Defining our Security Education Program
Information Security education initiatives are vital to the Information Security group's effort to be a successful partner within the company culture. Establishing a formal program that articulates our strategy and approach to security education, the Information Security Education Program (ISEP), will be the first step towards effectively delivering and measuring behavior-change metrics in our goal to create a culture of security here at company. This will allow us to better understand requirements, identify gaps, and focus on initiatives so that we can better plan resource allocation and needs, assemble our team, and utilize our branding (email templates,
It is crucial for the success of this program to define our initiatives and ourselves as in support of and in collaboration with communications stakeholders.
With minimal resources to execute the program, it will be important to build strong relationships, engage influencers, and nurture those connections. The team will consist mostly of identified IT leaders from all BU's and segments, as well as volunteer employees worldwide who have a passion for security. The global team would help to identify the program's worldwide goals, and then introduce initiatives on a local, regional basis, allocating communication and local resources as needed. All local initiatives follow the agreed-upon existing global branding, to help ensure a consistent, coherent look and feel for all security deliverables. (Get yourself a logo and make it your brand with consistent, recognizable fonts and messages.)
Foundational Activities - Assessing your culture
Most security risks result from human behavior. Our cast members & employees take unsafe measures to save time and effort, and may lack awareness about the security risk involved.
An information security cultural assessment will be required to implement the program. Its purpose is to identify any unknown security risks threatening the Disney environment. By implementing a recurring information security cultural assessment and using interviews and focus groups, we will ask each group of employees the following questions:
• What do
* Set up a training program for all employees on network security policies and any new changes to network security.
Security and ethical employees will continue to be a vital aspect of ensuring the success of an organization. There will always be a need for ethical IT security professionals, as hackers will continue to force organizations to make adjustments in their business models to protect their employees, data and customers. Many organizations and managers believe application security requires simply installing a perimeter firewall, or taking a few configuration measures to prevent applications or operating systems from being attacked. This is a risky misconception. By understanding threats and their respective impacts, organizations will be equipped to maintain confidentiality, availability and
The purpose of this qualitative study is to identify the IT leaders who have successfully implemented security policies and procedures. Using the quantitative methodology would not be appropriate because the collected data will not be in the form of numbers and/or statistical results, and the statistical findings will not generalize the real-world problem that needs to be resolved (Creswell, 2014). Quantitative methods are used mainly to find out the who, what, when and where, and the numerical descriptions their results provide fall short where the researcher needs more of a detailed narrative (Sutton & Austin, 2015).
To understand the role(s) of a Security Manager, a person must know what security is and what it means to an organization. According to Ortmeier (2009), "security may be defined as a public or private service-related activity that provides personnel, equipment, and creates policies and procedures designed to prevent or reduce losses. These losses, caused by criminal action as well as by noncriminal events resulting from human error, emergencies, man-made and natural disasters, and business intelligence collection by competitors".
Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?
Think of your organizational assets through the eyes of an attacker motivated by crime, espionage, hacktivism and even warfare. In other words, what are our Top Threats, and how do we know? Interview the Chief Risk Officer and Business Unit leadership and ask them "what keeps you up at night?" Then tie these answers to Corporate objectives and strategies in a Risk Register.
13. Which members of an organization are involved in the security system development life cycle? Who leads the process?
Technology has grown tremendously over the past few decades. Every day, businesses, governments, and ordinary people rely on technology for everything from banking to communicating with loved ones and business associates. Disrupting this technology can cause major losses, both monetary and in terms of information. According to Information Security Curriculum Creation: A Case Study, "A survey of undergraduate degree programs in Computer Science, Information Technology, Management Information Science, and others show a lack of emphasis on security issues in their curriculum." There is a strong need to secure and protect information for many, many reasons, and as such it is important that an undergraduate curriculum provides a comprehensive approach to teaching information security concepts to its students.
The first challenge is in the user domain. We must train our employees to ensure they are aware of the security policies. Employees need to understand the policies and how they align with business goals and the mission statement. Another challenge in this area is the handling of sensitive information and non-public customer-identifying information. In order to be compliant, we must have a training program in place that is in line with the regulations.
The purpose of an IT security policy is to provide "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure" ("Cyberspace Policy Review", 2016).
In order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute. This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of (1) the board of directors or trustees, (2) the senior organizational executive (i.e., CEO), (3) executive team members, (4) senior managers, and (5) all employees and users. This important document can be found at the Information Systems Audit and Control Association (ISACA) Web site at www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997.
Consequences of failing. The goals set the vision, and the objectives are the specific results that must be obtained to achieve success. Regardless of which business assets are to be secured (information or technical assets, physical plant, personnel), the organization must have a security strategy that can be implemented, measured, and revised as the business climate and operational environment change (Caralli, 2004). Failing to ensure the safety of secured information can have devastating consequences. One great example: on September 16, 2010, one of the most prestigious hospitals in the
The connection between our company's network security and end users is clear in the data that has been reported. We should not only provide antivirus software, but create an education program emphasizing prevention, detection and adopting a "security" way of life. Everyone, at all levels, is responsible for our security.