The company had access to personal information. The CIO knew that banks were under federal regulation to protect this information and that meant making sure his company protected it too.
The CIO went to his internal audit group for assistance. The company did not have much of an information security program and he needed guidance. What he found was that internal audit had already received similar questionnaires from other clients. Worse, not knowing what to do with these questionnaires, audit had simply sat on them without alerting him or the company CEO.
The CIO immediately knew he had a big problem. Failure to complete these questionnaires — tools clients were using to evaluate a vendor’s risk — could easily lose these clients. Furthermore, reviewing the questionnaire made it clear to him that the company’s infosec activities were severely deficient. There had to be change.
Information security awareness is about changing behavior in an organization. It is not enough to make members aware of threats; they must also be motivated to build the behaviors that correct those threats into their regular routine.
What is striking from an awareness perspective is how effectively these questionnaires achieve exactly those goals.
In the above example, the questionnaires received by the marketing company gave the CIO three things: awareness of what clients needed and expected with regard to security; awareness that his company needed drastic improvement in this area; and the motivation to take corrective action, that is, to change behavior.
The questionnaire served as a roadmap that laid out in detail exactly what was needed to satisfy long-term expectations.
If you think about it, the assessment tool in itself arises from the bank’s desire to learn more about the vendors it hires. In essence it is trying to improve its own awareness with regard to how safe bank outsourcing activities are.
Consulting with others in IT security, we decided to leverage the self-assessment as a tool to improve awareness of, and compliance with, security policy among network staff. Beyond periodic audits on cross-sections of the network, it was not clear how knowledgeable staff were with regard to the full body of policy, or how consistently they were applying it to the devices they managed.
In our own organization, we distributed the tool in phases. In the first phase we targeted just administrators who managed SOX servers and applications as it fit in with the company’s overall Sarbanes-Oxley initiative. Eventually, every network administrator received a self-assessment that measured compliance with all policies covering the network.
The questionnaire was mapped to each individual policy, which was placed in the first column of the questionnaire. Each device that an administrator managed headed one of the columns that followed. For each policy the administrator had to answer yes or no in the appropriate cell, indicating whether that device complied with the policy. This made it relatively easy to measure compliance, as we just needed to flag all the no answers.
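To show how little tooling the matrix format above needs, here is an added example (not code from the article or its author) that reads a self-assessment laid out as described, policies down the first column and managed devices across the remaining columns, and flags every cell that is not a clear yes. The sample matrix, policy names and device names are constructed for illustration. One caveat a practitioner would want built in: a blank or unrecognised cell is reported as unanswered rather than silently counted as compliant, since an administrator skipping a question is itself a finding.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout described in the text: one row per policy,
# one column per device the administrator manages, yes/no in each cell.
# The blank cell in the last row stands for a question left unanswered.
SAMPLE_MATRIX = """\
policy,srv-fin-01,srv-fin-02,srv-hr-01
Accounts removed within 24h of termination,yes,yes,yes
Vendor patches applied within 30 days,yes,no,yes
Local admin group limited to named staff,no,no,yes
Audit logging forwarded to central collector,yes,,yes
"""

COMPLIANT = {"yes", "y"}
NONCOMPLIANT = {"no", "n"}


def parse_matrix(text):
    """Return (devices, rows); rows maps policy -> {device: raw answer}."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    devices = header[1:]
    rows = {}
    for record in reader:
        if not record or not record[0].strip():
            continue  # skip blank lines
        policy = record[0].strip()
        # Pad short rows so a missing trailing cell is treated as unanswered.
        answers = record[1:] + [""] * (len(devices) - (len(record) - 1))
        rows[policy] = dict(zip(devices, answers))
    return devices, rows


def find_gaps(text):
    """Flag every cell that is not an explicit yes.

    A 'no' is a known compliance gap. A blank or unrecognised answer is an
    open question, not evidence of compliance, so it is flagged as
    'unanswered'. Returns a list of (policy, device, status) tuples.
    """
    devices, rows = parse_matrix(text)
    gaps = []
    for policy, answers in rows.items():
        for device in devices:
            ans = answers.get(device, "").strip().lower()
            if ans in COMPLIANT:
                continue
            status = "no" if ans in NONCOMPLIANT else "unanswered"
            gaps.append((policy, device, status))
    return gaps


def summarize(text):
    """Count flagged cells per device and per policy to prioritise follow-up."""
    by_device = defaultdict(int)
    by_policy = defaultdict(int)
    for policy, device, _status in find_gaps(text):
        by_device[device] += 1
        by_policy[policy] += 1
    return dict(by_device), dict(by_policy)


if __name__ == "__main__":
    for policy, device, status in find_gaps(SAMPLE_MATRIX):
        print(f"{status:10} {device:12} {policy}")
    by_device, by_policy = summarize(SAMPLE_MATRIX)
    print("gaps per device:", by_device)
    print("gaps per policy:", by_policy)
```

The per-device totals tell you which administrator or host needs attention first; the per-policy totals show which policies are poorly understood across the board, which is the awareness signal the article is after.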
The results of the self-assessment were passed to IT audit, which used them to improve compliance prior to an upcoming external audit. While the self-assessment may originate with the infosec awareness group, down the road it is more appropriate for IT audit to become custodian of the data and oversee future self-assessment activity. The good news is that, as far as awareness is concerned, the learning effect will occur even if the awareness team detaches itself from the project completely. Now if we can only fool — err, convince IT audit to do all the work.
Richard Menta is information security awareness officer for a leading telecommunications company.