Implementing a Security-Awareness Program
There are various ways to promote a secure IT environment.
One of the best practices in the IT world that hasn’t received the attention it deserves is the requirement for organizations to have a security-awareness program. Not only is it good business practice to ensure all employees are regularly updated and kept aware of the importance of security, but it’s also a compliance requirement. Regulations such as the Payment Card Industry’s Data Security Standard and laws such as HIPAA and the Massachusetts law (201 CMR 17.00) for protecting personal information all require security-awareness training. What does this mean in practice? None of the aforementioned mandates provides details, so you have some leeway. Here are some suggestions for implementing a security-awareness program.
The first key to creating an effective security-awareness program is to understand why it’s important. In addition to being in compliance with laws and regulations, think about how much more effective the efforts to secure the organization’s data will be if the entire workforce is contributing. I believe much data is exposed simply because of employee ignorance.
Topics for Education
You can use several methods and topics to educate your employees. Perhaps the most common are department or team meetings. Keep in mind not all topics should be discussed with all employees. If your topics aren’t appropriate for the audience, you risk having them think that no aspect of security pertains to them. Here are a few topics to consider:
Employee security policy: Many organizations require each employee, contractor and vendor to annually review the employee portion of the company’s security policy. This presents a great opportunity to remind everyone: