
The Human Element of Compliance
Author: Fran Howarth, Bloor Research | Published: 22 December 2009

The importance of employee education for achieving compliance

Given the importance of data to organisations today, organisations must do all that they can to ensure that the sensitive data that they collect, process and store is kept private and secure. There are a wide variety of tools that can aid in data security and in regulatory compliance, such as with data protection mandates.

But business is all about people, process and technology, and the three factors should not be considered in isolation. Of particular importance is that employees be educated in the processes that they are expected to follow and the security standards that they must adhere to according to the policies set. In today's highly regulated environment, technology tools are available that can automate many of the tasks involved in developing, communicating and enforcing policies to achieve compliance, including the essential task of providing employees with the training and education that is required. Through automation, the cost of providing such training can be reduced considerably and an organisation will be better placed to ensure that all of its employees comply with the demands of the regulations that they face.

Awareness of risks essential for achieving data security

As Howard Schmidt, president of the Information Security Forum, recently remarked, “Data is the gold, silver and diamonds of the modern world and should be given the same level of protection.” However, he then added that “Many businesses, governments and individuals are still unclear of the value of data and where it resides, and who has ownership is even less clear.”

Few organisations will have ever undertaken an exercise to ascertain the value of the data that they produce but, given today's regulatory pressures and the monetary value placed on data by criminals, we are all aware that there is a certain level of risk if data is lost, damaged or stolen.

Because of this, organisations deploy any number of technology controls and processes to safeguard information, yet many still overlook one essential element: the security risk posed by people. Security training is not widespread.

"Implement a formal security awareness programme to make all employees aware of the importance of cardholder data security."

PCI Data Security Standards 12.6

Computer science courses are only just beginning to include an element of security and even less attention has been paid to the general public—many of whom are employees of organisations. This is now changing with security initiatives such as getsafeonline.org, but security needs to be a core element of business education. According to the European Network and Information Security Agency, "Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks."

As well as technology tools and security processes, most organisations put in place policies governing the actions that are expected of employees. Such policies are key enablers of the business and should guide efficient and secure working practices. For security, policies contain critical provisions, such as the duty of employees to keep customer and other personally identifiable information confidential. They will also take into account the provisions of the regulations and industry standards to which the organisation must adhere.

However, it is one thing to put policies in place; it is another to enforce them. In order to ensure that policies are adhered to, two essential elements are required: communication and awareness. In today's highly regulated world, organisations are responsible for ensuring that their employees are educated on information security policies and that management monitors and supervises those employees in their compliance with policies and procedures. In fact, some regulations, including Sarbanes-Oxley and data protection acts, industry standards, including the Payment Card Industry Data Security Standard, and security frameworks such as ISO 27001/2 actually require that security awareness training be given to employees. However, whilst these regulations may mandate security awareness training, there are no formal requirements to ensure that the awareness and training are effective.


Automated tools reduce the burden of training

Given the importance of the information that is being protected via security policies, user awareness of those policies should not be left to chance. This is where automated tools come into play as an addition to training programmes. Such tools aid in the creation, review and publishing of policy documents, with the system being capable of sending out the resulting policy to all employees electronically and providing notifications for management and audit purposes when each user has read the policy. But that does not ensure that they have taken in and understood all elements of the policy and the behaviour that is expected of them. Many courts consider a clear, properly documented policy to be a binding, implied contract between an organisation and its employees and, as a result, a breach of that policy can be considered grounds for terminating an employee who fails to abide by its provisions. However, such decisions can be challenged by the dismissed employee, and those challenges may well be successful if the organisation cannot prove that it had not only clearly documented the policy, but had adequately informed the employee about the provisions of the policy and the consequences of violating it.

To ensure that users are adequately aware of the provisions of the policies set, user training is required. This can be done through the e-learning, testing and evaluation modules of policy compliance automation tools. Such tools use libraries of questions that aim to educate employees about the provisions set and the behaviour expected of them; these can be used to test their level of knowledge and to ascertain whether or not further awareness training is required. Users can take the courses and tests at times set by the organisation, or can complete them in their own time, with notifications sent to their managers when courses have been successfully completed. Automation of such tasks also allows an audit trail to be generated that can be used to prove that policies have been adequately communicated and that users understand their provisions.


The benefits of automation

The benefits of using automated tools for policy management and user training are many. Organisations can prove through audit that all employees have read and understood policies, and that they therefore understand the requirements of their role. With a greater awareness of the security issues facing them and the behaviour that is required to meet regulatory requirements regarding security, the likelihood of incidents and security breaches will be reduced. For example, if the policy states that all data on removable media must be encrypted, the likelihood of a data breach occurring should the device be lost or stolen will be reduced considerably.

By providing training as part of an automated process, the costs of providing ad hoc training will also be reduced. According to SAI Global, a risk management organisation, online training costs around ten times less than training conducted offline. It also has the potential to provide significant cost benefits in terms of reducing security incidents and of clearing up after them, because fewer incidents are likely to occur. But it still remains an area in which organisations are not investing enough. The 2009 CSI Computer Crime and Security Survey, published recently, found that 54.9% of respondents feel that the end-user security awareness training that they provide is insufficient. As a result, 46.1% stated that providing extra security awareness training was one of the main actions taken following a security incident, second only to patching applications and systems. To achieve higher levels of security, training should be provided as part of any regulatory compliance and policy enforcement programme and should be considered an integral part of any risk management and business protection strategy.
