Do you have a formal plan for educating employees about ongoing IBM i and IT security threats?
This article is excerpted from IBM i Security Administration and Compliance: Second Edition, chapter 20.
A security awareness program is an official or recognized project, typically under the “jurisdiction” of the Chief Security Officer (CSO), that is created for the purpose of educating individuals such as the organization’s employees, contractors, vendors, and volunteers about the organization’s security policies. The education should explain how the policies relate to each individual, and it should be performed on an ongoing basis.
A security awareness program is a requirement of many laws and regulations. But, beyond that, it simply makes good business sense to develop a security awareness program. By training your organization, you are mobilizing your entire workforce to help fight the security compliance battle and help you wage the war against inappropriate use of data.
Security awareness training typically starts the day an employee is hired, a contractor begins a project, or a volunteer starts. This is when the employee portion of your organization’s security policy is explained and the person is required to read and sign it, acknowledging that he or she understands its contents and meaning. Although many organizations take advantage of this initial opportunity, that’s often where the security awareness training stops. Everyone in the organization needs to develop a security “lifestyle.” To ensure that this happens, security awareness training should take place on a regular basis, so that people receive periodic reminders of the organization’s security requirements. They should also receive the appropriate training if they change positions and the requirements of the new position differ from the previous one.
Another reason for ongoing education is because new threats arise, and new technology is developed. For example, when you first started working with email, did you have to worry about users downloading and subsequently leaving unencrypted confidential or private information on their mobile devices? Did you have to concern yourself with whether people were blogging during work hours or inappropriately posting statements as representatives of the organization? Without an ongoing security awareness program, you have no effective way of communicating the requirements of new or updated policies.
Another reason for periodic education is to update those in the organization about new or changed laws or regulations that affect the organization. For example, California expanded its breach notification law to include the loss of email addresses if the data lost also contains the answers to the security questions that are asked when someone loses their password. Privacy laws in Europe are becoming more restrictive in regard to the use of peoples’ private data, how long it can be retained, and the purpose of retaining the data. The expansion of laws and regulations may be known to your compliance team, but unless the rest of the organization is educated, it’s very easy for an organization to unknowingly be out of compliance. Educating your workforce is key in helping detect fraud and other situations that can damage or otherwise put your organization out of compliance.
What Method Do I Use to Communicate?
Because we don’t all learn in the same way, your security awareness program should include all types of learning. Giving security awareness training and tips using audio, graphics, and text will provide opportunities for everyone to absorb the information.
I’ve seen some of our clients use posters to communicate a “security slogan” of the month. The posters are often of high quality, featuring professional-looking images that capture the eye and draw you into the message. Other clients have used a lighter approach; their posters feature a cartoon conveying the message of the month through humor. In both cases, the companies obviously know their “audience” and the type of messaging their workforce responds to. Because messages get stale and people start to ignore them, most organizations change their security message about once a month.
For the technology learner, you can have short YouTube videos that illustrate the security tip or message. This method works well in the high-tech industry and any organization that hires Millennials. For more “traditional” or staid organizations, provide material for managers to present at their next department or team meeting.
As for the folks who read everything that comes their way, you can send out a monthly newsletter. Another approach is to change the network or IBM i sign-on screen to reflect the current month’s security emphasis.
Finally, it’s a good practice to have each employee annually review and re-sign the employee security policy. To accomplish this, some organizations use a secure website on their intranet where employees can read the policy and then digitally sign to indicate that the policy was reviewed. I’ve also seen organizations require management to present the policy to each employee individually or to the entire department during an in-person or online department meeting. Regardless of the method, I highly recommend that you obtain some type of proof indicating that employees received the education and understand the updates and new requirements.
Getting Started with Security Awareness
If you need help getting your security awareness program started, look to the Internet for help. There are companies that provide security awareness training packages—videos, posters, newsletters, monthly security themes, and so on. In addition, organizations that focus on training for security professionals often have online security awareness training courses that you can buy. Both provide good places to start.
Whether you use one of these resources or create your own program, I encourage you to make your training “real.” Provide scenarios that are meaningful to your organization, so that the workforce can more easily relate to the concepts being explained. In addition, make sure you provide the right training for your audience. Talking about data classification and proper disposal of media containing private data will make the manufacturing worker’s eyes glaze over! However, such employees do need to understand that the proper use of social media—that is, whether they can post comments about the company, watch YouTube videos or play online games during work hours, and so on.
In addition to addressing topics that the entire organization will benefit from, it’s important not to ignore the education aspects that should be targeted to a specific audience. For example, I believe it’s vital to educate programmers and developers about the current and upcoming laws and regulations that affect your organization’s data. Engaging these individuals as soon as you’re aware of a new compliance requirement lets them better plan for application changes. In addition, if you see trends—such as the potential for healthcare information to be encrypted—you should warn them that this requirement might be coming. When equipped with this type of information, your programmers and developers can design their architecture to accommodate the requirement should it become law. In addition, engaging them early has the potential to make them feel as if they are part of the information security team rather than having requirements foisted upon them without any input or warning. Most programmers have no interest in security—they feel it’s an impediment to getting their work done. So the sooner you can engage them, the more successful the project will be.
Carol Woodbury is President and CTO of DXR Security and has over 30 years’ experience with IBM i Security. She started her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies – SkyView Partners and DXR Security. Her current company - DXR Security - specializes in penetration testing for IBM i. Her practical experience together with her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.
Carol is known world-wide as an author and award-winning speaker on security technology, specializing in IBM i Security topics. She has written seven books on IBM i Security. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.
MC Press books written by Carol Woodbury available now on the MC Press Bookstore.
 |
||
 |
|
IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
|
 |
|
IBM i Security Administration and Compliance: Second Edition Get the must-have guide by the industry’s #1 security authority. List Price $71.95 Now On Sale
|
|
||
 |
|
IBM i Security Administration and Compliance For beginners to veterans, this is the definitive security resource. List Price $69.95
Now On Sale
|
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online