How Users Can Play an Active Role in Security

During World War II, the United States was worried about German spies

obtaining details about shipping routes and schedules to Europe. That’s

when they came up with the security awareness campaign — ”Loose Lips

May Sink Ship”.

It was both a dramatic illustration and held an obvious truth: If you

don’t watch what you say, unintended people may pick up on the discussion

and take advantage of it — maliciously.

I thought of the saying after listening to a very loud person — a senior

executive, I am pretty sure — discuss his business plans with an

associate. Given how he projected his voice when he talked, a person two

rooms down could have listened in, as well, while he discussed what firm

was failing, who they planned to acquire and so on.

In our rush to implement technical solutions for security, it’s

imperative not to forget the role of users and the responsibilities that

go along with it.

There are two parts to this. First, users need to understand their role

in security. Secondly, there must be an on-going awareness campaign.

Responsibility

Employees must understand that in order to have an effective internal

control environment and security, they must play an active role. The

formal responsibility and any specifics need to be outlined in each job

description. The phrase ”responsible for adhering to corporate policies

and procedures” is an important addition. This way the policy and

procedure documentation can be updated and the job descriptions left

alone. The employee should sign and date the form attesting to his/her

understanding of the position and compliance with the requirements.

The next step is to cover the policies and procedures during new hire

training.

Formal classes should cover what processes and controls are relevant and

then the employee should date and sign a statement noting that the

classes were conducted and that he/she attended the training and

understood the material presented. Management should consider the use of

professional trainers to ensure that the lesson plans are correctly

assembled and communicated to maximize efficacy.

Annually, refresher training should be given. This is an ideal time to

cover any new changes to job descriptions, policies and procedures, etc.

The intent is to again formally go over what is expected, hear any

concerns and obtain signed and dated review forms.

Be prepared for questions and objections.

Inevitably, issues arise during these reviews. There needs to be a

defined process to discuss and resolve, when possible, disputes. Note

that standards cannot be infinitely flexible. In some cases, tough

decisions will be made as to whether to support a standard or the person

in question. Trying to do both constantly, while giving concessions, will

make the standard collapse and send the wrong message.

Awareness

The intent of awareness programs is to keep responsibilities and issues

at the forefront of peoples’ minds. It is not a replacement for training

programs, but rather a supplement to training intended both to inform and

remind.

There are a great many ways to enhance awareness. The type of program

followed depends on company culture and resources — notably time and

money. In the same way defenses are layered, consider layering your

awareness programs to try and maximize their reach. Potential avenues

include: