Information Security Awareness Implementation Checklist


Best to get them when they are fresh
Most companies have an induction process whereby they give new employees pension details and show them where the toilet is. Try to get information security included in the induction process. My last few organizations offered:

A short (one hour) “first day” induction session by HR
Get a five-slide show together on passwords, viruses, and the like and then coach the HR people on how to deliver it.

A company induction day, conducted with a group of new employees a couple of months after hire
This “getting to know the company” session is good practice. Get a half-hour slot there. Talk about the cost of security. Ask employees if they think they should be fired and prosecuted for viewing illegal pornography in the workplace—that focuses the mind.

Focus on the IT department
The IT department can be your greatest ally or the worst offender (every server administrator will know more about their systems than you do), so the distinct teams must be approached differently according to their roles:

Help desk and first-line support
These are the people who get calls from social engineers about viruses and about things not working the way they should, which can be an early indication of an attack. Getting them on your side is important; as long as you can teach them something, they will usually reciprocate. Teach them about incident response and intrusion. Tutor them on the importance of not sharing passwords. This team will know if there is a new contractor in the building who hasn’t got a badge or a system account.

Technical support
Tech support staff can provide insight into operating system security. Ensure that they buy into the standards for the operating systems. Be prepared to change the standards in deference to their expertise. Help them fight a few battles. Conduct a vulnerability scan of pre-hardened and post-hardened hosts, then present the results to them.
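One way to turn the pre- and post-hardening scans into something tech support can act on is to diff the two result sets and report what was remediated, what remains and what the hardening itself introduced. The script below is an added illustration, not part of the original checklist; the four-field line format it parses (host, port, finding, severity) and the two scans are constructed samples, not the output of any real scanner, so `parse_scan()` would need adapting to whatever your scanner exports.

```python
"""Compare a vulnerability scan taken before host hardening with one taken
after, and summarise what was fixed, what remains and what is new.

Added illustration for the "Technical support" item; not part of the original
checklist. The scan format below is a constructed, simplified line format
(host,port,finding,severity), not real scanner output."""

from collections import namedtuple

Finding = namedtuple("Finding", "host port finding")

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample scans (not real hosts or scanner output).
PRE_HARDENING_SCAN = """\
# host,port,finding,severity
10.0.0.5,23,telnet-service-enabled,high
10.0.0.5,21,ftp-anonymous-login,high
10.0.0.5,445,smbv1-enabled,medium
10.0.0.5,22,ssh-password-auth,low
10.0.0.6,3389,rdp-nla-disabled,medium
10.0.0.6,80,http-server-header-disclosure,info
"""

POST_HARDENING_SCAN = """\
# host,port,finding,severity
10.0.0.5,22,ssh-password-auth,low
10.0.0.6,80,http-server-header-disclosure,info
10.0.0.6,8443,self-signed-certificate,low
"""


def parse_scan(text):
    """Parse the constructed CSV-like scan format into {Finding: severity}.

    Blank lines and '#' comments are skipped; malformed lines raise rather
    than being silently dropped, so a truncated export is not mistaken for
    a clean host.
    """
    results = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        host, port, finding, severity = parts
        severity = severity.lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"line {lineno}: unknown severity {severity!r}")
        results[Finding(host, int(port), finding)] = severity
    return results


def compare_scans(before, after):
    """Return which findings were remediated, which remain and which are new."""
    before_keys, after_keys = set(before), set(after)
    return {
        "remediated": {k: before[k] for k in before_keys - after_keys},
        "remaining": {k: after[k] for k in before_keys & after_keys},
        "introduced": {k: after[k] for k in after_keys - before_keys},
    }


def summarise(delta):
    """Count findings per severity in each bucket, worst severity first."""
    summary = {}
    for bucket, findings in delta.items():
        counts = {}
        for sev in findings.values():
            counts[sev] = counts.get(sev, 0) + 1
        summary[bucket] = dict(
            sorted(counts.items(), key=lambda kv: SEVERITY_RANK[kv[0]], reverse=True)
        )
    return summary


def report(before_text=PRE_HARDENING_SCAN, after_text=POST_HARDENING_SCAN):
    """Build the before/after comparison for the two scans."""
    delta = compare_scans(parse_scan(before_text), parse_scan(after_text))
    return delta, summarise(delta)


if __name__ == "__main__":
    delta, summary = report()
    for bucket in ("remediated", "remaining", "introduced"):
        print(f"{bucket}: {summary[bucket]}")
        for f, sev in sorted(delta[bucket].items()):
            print(f"  {f.host}:{f.port} {f.finding} [{sev}]")
```

The "introduced" bucket matters as much as the "remediated" one: hardening that swaps a plaintext service for a TLS one with a self-signed certificate, as in the constructed sample, gives the team a new low-severity item to own rather than a clean bill of health.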

Application development
Get security consultancy written into the development process so that every new system development starts with a business impact assessment on the confidentiality, integrity and availability (CIA) of its data. This way, risks and countermeasures can be designed into new applications rather than bolted on afterwards.

Execs and board members: getting and keeping sponsorship
A lot of managers believe security is a waste of time, but you need to keep their attention, so try the following:
• Keep security war stories about competitors flowing to them.
• Make sure that your security dashboard emphasizes how well you do in areas where you have had budget. Make sure it shows the potential improvement where you haven’t.
• Ongoing: conduct brown-bag sessions over lunch about the latest issues. If nobody turns up, eat your sandwich and tell everyone it was a great success.
• Don’t display posters with padlocks, or a pink elephant called Snorky who tells you not to write your password down. Both look dorky.

Attachments
information-security-awareness-implementation-checklist.jpg (23.76 KB)
information-security-awareness-implementation-checklist.pdf (13.3 KB)
information-security-awareness-implementation-checklist.xls (17 KB)
