Sister CISA CISSP

Nov 17 2008   9:42PM GMT

Educating Users (Yes, I Know….)



Posted by: Arian Eigen Heald
Tags: Admins and Auditors, Compliance, Data Breaches, IT audit, Security

I can hear the collective eye-rolling from here. But guess what! New federal regulations are requiring security education from organizations as part of compliance:

SEC regulations for financial institutions http://www.sec.gov/index.htm
NERC regulations for utility organizations http://www.nerc.com/files/RSAW-CIP-004-1-060608.doc

According to a study just finished by Cisco, “Data leakage often results from risky behavior by employees who are unaware that their actions are unsafe. Some of this problem can be attributed to a lack of corporate policy or inadequate communication of corporate policies to employees. In other cases, IT professionals simply expect some degree of professionalism, security awareness, and common sense precautions on the part of employees, and don’t get it.

• 43 percent of IT professionals said they are not educating employees well enough.
• 19 percent of IT professionals said they have not communicated the security policy to employees well enough.”

The SEC regulations affect publicly traded companies, so if you regularly undergo SOX audits, this will definitely be part of the package. PCI DSS has also required security awareness training for quite some time. So, in short, you cannot escape. And besides, I suspect there are some things YOU can do to improve the understanding of your users. They are a very important part of YOUR network.

Who does your information security training? Have you taken a look at it lately? Is it any good, or just “CYA” material? See any improvements after training on the part of your user base? If not, maybe it’s time to change it.

How “user-friendly” is your organization/department for employees that want to ask computer-related security questions?

Are chronic problem users tracked, and their managers notified? (I love this idea…)

There is a rising tide of studies confirming that internal data theft and loss are far more costly to business than external attacks. All it takes is one user clicking on one phishing email to compromise company information (even a corporate email list is important). A monthly email from you explaining a topic and inviting questions might result in a LARGE saving of YOUR time dealing with infections and information compromise.

And hey, you’ll be compliant! Auditors love you!

1 Comment on this Post

  • Suzanne Wheeler
    I thought all I had to do was fill the USB ports with hot glue and I was covered! Man, you security audit types are so demanding!!!