such as HIPAA for health care and FISMA for federal civilian agencies. Industry standards include:

• NIST SP 800-12 and SP 800-50 to develop a SETA program
• ISO 27002 to determine best practices
• SSE-CMM to develop quality, repeatable results
8.7.3 SETA Deployment
Security awareness deployment is part of a larger SETA deployment effort. Security education provides insight into the whys of security; security training provides the how-to skills of security; security awareness is information about security. Security awareness is critical for all personnel that lack a basic understanding of security. For the initiated, it may take their awareness to a new level; it will at least reinforce an awareness that turns “recognition of events that could indicate a security incident into reflex.”
8.7.4 Commentary
Although the Employee Security Awareness Evaluation is an excellent part of the overall vulnerability assessment process, it will fall short without an in-depth assessment of the social and individual psychology that results in a focused IA policy dissemination campaign. Section 8.6.2 offers insight into a more in-depth, focused approach to achieve security understanding and compliance.
Now that employees are aware of the policies and know where to get them, do they understand them? How do you promote understanding? Understanding is the goal of the training program, that is, conveying the message so that the employee gets it. Given that the employee is now aware, possesses a copy, and understands the policy, there remains the need to ensure he actually complies with it. Conveying compliance expectations is part of policy, including very clear sanction policies for noncompliance. Monitoring and tracking addresses the occurrence and effectiveness of the IA solutions with respect to the business and technology drivers behind them.
8.7.5 Effectiveness Metrics (Tracking)

Compliance verification ensures the IA solutions work as intended and as prescribed in the compliance requirements documents. The IA² Framework includes filtering
Paraphrased from Trygstad, Ray, Security Policy, Illinois Institute of Technology, p. 50.
Randolph, K., Warshawsky, Gale, and Numkin, Louis, Security Awareness, p. 2.