“Playing by the rules” - an information security awareness and training module for July

Background and scope

Both the organization as a whole, and individual workers, are expected to comply with various rules concerning information security.  At face value, compliance is a binary condition – one either fulfils applicable information security-related obligations or does not.  However, it is not that simple in practice.

Compliance requirements vary in nature from “absolutely mandatory, no question whatsoever” down through “advisory”, “discretionary” or “good practices” and social pressures (such as “ethics” and “culture”) to purely individual matters (“morals”, “beliefs” and “habits”).

There are degrees of compliance in the sense that one may comply fully and unreservedly with the obligations, perhaps exceeding them in various respects, or one may barely and reluctantly comply “in principle” or “under sufferance”.  Likewise with noncompliance: flagrant, frequent or shameless disregard for the obligations clearly suggests more substantial issues than minor, occasional or accidental infractions.  The severity is greater if there is evidence or reasonable suspicion of malicious intent, arrogance or a patent lack of respect for authority, hinting potentially at an even bigger issue.

Furthermore, most laws, regulations, contracts/agreements, standards and corporate policies impose several distinct requirements, hence it is possible to comply with some but not necessarily all of them, while different parts of the organization may comply to different extents that may vary over time.

There are differences between obligations imposed by the authorities (e.g. laws and regulations), by business partners (contractual terms, Service Level Agreements), by management (policies mostly), by peers and society (ethics and social norms) or self-imposed by individuals (beliefs and values).  In particular the penalties and other consequences of noncompliance vary, along with the likelihood of noncompliance being detected. 

In short, there are information risks here.

Generally speaking, we need to be made aware of the rules, helped to understand and appreciate what is expected of us, and motivated to comply ... which is of course where NoticeBored comes into play.  Simply publishing a few policies is nowhere near good enough.  Telling employees to “comply, or else!” doesn’t really achieve much either.  We can, and must, do better.

Learning objectives

July’s awareness and training module:

  • Makes workers broadly aware of their own and the organization’s compliance obligations and expectations relating to information security;
  • Helps everyone appreciate that we are all expected or obliged to behave in certain ways, and that doing so has benefits going beyond the individual (hinting at the purpose of having ‘rules’);
  • Mentions that compliance is actively monitored and checked, alluding to the possibility of enforcement actions and penalties for noncompliance - without being too heavy on the threat;
  • Supports and encourages management’s efforts to clarify, promulgate, monitor/ensure compliance with and when necessary enforce corporate security policies, procedures etc.;
  • Distinguishes authorized from unauthorized noncompliance, using the specific terms “exemptions” and “exceptions” respectively;
  • For professionals, discusses the instrumentation and monitoring of systems, networks and processes in order to identify, flag and deal with noncompliance at the earliest opportunity, before things get out of hand – including the possibility of someone undermining or disabling the alarms and alerts in order to conceal nefarious activities.

Consider your learning objectives in relation to information security-related compliance, in particular any specific compliance challenges or issues that are worth emphasizing this month. 

Module 195 listing


As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend in additional content.  Use the materials in the company newsletters and magazines, your intranet Security Zone, in awareness events and training courses, and for new employee induction or orientation purposes.

What’s next?

Tag along with us on NBlog as we work on the next awareness topic.  In addition to clues about what’s coming up through NoticeBored, we often share creative hints and tips on making security awareness and training even more effective.

Copyright © 2019 IsecT Ltd.