Tuesday, January 4, 2011

Seven Steps to Information Security Awareness

Are you maybe thinking about running a security awareness program but are not quite sure where to start? This article offers some pragmatic hints and tips on applying the seven key steps of a typical IT procurement process to the selection and launch of an awareness program, based on our experience of occasionally being the ‘driver’ of the process and often the ‘driven’.

1. Specify your requirements
The first step is to establish the need. Think carefully about what you are really trying to achieve through security awareness. Until your objectives are clear, you will have problems planning and organizing the awareness program, let alone evaluating and choosing the products and services you may need to deliver it.
Then ask yourself some rhetorical questions:

Do you have an information security awareness program already running, or is this an entirely new concept for the organization? If not information security, are there other awareness programs running that might act as role models?

Does/should the program involve awareness, training and education, or only one of these?

What topics does/should the program cover? Are other aspects of information security important to your organization? These are just a few of the questions to consider.

2. Prepare your plan and evaluate your checklist
Awareness programs do not run themselves, especially as many organizations start from a fairly negative position. It will take concerted effort to overcome that inertia, get the organization up to speed on information security, and then keep it rolling. In other words, you need to develop a plan to establish the program and then manage it on an ongoing basis in order to deliver the projected benefits.

If you have a lot of ground to cover (e.g. “the whole of information security”!), we would recommend planning to cover it in discrete sections or chunks spread out over time, and wherever possible framing those chunks in terms that make sense to your target audience/s. Take, for example, the virus problem: anyone who uses an IT system should have a basic understanding of viruses. In explaining about viruses, you may want to mention issues such as configuration management, network/systems access and so on, but you need not go into depth on all of these at the same time. It’s perfectly acceptable to say “We will tell you more about this later” or even “Call the Help Desk or the Information Security Manager for more information”. That way you can maintain a focus on the key messages without overloading people.

An ideal way of crystallizing your thoughts from step 1 above, in parallel with developing your plan and addressing every part of your mind-map, is to prepare a product evaluation checklist containing:

Rows for each of the criteria that are important to you;
Columns for the criteria and their weightings (e.g. 3 = essential, 2 = important, 1 = nice-to-have), and then further columns for comments and scores against each of the products you are evaluating.

As you work through the checklist, you will in effect be defining and refining your requirements for the program, making it easier to develop the associated plan. That’s why we treat these two activities as one step.

3. Secure funding and management support
Getting your senior management on board with the whole idea of an awareness campaign is, I humbly suggest, by far the most important thing you can achieve in the next few months and will pay big dividends in the long run. How you actually achieve this is down to you.

Depending on the corporation, you may or may not need to make a strong financial case for the investment - some senior managers respond better to gut feel than raw numbers. Work with your CIO or IT Director, for sure, and ideally other influential managers who have an interest in seeing the awareness program succeed. You will often find friends in functions such as Internal Audit, Regulatory Compliance, Facilities, Legal, Risk Management, HR and Finance. Time spent privately and patiently explaining your plans to these key stakeholders will help (a) refine your plan; (b) identify any concerns; (c) deflect criticism and (d) line them up to support your program openly, especially during the early phases of the delivery. This is YOUR investment in the awareness program!

By the way, it’s often worthwhile getting explicit management support for information security during this process, meaning at least one quote from a senior manager which unequivocally mandates compliance. You may need to draft the actual statement for the CEO but her signature on the bottom will add weight to your awareness program way beyond its apparent value. Believe me, clout works!

During step 3, do not be afraid to continue refining your plan and requirements. All the time, you are thinking about it and learning about the possibilities. Don’t waste that brain energy!

4. Identify and shortlist possible solutions

Now you are in a good position to go looking for what you might need. Start by looking within your own organization for suitable resources, for example in your IT, HR, Internal/Corporate Communications and Training and Development functions. Take advice from colleagues running other internal awareness/training/educational programs (such as Health and Safety or IT training). Simply asking your colleagues for advice is worthwhile as it may help get their support for delivering the program later on, whereas not asking them may inadvertently set them against it.

Now go through your list of internal and external resources and home in on those parts which you think may suit your needs. By all means discard the others, but be careful - it is easy to overlook useful resources that are badly marketed, incompletely described or simply unknown (often because they are new). If you have the time and energy, it may be safer to shortlist most if not all potential suppliers at this stage and trim the list later. There is no harm in contacting companies for initial information at this stage, but be wary of overt sales pitches: the next step works best if you approach it objectively on your terms, not theirs.

5. Evaluate potential solutions
For commercial offerings, this is the conventional tendering sub-process:

You prepare a formal Request For Proposals containing your requirements derived from your dreaming, planning and evaluation criteria (which you probably do not want to disclose to the bidders);

Your Procurement people should be falling over themselves to help you with the tendering process, especially if there are substantial sums of money involved. They will want to ensure that the process is fair, objective and entirely above-board. This is their profession: take their advice!

For in-house and free offerings, the shortlisting, evaluation and assessment process is similar. It is entirely possible that you may wish to take advantage of commercial and free awareness materials, for example, and combine them with internal resources. It’s your choice.

6. Select and procure chosen solutions

The end result of step 5 is usually but not always a single winning bidder. Sometimes you may have selected different bidders for separate parts of your requirement, sometimes you will have been unable to decide between a few bidders. Step 6 generally involves a bit of negotiation with the suppliers, perhaps some clarification of the price, the terms of the offer, and another hard look at what they offered. Finally you make the decision, prepare a Purchase Order and move on. This is known as doing the business.

Time for a brief comment from the other side of the fence: please try to make the time to contact each of the failed bidders to let them know why they were not selected, or at least invite them to ask for more information. Preparing a formal proposal involves an intensive effort on their part. If you feel certain aspects let them down, letting them know about it helps them do better next time, assuming they are open to criticism. [If they don’t even want to hear from you, you know you made the right decision!]

7. Implement and launch the awareness program

Let the fun commence! Whilst the previous six steps may seem like a rather bureaucratic and pointless diversion, you may well find the opposite in practice. Just as with a software development project, time spent deciding the requirements, designing the solution and testing the system pays off in the end with a smoother and more effective implementation.

You have a well-written plan, the management support and the necessary resources to deliver it. Now is the time to call on your internal colleagues and chosen suppliers to build and deliver the awareness program of your dreams.

In this article, I have given a flavor of what is normally involved in launching a structured security awareness program.
