Features: September 24th, 2010

By Robert O’Brien

The loss of information by public sector organisations is a continuing saga, but it can be prevented. The author describes the vital role that users play in the data protection process and he explains how technology can ensure that they are aware of their responsibilities and fully engaged in carrying them out.

The latest breach from West Berkshire Council, where a memory stick containing personal information about children was misplaced, proved to be the second data security incident reported by the council within six months. The Information Commissioner’s Office (ICO), which enforces the Data Protection Act, found that the Council’s data protection processes were inadequate and lacked proper user awareness training programs.

User awareness is fundamental to any organisation’s information assurance objectives, because critical information within an organisation and the systems and networks that manage it must be reliable, secure and private. In addition, measures and processes must be in place to counter malicious electronic-based attacks. The requirements for automating this area of information assurance have been driven mainly by the increasing importance of data handling and data security, for which a number of legislative and regulatory initiatives have been introduced, including the Government Connect Standard (GCSx), PCI DSS, ISO27001 and adherence to the Data Protection Act.

Employee awareness is the single biggest differentiator between nominal and best practice information governance programmes, and is an essential factor in maintaining regulatory compliance and IT Assurance. Traditional methods of communication, such as email and corporate intranet, simply will not deliver the necessary levels of awareness that are required. Organisations must look to specialist compliance automation tools to ensure that they develop an educated, vigilant workforce that properly utilises, values and protects the data held within its perimeters.

A good user awareness campaign

Almost all of the major legislation and regulation in the area of information assurance has user awareness as part of compliance requirements. A good user awareness campaign should utilise all communication and education options available. These options can be separated into optional and mandatory compliance activities and the methods deployed by the organisation can be deemed to be active or passive. An example of an active compliance deployment would be the use of an electronic policy communication tool to enforce a response from a user, used in the area of mandatory compliance communications such as third party access. An example of a passive compliance deployment would be the use of posters illustrating the importance of physical security for users to see.

It is vital to have the organisation’s key compliance and IT security policies defined and documented and this should be the first step to successful user engagement. The next step should be to ensure that every relevant employee and third party contractor is signed up to these policies. In order to demonstrate best practice, an organisation’s employees must fully understand the policies to which they are agreeing. This can be achieved by requiring the user to provide answers to questions on policies that are relevant to them.

By taking a blanket communication approach to policy communication via email or intranet, all policies tend to be treated as equal and all users are given the same level of attention, thus weakening the process. Users will take information security more seriously if they have to sign and confirm they have read and understood key compliance messages. Today, organisations must also be able to produce evidence that policies are being adhered to in order to achieve full compliance. This is an impossible task without the help of automation.

Effective communications

In order to effectively communicate more informative messages that will aid the user’s understanding, most organisations will invest in an E-Learning Management System (LMS). Many organisations state that a new user must complete a series of online courses, whilst others have annual refresher content in place that users must undertake. In order for an LMS to be successfully taken on board by users, the e-learning content must be of a high standard. Poorly designed or boring content can undermine the success of a user awareness campaign. E-Learning, like policy communication, must be appropriately targeted to individual user groups and roles.

Integrating e-learning content with policy management communication will reinforce key user awareness messages delivered by either medium. Using assessments at the end of e-learning content has the additional benefit of providing another set of metrics with which to measure progress towards changing IT Security culture within the organisation.

Awareness activities provide the necessary platform for user engagement and understanding. The most important aspect of this is policy communication and management to promote user engagement and provide a baseline for an organisation’s duty of care. A powerful user awareness campaign is created from the different communication methods that are blended together. User awareness activities are entirely different to training activities, despite the objectives for delivering information assurance awareness being similar to training options. The options and methods for awareness activities are typically different to classroom training, in that they should be less formal, quicker, more memorable and fun. In the end, they should provide the organisation with an auditable and demonstrable compliance programme.

Reducing the data breach risk

The risk of a serious data breach can be significantly reduced by self certification technology that places the responsibility for the security of information directly at the feet of the employee. Organisations must ensure that the correct user awareness communication or policy is deployed or targeted to the right user or group of users. This is critical to the credibility of any compliance regime, and senior management must be able to see that investments in awareness activities are providing a rapid return on investment.

In order for this to happen, organisations should provide comprehensive reporting based on regular assessments and measurements of user populations, responses to the policy and user awareness campaigns. Areas of concern within an organisation, highlighted by risk assessments or incident reporting, should be targeted with remediation that would include additional awareness activities like e-learning and a more forceful policy communication approach.

Fundamentally, the awareness goal at the decision making level is to convince the audience that information assurance and risk management are achievable. Awareness goals at the end user level should be to help them to understand the key information security and compliance risks and the activities to reduce them; in addition they should develop a culture of best practice information assurance.

By changing the security and risk culture and combining it with trusted user awareness technology, an organisation can considerably mitigate the major reputational and financial risks associated with the types of data loss incidents that were experienced by West Berkshire Council.

Robert O’Brien is a Director at MetaCompliance. http://www.metacompliance.com/