Introduction
Training people to adopt security-conscious behaviors and establishing policies for maintaining a secure environment go a long way towards improving an organization’s overall security posture. The next sections cover policy aspects of information security training within an organization faced with an insider threat.
Personnel and training
Insufficiently trained personnel are often the weakest security link in the organization’s security perimeter and are the target of social engineering attacks. It is, therefore, crucial to provide adequate security awareness training to all new hires, as well as refresher training to current employees on a yearly basis (Gibson, 2015).
Cyber security policy
The corporate security policy expresses the management’s commitment to securing critical assets and provides the framework for developing, implementing, and enforcing security controls (Gibson, 2015). The policy document(s) must be available to all personnel who are required to comply with their requirements. The policy should be reviewed and updated periodically. The following checklist summarizes the security best practices and controls that should be implemented.
Security policy elements
- Policy management
- Personnel and training
  - Personnel risk assessment
  - Security awareness program
  - Cyber security training
- Critical asset management
  - Methodology for identifying critical cyber assets
  - Inventory and classification of cyber assets
  - Information protection and data privacy
  - Cyber vulnerability assessment
  - Access control, monitoring and logging
- Physical security
- Electronic security perimeter
- Incident reporting and response
Security awareness and training
The organization should establish a training program that includes the following:
- The proper use of critical cyber assets
- The policies, access controls, and procedures developed for critical cyber assets
- Action plans and procedures to recover or reestablish critical cyber assets, and the required access to these assets, following a cyber security incident.
| Risk | Potential Impact | Mitigations |
|---|---|---|
| Inadequate security training and awareness. | An inadequately trained workforce will not be aware of the policies and procedures necessary to secure organizational information and equipment, resulting in the potential for weaknesses to be exploited. | Ensure that all employees undergo security training when hired and at least once a year thereafter. The degree and nature of security training for personnel may vary based on their job function. |
| Insufficient identity validation, background checks. | The human factor must always be considered the weakest element within any security posture; identity validation and background checks are measures that are imperative in managing this risk. | Institute appropriate procedures to conduct background checks of all new hires. |
| Inadequate privacy policy. | Insufficient privacy policies can lead to unwanted exposure of employee information, leading to both business risk and security risk. | Ensure that the privacy policies adequately cover all aspects of safeguarding access to private information. |
| Improper revocation of access. | Failure to ensure that employee access is revoked when no longer needed may result in unauthorized access. | Ensure that employees have access to resources and systems only as needed to perform their job function and only for the duration that this need exists. |
Conclusion
The organization must establish, document, implement, and maintain a security awareness program for all personnel. The awareness program describes common security risks and how to avoid them. Awareness reinforcement should occur at least quarterly. For personnel having authorized cyber access or authorized unescorted physical access to critical cyber assets, the organization should establish a training program. Diligence in the hiring and personnel review process is crucial. It is important to define and document a risk assessment program for personnel with authorized cyber access or authorized unescorted physical access to critical cyber assets. Grant each employee the lowest levels of access to cyber assets and other privileges needed to do his or her job efficiently (Gibson, 2015).
References
Gibson, D. (2015). Managing risk in information systems. Burlington, MA: Jones & Bartlett Learning.