The first line of defense for an enterprise is its employees: Their actions and inactions can lead either to an effective defense or huge vulnerabilities of which attackers can take advantage. This includes protection not only from threats such as email malware, but can also provide assurance that the company remains compliant with industry standards such as HIPAA, PCI DSS and NERC CIP.
With this philosophy in mind, I have always been keen on employee training and frequent engagement. So, here are some examples of how to enlist the first line of defense to enhance compliance and cut down on an overworked security team's duties.
New employee orientation
First impressions always count, especially when a new employee arrives at the company. This is the time to let the employee know about the corporate expectations for information security and appropriate use of technology. During these sessions it's helpful to have a message from the chief executive to the employees explaining the important role they play in the security of the company. This can be a video recording or streaming video, but, of course, a face-to-face talk from the CEO in this regard would be preferred.
In addition to the CEO's message, the CISO should articulate the particular security requirements the employees are expected to follow. As such, the presentation should include the following:
- Summary of external laws and regulations driving information and physical security requirements. For example, this would include HIPAA for medical facilities, Sarbanes-Oxley for publicly traded companies, Payment Card Industry Data Security Standard (PCI DSS) for credit card-handling organizations, and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for utilities.
- Detailed review of the appropriate use policy. An emphasis on email and Internet use is critical to ensure employees don't wander off to gambling or social networking sites if they are prohibited by corporate rules.
- Review of expectations for use of access badges. These expectations could include mandates such as not lending badges to other employees.
- Explanation of who to call if their badge, laptop or cell phone/smartphone goes missing.
At the end of these sessions it is advised to give each employee a copy of the corporate appropriate-use procedure, along with a signature receipt page where the employee must sign off that he or she now has a copy of the procedure. This signature could be especially useful later on if an employee violates an appropriate-use procedure and claims ignorance of the requirements.
'Brown bag' training sessions, aka Lunch & Learn
One approach to training employees on good security practices that are both low-cost and engaging is through "brown bag" or "Lunch and Learn" sessions. To boost attendance, these gatherings should work on the "What's in it for me?" principle. Essentially, this is a bit of a marketing technique: The lunchtime training sessions should focus on subjects the employees may find useful.
For example, training might focus on home computer security. The guidelines discussed would still essentially be those of the appropriate-use policy, but with the intent of teaching employees how to protect themselves and their home computers. Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment.
Executive training or communications
Executives are users too, and keeping those individuals, such as the CIO, CFO, treasurer, business unit executives, etc., informed on contemporary security issues is also essential; it can be an effective way to make them aware of data security and head off compliance issues , and it doesn't take much time.
For instance, perhaps there has been a major information security event noted in the news (e.g., the TJX Companies Inc. or Heartland Payment Systems Inc. breaches, or a local company that loses a laptop with large quantities of personnel information on it). These are opportunities to meet with the executives and provide a 10-15 minute briefing on the event. If executives don't have time for a briefing, then write a short –- one page or less -- white paper summarizing the event and send it to them.
For these briefings or white papers, here are some key points to include:
- Brief summary of the event.
- Short explanation of why the same event could or couldn't happen at your company.
- A list of protections that are in place to prevent such an event from occurring or an explanation of how a similar event at your company could be prevented by implementing changes to a current policy or practice.
- An offer to provide the executives with more details or a personalized briefing on the event if they would like.
Running information security training exercises every six months or so can be fun and quite rewarding if done well. For instance, a past practice I have done with some success is to establish a scenario with a sequenced PowerPoint presentation where I would have photos of the event in progress for the employees to view. In one case I ran an exercise where a server failed, and, as the employees troubleshot the event, they found that the server failed in part due to an employee falling off of a ladder and ripping cables out of the servers and rack-mounted equipment. So, the slide deck showed different photos or diagrams for each sequence of the troubleshooting and diagnosis.
The idea behind these exercises is to get everyone's ideas on how to make current processes better and more useful should real events like this occur. The exercises are also more holistic and include non-information security issues, too.
Focused work groups
During the early days of PCI DSS at one of my employers, it was obvious that our security posture for handling credit cards was less than optimal. Rather than do a massive broadcast to the employees on the issue and begin expensive corrective actions, I instead began work on the issue by forming a PCI DSS committee, which included the affected managers and employees. We met weekly, and, with each session, there was a training briefing on particular elements of the PCI DSS "Dirty Dozen" (or, the 12 requirements of PCI DSS) and then a discussion on particular actions that needed to be taken to ensure compliance.
Creating a work group can be helpful in that it both engages employees to help solve corporate problems and relieves a stressed security team from feeling as though it bears the entire compliance burden.
The feedback from many of the committee members was that this approach was not only useful in terms of becoming compliant, but also made the crisis more understandable. Additionally, by training the committee on all parts of the PCI DSS, they could assist with enforcement of the regulation in other areas of the company, thereby freeing up more time for the security team to focus on other concerns.
You could also use this approach with HIPAA, SOX or NERC CIPs as a starter.
The underlying theme of these approaches is to educate and train at any opportunity. Recognize that the employees are critical to the successful defense of your company. Also recognize that they can be part of your security implementation program as well as part of your enforcement team, and you're well on your way to a more-compliant organization and a less-stressed security team.
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is the founder and owner of 443 Consulting, LLC, an enterprise focused on providing quality thought leadership in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, and research. Most recently, Ernie was Information Security Strategic Advisor in the Compliance Office at Seattle City Light.
This was first published in May 2010