IT GRC Services: Security Education and Awareness

Contego's Services

Contego recognizes that people are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties, which introduce costly tangible and intangible losses to organizations. People therefore need to be educated on what your organization considers appropriate security-conscious behavior, and on the security best practices they need to incorporate into their daily business activities. An Information Security Education and Awareness Program (ISEAP) can also serve as an effective accountability mechanism by overcoming a common obstacle faced by many organizations: the inability to hold personnel accountable for their actions, because no information security education and awareness program has been run to address what they do not know or understand.

Information security awareness, education and training is one of the most critical aspects of any organization's information security strategy and the security operations that support it. For the most part we find that IT departments are given the responsibility of developing, designing, executing, and maintaining these programs. This brings many challenges to the predominantly technical mindset of most IT organizations. A comprehensive ISEAP should include content that can be easily understood by the entire organization, and it should also draw on instructional design skills, graphics, media and interactive content. Most IT organizations do not have these skill sets readily available. A comprehensive, sustainable program therefore needs to be implemented that will resonate across the entire organization.

To further support IT professionals in establishing and executing ISEAPs, Contego has created an approach to developing, managing and maintaining an ISEAP as part of "everyday business." These cost-effective courses can be taken online and at the individual's own pace.

Tenets of Learning

When developing a strategy to increase the level of information security awareness, subject matter expertise, and the ability to apply principles and concepts to common business activities across your organization's workforce, it is critical to understand the two tenets of learning: a) awareness and b) training. Both should always be applied in the ISEAP. The ISEAP process begins with establishing awareness. The primary objective of establishing information security awareness is to change employees' behavior by reinforcing acceptable security business practices. This objective is achieved by imparting an understanding of information security considerations and enabling individuals to apply them accordingly in all settings.

A role-based information security training process follows the completion of the information security awareness process. The skills acquired during information security training build on the foundation laid during the awareness process. The primary objective of role-based information security training is to impart relevant and necessary information security skills and competencies to your employees, whether or not their professional responsibilities involve information security. The most significant distinction between training and awareness is that training focuses on teaching skills that enable employees to perform specific functions, while awareness directs an employee's attention to a particular issue or series of issues.

The ISEAP needs to be an ongoing process for two primary reasons. The first is that information security threats continue to evolve. To react effectively to evolving threats, new technologies and operating procedures are developed, and new information security considerations and subject matter will continue to surface, so the learning process must be ongoing as well. The second is that it is impractical to expect employees to consume and absorb all aspects of information security within a concentrated period of time; information security principles, considerations, concepts, techniques, and technologies need to be delivered methodically at a pace that is comfortable for all audiences.