Theoretical knowledge is all very well, but entrepreneurial thinking and action are better. In the majority of cases, foundations for an IT security awareness programme already are in place. However, oftentimes, the implementation of such a programme leaves a lot to be desired.
Approximately 10 years ago, a narrated slide show, "Data—as safe as gold," was used to raise awareness of data protection and data security issues among members of staff, and it was complemented by a corporate internal audit presentation on risks and control measures. All SwissLife/Rentenanstalt (SL/RA) Group employees in Switzerland and abroad took part in this programme, which was available in four languages. It has become necessary to step up the awareness programme, due to the increasing use of computers, expanded network connections and increased demands on security and controls.
Ideas for Renewing Awareness
In view of the considerable benefits and work improvements which a meaningful deployment of information technology (IT) can bring, organisations must not allow themselves to lose sight of the associated dangers. A lack of care, or outright negligence, in using this technology can have serious consequences.
One of the prime objectives of the awareness programme at SL/RA, therefore, was to sensitise employees to the issue of IT security, including the following topics:
- The SL/RA Group's IT security policy and management procedures (see figure 1)
- IT security goals and how they can be met
- The obligations of IT users and the designation of those responsible
- Explanation of the basic CIA principles: confidentiality, integrity and availability
- How to recognise the risks and dangers when using IT
- How to treat IT equipment, software and data safely and securely
- How to ensure IT security through awareness and checks
Experience has shown that not enough consideration is given to safeguarding IT security during projects or in day-to-day business, and these matters are often left to IT users themselves.
Planning, implementing and monitoring an awareness programme is an ongoing management task. It is the duty of each and every member of staff to ensure security at a day-to-day level.
There already is a wealth of information available online on this subject. But, how many people actually have read the IT security vademecum (a standard security guideline for IT end users) from start to finish and understood it all?
The key to success, and the readiness to implement the programme, lies in everyone understanding what the company is trying to achieve (vision statement), what the employees are called upon to do (mission) and what they are expected to accomplish with regard to IT security awareness.
Problems and Dangers
While networking has made a wide variety of information available to a large circle of users, protecting confidential data from unauthorised access or manipulation can present problems.
The complex nature of the problems and dangers (Source: Studie 2002 Kommunikation und EDV-Sicherheit, KES), however, requires complex security solutions whose strength is inevitably dependent on the weakest link in the chain. See figure 2.
According to this study, the danger areas which are becoming ever more important include viruses, hackers, unauthorised access and theft of information.
To perform a task properly, those responsible must ensure that the necessary protective measures are in place at all times. IT security is not something that automatically occurs, it can be achieved only through a combination of technical and organisational measures applied by all employees.
New and Existing Starting Points
Future developments consider past and present experience and future opportunities, linking them for practical purposes whenever possible, for example:
- Targeted expansion of the awareness programme (head office, branch offices, subsidiaries)
- Use of the learning platforms on the existing intranet—CIS (central information system) and VLIC (virtual learning and information centre)
- Preparing, saving and distributing the corporate directions for IT security, the IT security handbook and the IT security vademecum to all IT users
- Continually updating links when new regulations affecting data protection and security come into force
Decisive, supportive commitment on the part of top management is a prerequisite for success in developing and implementing this programme.
The online training course on IT security was launched at the start of 2003 for new and existing SL/RA employees in Switzerland.
From Drawing Board to Implementation
When developing the IT security awareness programme at SL/RA, the many layers of information and the corresponding links had to be generically related to the learning objective (figure 3). The central question was: what does the IT user need to know and observe at the time of training and in his/her daily work?
This issue was consistently addressed each time a new element was added to the training course. At the same time, all related information, such as the contents of the data protection and data security guidelines, explanations from the IT security vademecum, descriptions of the SAVE training programme and the cybertest questions, was harmonised and referenced clearly.
It was particularly important to clarify and make known the organisational structures (for both the preparatory and implementation stages) prior to the launch of the IT security awareness programme on 1 January 2003, along with the allocation of tasks and responsibility for communication and internal checks.
An appeal to all members of staff from the head of IT emphasising the mandatory nature of the awareness programme was of the utmost importance to ensure its implementation as planned. It also was important that management was previously informed and that the training programme was ready to use in four languages.
For employees who are familiar with IT security materials, each stage of the course should take no more than 30 minutes; a total of 1.5 hours without prior study of the IT security vademecum and the SL/RA guidelines. To make it easy to get started on the course, initial information provided helpful pointers on the clearly structured assignment.
The controlling function covers the test responses, the reminder system and the saving of documents to personal files.
One of the advantages is that corporate internal audit has had active input into the project since its conception. Appropriate monitoring objectives, therefore, can be included in the future audit programme. IT staff resources are to be the prime focus. Spot checks on the following IT processes can be made by way of COBIT:
COBIT (Control Objectives for Information and related Technology): evaluating IT processes
- Responsibility for physical and logical security
- Communicating IT security awareness
- Disseminating security principles and security awareness
- Operations security and guaranteeing internal controls
- Proactive involvement of audit
The necessary security, efficiency and effectiveness can be guaranteed only once an adequate change management has ensured that the IT security awareness programme is always up to date.
Both areas of responsibility, and the most important tasks with regard to maintaining internal controls (including monitoring those in charge), must be defined in the concept.
It is important that conclusions reached and recommendations made by management, the auditors and employees are taken seriously.
This creates the opportunity to localise and analyse new threats and risks, and to pass any feedback on to the IT team members responsible.
If data protection and security measures are insufficient or are not taken, staff motivation and awareness could suffer.
Thanks to the new strategy, the related structure and the transformational leadership at Swiss Life/Rentenanstalt, a project such as the IT security awareness programme can be successfully completed more quickly, in a more straightforward manner and with less expenditure.
This realisation, and an awareness of the need for efficiency and impact, has the potential to increase the confidence of the organisation's 13,000-strong workforce and encourage stability within the active change process in the SL/RA Group as a whole. Another advantage is that the IT security awareness programme can be adapted adequately to the ongoing alignment of international, European and national quality and security standards.
Particular care must be taken to ensure that personnel resources are given priority over all other IT resources and that they are given the required attention. Only then can security indicators be effective in detecting divergences within the framework of an early warning system. Insufficient communication and inspiration could inhibit staff awareness and stifle individual performance.
The successful improvement of the SL/RA Group through the IT security awareness programme will bring the organisation one step closer to the ideal of corporate and IT governance.
is a senior information systems auditor in the corporate internal audit department of Swiss Life/Rentenanstalt, where he has worked since 1983. He is responsible for carrying out IT audits, systems and applications audits as well as risk assessment and assurance services throughout the systems development life cycle (SDLC). Wiederkehr has been a member of the board of ISACA's Swiss Chapter since 2002. He is a lecturer in the field of audit and legal aspects for project leaders with WISS (Wirtschaftsinformatik-Schule, Schweiz) and is the author of articles and white papers regarding COBIT implementation, IT governance, e-business risks, privacy and security, as well as auditing throughout the SDLC. He also participates regularly as a guest speaker at national and international conferences.