To get employees to comply and accept security policies, the organization must understand the employees’ ________

13.  A brown bag session is a formal training event with a tightly controlled agenda.

A.  True

B.  False

14.  What is the best way to disseminate a new policy?

A.  Hardcopy

B.  Intranet

C.  Brown bag session

D.  All of the above

15.  A formal communication plan is ________ when implementing major security policies.

A.  Always needed

B.  Optional

C.  Never needed
