When planning for information assurance, factor in the people
- By Ben Apple, Special to GCN
- Aug 28, 2009
People are an organization’s most valuable asset. But as long as they are in the enterprise, there will be the risk of insider threats and human errors in following security practices. With everyone interconnected in the enterprise, a threat or risk to just one individual can potentially be shared by all within the enterprise and even extend to external stakeholders.
This is why information assurance is as much a people challenge as it is a technological challenge. The industry spends a great deal of energy and resources in protecting critical systems from the threat of foreign intruders, cyber criminals and other unauthorized users. Granted, that threat is real. However, the threat of wrongdoing by people authorized to access computer systems and data is also real and potentially costly, whether that threat is intentional or accidental in nature.
If an enterprise wants to maintain a culture that encourages online ethics, adherence to policies and good corporate citizenship, it needs to attract, hire and retain people who have good moral and social character.
An organization’s human resources department is responsible for the orientation of new employees, who will be asked to read and acknowledge the organization’s security policies. But even before this, HR teams can help facilitate a reputable IT security culture by implementing well-defined hiring practices that include criminal background checks, credit checks and previous employment verification. Those procedures should be applied not only to direct staff but also to contractors and even cleaning crews. Cleaning crews represent one of the most overlooked areas of risk: They often work in the most sensitive areas during off-hours, when there is little or no oversight of their activities.
In addition to establishing good HR hiring standards and practices, organizations must implement ongoing processes for IT security. For example, an organization needs to periodically repeat security checks for employees in sensitive positions.
Because people issues usually trump technology issues, executives need to establish an IT security program that considers the people and the organization’s regulatory environment. Regardless of the level of technology implemented, an information security program relies on each person doing his or her part.
Simply put, all personnel must become familiar with security policies and procedures, without exception. The organization must develop an easily understood and consistently communicated awareness program, which should include annual security training that features a testing component. Because employees and employers are in IT security together, education and training will help achieve an enterprise’s IT security goals and enable both management and IT personnel to understand each other's wants and needs.
The best way to support the security awareness message is twofold. First, organizations can set up supplemental awareness briefings that let employees ask questions. Second, the organization’s information security team can advocate security as a core value of the organizational culture. Other ways to support those initiatives include e-mail tips, posters, letters of support from senior management, self-assessment surveys, an awareness luncheon or creation of a security Web site.
After an organization addresses the people aspect through the institution of practices that will spur operational excellence, it should implement auditing. Audits measure the effectiveness of a set of specific controls. Therefore, to measure the effectiveness of an insider threat mitigation plan, an organization must establish an audit plan for those controls.
By implementing best practices for IT security, enterprises will be ready to respond to threats. It is important to note that information assurance is a dynamic process that evolves as new threats surface. Enterprises can handle those threats most effectively through the continuous assessment of their IT security postures and by using best practices.
The success of the IT security program depends on the IT leadership, technology adoption, the enterprise’s ability to innovate and, of course, hiring the best people. Information assurance must be practiced continuously. Put into perspective, organizations are only going to be compliant and effective to the degree that people buy into and implement the proper tools to support the IT security and information assurance compliance program.
Ben Apple is director of IA Business Management at Telos.