Why does it matter? Without implementing an effective awareness programme, any information security policy is more or less useless. The best policy in the world will fail if the people who are most affected by it don't even know that it exists!
Making employees aware of information security policies and procedures is a crucial element of any good information security programme. Otherwise, how might employees be expected to comply?
When should an information security awareness programme be implemented? Any organisation that has a clearly defined security policy should implement an awareness programme. Awareness training should be ongoing and include regular refresher courses to remind employees of the key issues, and help maintain awareness throughout the year.
Remember that new recruits will also require some form of awareness training, and this should be included in the organisation's standard induction programme.
Implementing the programme
How do you implement an effective information security awareness programme? A good one will go a great deal further than just making staff aware of a policy's existence. It should also help them to understand information security issues, make them aware of their own responsibilities and highlight the consequences of non-compliance.
Before embarking on the development of an awareness programme it's important that you set clearly defined objectives. You need to highlight individual responsibilities for maintaining information security, help to establish a 'secure culture' within the organisation and explain how and when to ask for help on security dilemmas.
The next – and often most difficult – task is gaining senior management 'buy-in' for your awareness programme. At this stage, it might be useful to present facts and figures concerning internal security breaches (either general industry surveys or internal figures if available) to highlight the exposure to risk. A list of defined objectives should also be included so that the Board can see the long-term benefits to be achieved.
Prior to developing the programme proper, there are also a number of key considerations you need to take into account. Who is the target audience? For example, will it be general employees, senior management or both? Will the content/messages need to be adapted for different business levels? Does the organisation operate in different countries, and will the programme have to be delivered in various languages?
What are the key messages? These should be based around the organisation's information security policy, and aim to bridge the gap between the policies themselves and their application on a day-to-day basis.
What delivery method is to be employed? This will depend on the objectives set, the size and location of the target audience, the budget agreed and the availability of internal resources. In larger organisations, a corporate Intranet is recommended as this provides flexibility and convenience, consistency of content and delivery, and ease of updating and maintenance. It can also prove highly cost-effective in reaching large numbers of employees. For smaller end-user organisations, internal workshops are the better option.
How can you make the message stick? The information should be presented in a way that's easy to understand and apply (i.e. written in jargon-free language). It should also be interesting, including case studies and practical examples, quizzes and tests that will encourage employee interaction.
Assessment and evaluation time
There should always be some form of assessment and evaluation. This can be done in a number of ways depending on the type of delivery method chosen. For example, if internal workshops are used, employees could be asked to complete a small written test. If using the corporate Intranet, information on user progress and performance should be provided in an online tracking system.
Any assessment will generate valuable information that can be presented to senior management, such as the number of users who've completed the awareness programme, the average level of awareness achieved and the identification of knowledge gaps where further awareness is required. Such information may also be included in an annual information security audit.
Source
SMT
Postscript
Terry Hancock is chief executive officer at the Easy i Group (www.easyi.com)