S 2.198 Making staff aware of IT security issues

Initiation responsibility: IT Security Management Team

Implementation responsibility: IT Security Management Team, IT support

Experience shows over and over again that a large proportion of security incidents relating to the use of IT facilities are caused not by outsiders but are the result of inappropriate conduct by an organisation's own staff. Improvement of employees' knowledge of IT security and giving greater responsibility to each IT user can be a particularly effective and relatively inexpensive way of increasing the level of IT security. Again, if security-relevant incidents are to be detected promptly as such, it is important that knowledge of IT security is good. All staff should have an adequate knowledge and understanding of IT security matters and be aware of the risks which exist in their everyday use of IT. This objective can be achieved through a combination of an IT security training concept (see S 2.197 Drawing up a training concept for IT security) and repeated sessions given by those responsible for IT security, line managers and colleagues aimed at raising the awareness of IT security issues of all staff.

IT security awareness training should be geared towards the objectives contained in the Information Security Policy. All members of staff must be made aware that adherence to the security objectives, the conscientious implementation of security measures and maintenance and enhancement of the security level achieved are basic duties they are expected to perform routinely within the company/agency.

Effective ways of making staff aware of IT security issues include:

• staff workshops on the subject "What part does IT security play in our work?

• times at which the IT Security Officer is available for consultation,

• setting up a "security forum" on the Intranet,

• publication of "IT security reports" on the Intranet,

• visible promotion of IT security way of thinking by Management;

• placing information (from the press) on IT security incidents and approaches to solutions on noticeboards,

• placing specialist publications on IT security in a prominent place,

• discussions at the workplace and during work breaks on the subject of IT security.

To maximise acceptance of the IT security process of the whole, it can be a good idea to present the IT security awareness sessions as an informative, discussion among colleagues rather than in the form of authoritarian lectures. To this end it is very important that every employee has someone he can turn to close by without having to worry about loss of face. This is particularly important when it comes to reporting any security-relevant incidents that have been detected. It also means that any shortcomings in the security awareness of individual members of staff should not immediately lead to embarrassing reprimands but should be handled locally and with as little fuss as possible. Only if this approach repeatedly fails should further measures (including measures affecting staff) then be rigorously adopted.

It is critical to the acceptance and credibility of IT security awareness promotion measures that all those responsible for IT security and also Management act as role models as regards their own awareness and, especially, their own rigorous implementation of the security measures.

Additional controls:

• Are specialist publications on IT security available to those responsible for IT security and, if appropriate, to all staff?

• Are staff informed in a suitable form of IT security incidents which have occurred either within the organisation or which have become public knowledge, and are they told how to avoid them?

• Do generally accepted and used forums for in-house communication on IT security issues exist?

• Are those responsible for security sufficiently versed in the psychology of how to give motivating talks?