In order to create and foster a security conscious culture within our organizations, it is essential that we first lay the foundation on which to build. Just as we would not build a house or a building without a solid foundation to place the remaining structure on, we shouldn’t try to create a security culture without first laying that foundation. For some organizations that foundation may already be built; for many organizations it is not. So, what is this foundation I am talking about? I am talking about a security strategy. The organization must first and foremost develop its overall security strategy before we can start building its security culture. This includes creating and implementing security policies, procedures, and guidelines that are aligned with industry best practices and that adhere to any pertinent laws and regulations. It is this overall strategy that ultimately depicts our intended security culture, and it is the responsibility of the Security Awareness or Security Culture Program to help grow or foster that intended culture. A well-developed security strategy will have produced two documents that are key when it comes to security culture: the organization’s Information Security Plan and the Acceptable or Authorized Use Policy. The first outlines the organization’s approach to Information Security, while the second provides a regulatory framework for acceptable and unacceptable behavior. Let’s take a look at both documents to better understand their purpose and how they contribute to the foundation that is so necessary for creating a security culture.
The first document is the Information Security Plan. As mentioned, this document outlines the organization’s approach to Information Security and as such provides insight into the organization’s security strategy. A good plan should outline what it is that we are trying to protect, why we are protecting it, and how we plan on protecting it. It may be clear to the organization’s staff without much explanation why we are protecting our information assets, but it may be less clear to them what those assets are and how we plan on protecting them. The latter depends on the type of organization and on what laws and regulations the organization must comply with. For example, private organizations may choose to voluntarily align their security strategy with ISACA’s COBIT framework or with international standards such as the ISO/IEC 27000 series from the International Organization for Standardization and the International Electrotechnical Commission. For many organizations the choice is not voluntary. If you are in the health care industry, your organization will have to comply with the Health Insurance Portability and Accountability Act (HIPAA); if you are a publicly traded company, you will have to comply with the Sarbanes-Oxley Act (SOX); if your organization accepts credit card payments, you will have to comply with the Payment Card Industry Data Security Standard (PCI-DSS); if your organization offers financial products and services, you will need to comply with the Gramm-Leach-Bliley Act (GLBA); and if you are a federal agency, you will have to comply with the Federal Information Security Management Act (FISMA). All of these outline required security controls, and all contain requirements for Security Awareness training. The Information Security Plan should also define the authoritative security policies that govern the organization.
The Authorized Use Policy is definitely one, which we will discuss further, but your collection of policies may also include policies on access control, information classification, backup and recovery, data transfers or file exchange, and others. Key to this component is to assign an owner to each policy. These owners become responsible for the periodic review and maintenance of their respective policies, which ensures that your policies don’t go stale. Lastly, the Information Security Plan should define and include a list of the various security roles and responsibilities within the organization. All of your employees have, to some degree, a responsibility to ensure that the organization stays secure. Some employees might have special security roles and responsibilities, such as evaluating risks, accepting residual risks, or even delivering Security Awareness or Security Culture training. But all of your employees have, at minimum, a responsibility to be familiar with the organization’s security policies that are relevant to their role, a responsibility to comply with those policies, and most certainly a responsibility to report security incidents and weaknesses.
The second document that is key to Security Culture is the Acceptable or Authorized Use Policy. As mentioned, this document provides a regulatory framework for acceptable and unacceptable behavior and as such outlines what your employees are allowed to do and what they are not allowed to do when using your organization’s electronic resources. In other words, the Authorized Use Policy helps identify desired behaviors, which we want to reinforce as part of a Security Culture Program, and it helps identify undesirable behaviors, which we want the Security Culture Program to help mitigate.
Both of these documents contribute greatly to defining the overall security strategy of the organization and depict the organization’s intended security culture. It is this overall security strategy that decides whether the organization wants a relaxed security culture or a highly secure and structured culture. For example, an organization that has not aligned its security program with a security framework will likely want a more relaxed security culture; an organization that has aligned its security program with a security framework such as the ISO/IEC 27001 standard will want a more secure and structured security culture; and an organization that has aligned its security program with a security framework and must also comply with a set of laws and regulations such as HIPAA or PCI-DSS will likely want a highly secure and structured security culture. Whatever the organization’s intentions are, it is by way of a Security Culture Program that the intention is delivered to the members of the organization, with the goal of creating and fostering that intended or desired security culture.
With the foundation in place, you may now begin the journey of building your Security Culture. To help with this you can look to the Security Awareness Cycle. Building a Security Culture within your organization can be a challenging task, but with the right foundation and the right process methodology to help you along, you’ll be equipped with the tools you need.
The next article in the series is The Security Awareness Cycle.
Tom Mannerud is an Information Technology Manager, Security Researcher, and Educator living in beautiful Tampa, Florida. He has held a wide variety of IT management and security leadership roles for global organizations and has experience both leading and working with multi-national teams both on land and at sea. He holds a Master of Science in Information Security and Assurance and is a GIAC Certified ISO-27000 Specialist from SANS. Tom is also a member of the FBI InfraGard and the Information Systems Security Association.