NIST SP 800-171 Framework Series: Awareness and Training


Part 2 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171

In nearly every data breach that occurs, there is a human failure somewhere in the chain of events. Human errors include mistakes like sending sensitive information to the wrong person, publishing private data to a public website, insecure disposal of sensitive information, or failing to comply with internal policies. Other incidents that are officially categorized as malware or hacking also often trace back to a human: someone failing to install updates or patches, making a programming error that allowed access into a network, or clicking a link in a phishing e-mail.

All staff members, employees, temporary employees, and third-party vendors and contractors with access to your environment should receive information security awareness training to help protect your organization from threats and safeguard your operations. Users are the single most important group who can directly impact the security of your environment by reducing errors and potential vulnerabilities. It is critical for you to educate your users so they are aware of actions they should or should not take to better protect sensitive information. But how do you implement an effective information security awareness program?

Below are some best practices for planning and implementing a program within your organization:

While training is a requirement in NIST SP 800-171, there are no prescriptive controls defined. Organizations can determine the appropriate level and methods for providing awareness training based on their specific business, the types of critical data that users have access to, and the information systems that staff are accessing. Consider referring to NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, for guidance on how to build an effective training program. This document will walk you through four critical steps, namely Program Design, Material Development, Program Implementation, and Post Implementation.

Program Design and Delivery:
Whether you are designing a new program, or updating your current one, you will want to be sure that the training addresses two basic questions:

  1. What behavior do we want to reinforce?
  2. What skills do we want the users to learn and apply in their daily roles?

The content must be relevant to the users, and they need to be able to integrate this information into their daily work. Tailoring the training so that it clearly relates to their individual roles and responsibilities will make it more applicable and valuable, and avoid the feeling that this is just another checkbox requirement taking time away from their day. If users can relate the training back to specific job scenarios or things they have seen before, they will be more likely to remember and follow through with the recommendations when they are confronted with a similar threat in the real world.

Comprehensive Materials:
Technologies and risks are constantly changing, and the old risks aren’t exactly going away, so the options for security training topics may seem endless. Below are some general topics that we recommend that you include:

  • Access Control
  • Password Usage and Management
  • Identity Theft
  • Incident Management/Reporting
  • Desktop Security
  • Mobile Devices
  • Data Recovery/Backup and Storage
  • Information Disposal
  • Violations of Security Policy
  • Internet Usage
  • Viruses and Malware
  • Anti-virus Protection
  • Vulnerability Patching
  • Secure messaging/e-mail
  • Phishing
  • Social Engineering
  • Insider Threats
  • Physical Security/Visitor Management

You can train your users using a variety of methods. Comprehensive training should be initially conducted when a new team member is hired and annually for all staff. But you should also provide updates throughout the year as new risks emerge, new phishing schemes target your industry, etc. Share information from online security news websites, industry-hosted newsletters, professional organizations and vendors, periodicals, conferences, seminars, etc. Post reminders or posters in the breakroom. Varying the method of communication, and doing so throughout the year, will help remind staff of the ongoing importance of information security awareness and emphasize the lessons learned during their training. Consider conducting social engineering tests (i.e., phishing or tailgating attempts) to validate the training and identify any potential weaknesses that need to be addressed.

When launching your training initiative, be sure to clearly articulate expectations of each user, expected results of the program, and reasons why it is being implemented. As much as possible, tie the requirements back to existing policies and procedures. Support from your executive leadership team and their inclusion on communications to managers and employees can help achieve buy-in across the organization. Management should set an example for proper behavior by promoting and completing the training. Funding details should be addressed with department managers so they know whether the training is funded by the central organization or if they will share in the expense for their employees.

In addition, schedules and completion requirements must be communicated. Clearly define due dates, provide reminders, and explain the consequences for failing to comply. Verify that your teams have the tools for accurately tracking progress and then documenting all user completions.

Once your information security awareness program has been implemented, processes must be put in place to monitor compliance and overall effectiveness. Training should be conducted upon hire, and at least annually. Ensure that the training materials continue to be updated as new technology and associated security issues emerge. This will keep the subject matter fresh and relevant, and keep your staff from dismissing its value due to stale content. Continuous improvement should always be the goal for security awareness and training initiatives to avoid the most common vulnerability – human error.

Some additional guidance from the CRM Team below:

[Rivkin]: The basic security requirements from the NIST SP 800-171 covering Awareness and Training (Requirements 3.2.1 and 3.2.2) state that your organization should “ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”

When an institution is implementing security and compliance training, all people, processes, and technologies must be considered. In my experience, it’s evident that consistent communication with employees and students around the importance of PCI compliance is especially important given the unique environment of higher education. Establishing a structured PCI training program is essential to ensuring everyone on campus abides by university expectations and policy, remains up to date on industry changes and related risks, and is prepared to handle incidents if and when they arise.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.