Question

• How do you respond to users within your company who think that security measures just get in the way of their work?
• What could you do to help users view security policies in a more positive manner?

200 words or more, please.

Answer 1

The way I will respond to the users within my company who thinks that security measures just get in the way of their work is The most important aspect of awareness training and education is to accentuate the need for information security. If the users do not understand the necessity of information security from the outset, then any information security awareness drive is destined to failure.

For users to realize this importance, top management need to be involved in and support the program. They themselves need to understand how critical the significance of information security is for the organization. To do this, those that make the corporate decisions need to be educated in the indispensability of information security awareness training for all users.

Once top management recognise the essentialness of an information security program, measures can be taken to integrate information security awareness into the organization. This is done by means of information security policies, stipulating a formal information security awareness program for all users.

By committing themselves, it shows that the senior employees of the company regard information security as crucial and that all users should make a conscientious effort at protecting the valuable assets of the organization.

Implement a Program in Which Every User Accesses the System by Means of an Individual Account:

• Limit user access to only those files they need to do their jobs: Providing access that is not needed greatly contributes to risk without a corresponding increase in benefit. Why bother?
• Avoid shared accounts: Individual activity cannot be differentiated unless there are individual accounts.

Require Users to "Authenticate" Themselves in Order to Access Their Accounts (i.e., make sure that they prove that they are who they are representing themselves to be.

Establish Standard Account and Authentication Procedures (known as log-in procedures):

• Limit users to acceptable log-in times: There is no reason for an average day-shift employee to be able to access the system in the middle of the night.
• Limit users to acceptable log-in locations: There is no reason for an average employee with a terminal on his or her desk to access the system from his or her supervisor's desk.

The steps for the Information Security Awareness Model could be as  -

1. Educate top management in the necessity of information security awareness within the organization.

2. Make use of the international information security standards as a guideline for the information security policies of the organization.

3. Top management utilises the standards to create the information security policies of the company. This includes pledging commitment to information security awareness.

4. The ISO reviews and maintains the information security of the organization.

5. A formal program for information security awareness is implemented by the ISO practising the information security policies and procedures of the organization.

6. The main section of the program addresses general security measures applicable to all users in the organization. 7. The program should also cater for specialized roles within the organization and provide guidelines on the protective measures within specific departments.

Thankyou