Security Awareness
- ali@fuzzywireless.com
- Mar 4, 2022
- 2 min read
Security awareness and employee engagement are required for a successful implementation of an enterprise security plan (Michigan Technological University, 2011). Employees are often called the weakest link in an organization's security, which is why it is important to train them in such a way that they truly understand the security risks, threats and vulnerabilities associated with information and information systems on a day-to-day basis (Michigan Technological University, 2011). Resource constraints such as time, budget, training material and the lack of a dedicated security organization usually hamper the success of a security plan, which is why executive-level commitment to the plan's implementation is needed from day one. Training is an important way to educate employees and raise awareness of the security policy; mandatory, time-bound training with a short test or quiz at the end helps reinforce the importance of information security in the minds of all employees. Both in-person and virtual security training improve the posture of enterprise information security. Completion of this training needs to be tracked as part of each employee's annual performance assessment, which ensures full commitment and understanding. In the event of a security plan violation, the employee is subject to strict action, including possible dismissal (State of Minnesota – Office of Enterprise Technology, 2010).
Besides the mandatory training, an annual cyber security awareness month helps engage employees in the common business goal of improved security and reduced risk (Michigan Technological University, 2011). Another popular method is to set up annual hackathons in which employees as well as external experts participate to find holes in the security of the enterprise information architecture. A weekly email from the CSO organization to all employees sharing the latest stories, practices, breaches and incidents helps employees understand the enterprise security plan.
With regard to the information security program, risk assessment is the initial step, identifying potential risks, threats and vulnerabilities; it is followed by internal, preventive, detective and corrective controls enforced by the formalized information security organization (State of Minnesota – Office of Enterprise Technology, 2010). Clear roles and responsibilities make sure that owners are accountable. Key elements of a robust security organization structure include proper reporting lines, explicit security roles and responsibilities, a security steering committee, executive-level involvement to demonstrate commitment to enterprise information security, coordination of information security activities across the different departments of an enterprise, and contacts with appropriate authorities (ProServeIT, 2017).
References:
State of Minnesota – Office of Enterprise Technology (2010). Enterprise Security Tactical Plan. Retrieved from https://mn.gov/mnit/images/Enterprise_Security_Tactical_Plan.pdf
Michigan Technological University (2011). Information Security Plan. Retrieved from https://www.mtu.edu/it/security/policies-procedures-guidelines/information-security-plan.pdf
ProServeIT (2017). 5 Tips to Build a Comprehensive Information Security Plan. Retrieved from http://www.proserveit.com/5-tips-information-security-plan/