“Playing by the rules” - an information security awareness and training module for July
Background and scope
Both the organization as a whole, and individual workers, are expected to comply with various
rules concerning information security. At face value, compliance is a binary condition – one either fulfils applicable information security-related obligations or does not. However, it is
not that simple in practice.
Compliance requirements vary in nature from “absolutely mandatory, no question
whatsoever” down through “advisory”, “discretionary” or “good practices” and social
pressures (such as “ethics” and “culture”) to purely individual matters (“morals”, “beliefs” and “habits”).
There are degrees of compliance in the sense that one may comply fully and unreservedly
with the obligations, perhaps exceeding them in various respects, or one may barely and reluctantly comply “in principle” or “under sufferance”. Likewise with non-compliance:
flagrant, frequent or shameless disregard for the obligations clearly suggests more substantial issues than minor, occasional or accidental infractions. The severity is greater if
there is evidence or reasonable suspicion of malicious intent, arrogance or a patent lack of respect for authority, hinting potentially at an even bigger issue.
Furthermore, most laws, regulations, contracts/agreements, standards and corporate policies
impose several distinct requirements, hence it is possible to comply with some but not necessarily all of them, while different parts of the organization may comply to different
extents that may vary over time.
There are differences between obligations imposed by the authorities (e.g. laws and
regulations), by business partners (contractual terms, Service Level Agreements), by management (policies mostly), by peers and society (ethics and social norms) or self-imposed
by individuals (beliefs and values). In particular the penalties and other consequences of noncompliance vary, along with the likelihood of noncompliance being detected.
In short, there are information risks here.
Generally speaking, we need to be made aware of the rules, helped to understand and appreciate
what is expected of us, and motivated to comply ...
which is of course where NoticeBored comes into play. Simply publishing a few policies is nowhere near good enough. Telling employees to “comply, or
else!” doesn’t really achieve much either. We can, and must, do better.
July’s awareness and training module:
Makes workers broadly aware of their own and the organization’s compliance obligations and expectations relating to information security;
Helps everyone appreciate that we are all expected or obliged to behave in certain ways, and that doing so has benefits going beyond the
individual (hinting at the purpose of having ‘rules’);
Mentions that compliance is actively monitored and checked, alluding to the possibility of enforcement actions and penalties for noncompliance
- without being too heavy on the threat;
Supports and encourages management’s efforts to clarify, promulgate, monitor/ensure compliance with and, when necessary, enforce corporate
security policies, procedures etc.;
Distinguishes authorized from unauthorized noncompliance, using the specific terms “exemptions” and “exceptions” respectively;
For professionals, discusses the instrumentation and monitoring of systems, networks and processes in order to identify, flag and deal with
noncompliance at the earliest opportunity, before things get out of hand – including the possibility of someone undermining or disabling the
alarms and alerts in order to conceal nefarious activities.
Consider your learning objectives in relation to information security-related compliance, in particular any specific compliance challenges or issues that
are worth emphasizing this month.
As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend in additional content. Use the materials in the company newsletters and magazines, your intranet Security Zone, in awareness events and training courses, and for new employee
induction or orientation purposes.
Tag along with us on NBlog as we work on the next awareness topic. In addition to clues about what’s coming up through NoticeBored, we often share
creative hints and tips on making security awareness and training even more effective.