Importance of security awareness and training
Security awareness and training matters in every company and organization. Most organizations have only a small number of security professionals, so employees need to be trained and made aware of security so that the whole organization works together on security matters. In networking in particular, staff should know which practices lead to better security. The following factors help in such an environment:
Security policy training and procedures
Being the security professional in an organization is a tall order: you are the one mandated to write the security policies and strategies the organization follows. Making the organization's members aware of those policies is almost as hard as developing them. People will not read policies that simply sit on the intranet, because they often run to many pages of security information that are tedious to read. Creating awareness of the policies is therefore a challenge for you as the security professional.
One way to get attention is to hold mandatory training sessions on the security policies, and it is your responsibility to ensure that everyone attends. You can also use other compulsory gatherings such as staff meetings, where you can be allocated a few minutes to talk about the policies. In these meetings, give a clear overview and outline of the security policies, and use interactive questionnaires so that people know your position and role. Show up in person so that employees get to meet and interact with you.
In such meetings, relay the general security best practices: how to deal with common problems such as a virus infection on the organization's computers, and how the policies apply when there are visitors, so that everyone in the company understands why the policies matter.
Role-based training
You can also run highly specific training for people in unusual environments, such as highly mobile staff. A person who travels with a laptop needs additional measures, such as full-disk encryption, so that outsiders cannot read its contents if it is lost or stolen. Training can also be organized by department, which is useful when a security issue centres on that department's activities.
Personally identifiable information classification
High: Information classified as high is of high value to the company; in a company this could include the security policies themselves, since they play a major role in maintaining the company's security. Such information is accessible only to senior security personnel, is protected by firewalls, strict access controls and strong encryption, and is usually stored on a central, well-defended server or database.
Medium: Medium information is not tightly restricted, but it is still not available to everyone. In a company, for instance, it would not be accessible to support staff such as cleaners and kitchen staff.
Low: Low information has the least strict controls and can be accessed by all members of the company. It is usually not sensitive, so handling it is straightforward for all personnel.
Confidential: Confidential information is meant for a specific individual or user. It must not be passed from that person to anyone else.
Private: Private is a general term for information that is accessible only to people within the organization. It must not be shared with or revealed to outsiders; exposing it is a violation of company policy.
Public: Public information can be shared with people outside the company, that is, the general public. An example is the published financial returns of a financial organization.
Data labelling, handling and disposal
Walking around a company, you will often come across CDs and DVDs that have been put aside for later use. Some of this media may contain important company details, so go the extra mile and label it. Document the media as well so that you can keep track of it. Beyond labelling documents, label and document all information backups so that, after a loss, you can easily determine what was on them.
Data disposal is also a sensitive issue, especially for a health care organization, because some records must be retained however old they are. Be extra cautious when disposing of data, and especially critical information, since careless disposal can put it into the hands of people outside the organization. If material is to be recycled, take precautions so that the same information does not reach other people: shred paper before sending it for recycling, and wipe or physically destroy storage media before they leave your control.
Compliance with laws, best practices and standards
Numerous compliance regulations, and security concerns wrapped around compliance, have emerged in almost every part of an organization. There are, for instance, compliance requirements relating to finance and health care; failing to meet them can lead to fines and jail sentences, so compliance must not be taken lightly. One example is the Sarbanes-Oxley Act, the Public Company Accounting Reform and Investor Protection Act of 2002, which creates compliance requirements on how an organization handles its finances and assets and keeps its books. Companies often find it a great challenge to maintain these accounting reforms and make sure investors are protected.
In the health care sector there is the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for storing patients' health information, using it, and transmitting it across networks.
Failing to comply with these standards brings hefty penalties such as fines and jail sentences; the size of the penalty depends on the offence committed and its severity. It is therefore very important that a company demonstrates full compliance with these standards.
As the security professional, keep in mind every activity you undertake internally and its effect on compliance with the applicable standards and requirements.
User habits
Users often have bad security habits, and it is your responsibility as the security professional to make them aware of what is happening in the company and to ensure that employees follow appropriate habits:
Password behaviours: It is common to find sticky notes on monitors displaying passwords and other identifying information. Such behaviour should be strongly discouraged, and it is your responsibility to explain why it is inappropriate.
Data handling: Data handling, and particularly data storage, is another important area. If you store data on the network, do not put it in a public folder where anyone on the network can read it. Set up restricted folders with different rights and permissions for different end users in the organization.
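As an added example (not from the original article), the following Python script audits a shared folder tree for files and directories whose permissions grant access to everyone on the system, then strips those "other" permission bits so that only the owner and group retain access. The folder layout, file names and contents are constructed for the demonstration, and the script uses POSIX permission bits; it does not understand Windows or SMB share ACLs.

```python
"""Find and fix world-accessible entries under a shared folder.

Added example for the "data handling" point: a file dropped in a folder that
everyone can read is the mistake this script detects.  The sample share built
by build_demo_share() is constructed for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that grant read, write or execute to "other", i.e. to everyone.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def find_world_accessible(root):
    """Return sorted (relative path, octal mode) pairs for every file or
    directory under root whose mode grants any permission to 'other'."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            mode = entry.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are meaningless; its target is checked separately
            if mode & WORLD_BITS:
                findings.append((str(entry.relative_to(root)), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def restrict_to_owner_group(root):
    """Clear the 'other' bits on every flagged entry, leaving owner and
    group permissions untouched.  Returns the number of entries changed."""
    changed = 0
    for rel, _ in find_world_accessible(root):
        entry = Path(root) / rel
        current = stat.S_IMODE(entry.lstat().st_mode)
        entry.chmod(current & ~WORLD_BITS)
        changed += 1
    return changed


def build_demo_share():
    """Constructed sample share: an HR folder restricted to its group, and a
    payroll export that someone copied into a world-readable 'public' folder."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    hr = root / "hr"
    hr.mkdir()
    hr.chmod(0o750)
    salaries = hr / "salaries.csv"
    salaries.write_text("alice,50000\n")   # constructed content
    salaries.chmod(0o640)
    public = root / "public"
    public.mkdir()
    public.chmod(0o755)
    leak = public / "payroll-export.csv"
    leak.write_text("bob,42000\n")         # constructed content
    leak.chmod(0o644)
    return str(root)


if __name__ == "__main__":
    share = build_demo_share()
    for rel, mode in find_world_accessible(share):
        print(f"world-accessible: {rel} ({mode})")
    print(f"fixed {restrict_to_owner_group(share)} entries")
    print(f"remaining: {find_world_accessible(share)}")
```

Run against the constructed share, the audit reports the "public" folder and the payroll export inside it, and the fix leaves the HR folder untouched because it never granted anything to "other". On a real file server you would run the audit in report-only mode first, since some folders (a drop box for incoming scans, say) are world-writable on purpose.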
Clean desk policies: A clean desk policy means that when you leave the office you leave no papers on your desk, and your computer is locked or shut down.
Prevent tailgating: Tailgating is when a person without authorization follows someone into a building, often with a pretext such as delivering doughnuts and sweets to the company. Do not let such people in easily: check for a company badge, have them sign in, and follow the standard procedure for entering the building.
Personally owned devices: Personally owned devices such as mobile phones, tablets and laptops are third-party devices that can carry private company information out of the company. Security policies should cover such devices so that they are managed properly.
New threats and new security trends/alerts
New viruses: End users also need to be conversant with threats such as viruses. As the security professional, keep users informed about the latest viruses, since handling such a menace alone is very difficult, and tell them about new tools for identifying and removing them.
Phishing attacks: Phishing attacks are traps used by hackers and cyber-criminals to obtain your information. For instance, you may be prompted to enter your credentials on a web page that looks like Facebook but actually hands them to a criminal. Before entering login credentials, make sure the page is legitimate and not one you reached from a link in an e-mail or an internet advertisement.
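The check described above can be partly automated. The following Python example (added here, not part of the original text) extracts the links from an HTML e-mail and flags the tell-tale signs of a phishing link: the visible text names one domain while the href goes to another, the host is a raw IP address, the host uses punycode (a possible look-alike domain), or the page is served over plain http. The sample message and every domain in it are constructed; the registrable-domain helper is a simplification that takes the last two labels rather than consulting the public suffix list.

```python
"""Flag phishing-style links in an HTML e-mail.

Added example for the phishing point above; not from the original text.
SAMPLE_EMAIL and every domain in it are constructed for the demonstration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a domain name in the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (facebook.com).
    Simplification (assumption); real tooling consults the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the reasons a link looks like a phish; an empty list means clean."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    elif url.scheme == "http":
        reasons.append("link uses plain http, credentials would travel unencrypted")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible look-alike domain")
    shown = DOMAIN_RE.search(text)
    if shown and host and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons


def scan_email(html):
    """Map each flagged href in the message to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample: three phishing links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account will be locked unless you verify it today.</p>
<a href="http://203.0.113.7/login">Sign in to Facebook</a><br>
<a href="https://www.facebook.com.evil-host.example/recover">facebook.com</a><br>
<a href="https://xn--fcebook-hwa.com/login">Log in</a><br>
<a href="https://www.facebook.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The second sample link is the classic trick the paragraph warns about: the real site's name appears as a subdomain, but the registrable domain, the only part that decides where the browser actually goes, is the attacker's. The checks are heuristics for user training and mail-gateway triage, not a substitute for the user verifying the address bar before typing a password.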
Zero-day exploits: A zero-day attack exploits a vulnerability in a piece of software for which the vendor has not yet released a patch, and cyber-criminals use such attacks to access information on your computer. Apply the vendor's security patch as soon as it becomes available; until then, the only defences are other layers, such as limiting the software's exposure to untrusted input.
Use of social networking and P2P
Social networking and peer-to-peer networking can cripple an organization and make its private information easily accessible. Installing peer-to-peer software turns every computer into a server and can expose all of its content. Be careful, too, about whom you trust in your social network.
Follow up and gather training metrics to validate compliance and security posture
Once you have drawn up and enacted the security policies, it is your responsibility to follow up closely: check that the policies are being complied with, and gather metrics such as training attendance and the results of awareness exercises. Only with that evidence can you claim success in implementing the policies.
In general, security matters must be treated with the highest seriousness. There should also be penalties for people who breach the security policies. By adhering to these rules you can avoid some security threats and be prepared if one does occur.