BUILDING AN INFORMATION SECURITY AWARENESS PROGRAM
by Mark B. Desman

- Provides off-the-shelf solutions for developing an information security awareness program
- Presents a step-by-step methodology for developing, distributing, and monitoring an information security awareness program
- Includes detailed instructions on how to communicate the message: what media to use and where to locate it
- Describes how to use outside sources to maximize the impact of a small staff while keeping costs reasonable
- Discusses how to evaluate the program - where and how to make updates

“In his latest book, a pre-eminent information security pundit confessed that he was wrong about the solutions to the problem of information security. It's not technology that's the solution, but the human factor - people. But even infosec policies and procedures are insufficient if employees don't know about them, or why they're important, or what can happen to them if they ignore them. The key, of course, is continuous awareness of the problems and the solutions.

“Building an Information Security Awareness Program addresses these concerns. A reference and self-study guide, it goes step-by-step through the methodology for developing, distributing, and monitoring an information security awareness program. It includes detailed instructions on determining what media to use and where to locate it, and it describes how to efficiently use outside sources to optimize the output of a small staff. The author stresses the importance of security and the entire organization's role and responsibility in protecting it. He presents the material in a fashion that makes it easy for nontechnical staff members to grasp the concepts. These attributes render Building an Information Security Awareness Program an immensely valuable reference in the arsenal of the IS professional.”

EXCERPT: FROM THE INTRODUCTION

“The layout of the book is such that one can follow it end to end in establishing and augmenting a program or go to a specific chapter to gain insight into a single facet of the overall program. In all cases, we will try to provide a means for measuring its effectiveness. Finally, we will discuss the means necessary to make the auditors willing co-conspirators in the implementation of your program. I speak not only of the internal audit staff, but the third-party auditors, as well. If you are in the financial trades, the measures noted work with examiners, the Federal Home Loan Bank Board (FHLB), the Federal Reserve, or the Comptroller of the Currency. Each will provide you with the keys to getting your program off the ground. All you have to know is how to gain their cooperation and complicity.

“Note: Although this passage suggests subterfuge at its worst, it is in no way that. The reviewers, be they internal or external auditors or regulatory agencies, will be looking for specific weakness in your schema of protection. Using that information in expanding your program is your task. If they can get their concerns met, then they have accomplished their goals. If you can get the required funding or resources to address their concerns, you win, as well. Hardly cause for concern.

“I have arranged the chapters in the book in a continuum of how I would go about establishing a program were I starting from scratch within an organization for which I worked, either as an employee or a contractor. In most cases, the reader will have some subset of these provisions already in place. Perhaps they are functioning well, or perhaps they could use a tuneup. Hopefully, we will present the subject matter in a manner that will (A) allow for an evaluation as to how the measures are working or (B) offer some hints that might enhance their functionality. The book is presented in four sections, with a subset of chapters within them. It begins with the very basis of a program and moves on into more and more complex issues. Specifically, the sections are:

“Section 1: Getting Started

“In this section we discuss getting the lay of the land. Somebody saw an issue, which is why you have been put into this position. Did they just decide that everyone else has an information security officer, so they should too, or was there recognition of a potential weakness in protecting corporate information assets? If they recognize the need, they have most certainly made some effort, no matter how basic, to install a program. Section 1 discusses how to find out what has been done, who is responsible for its inception, and the likelihood of its expansion into a viable program. It also discusses how to find out who the movers within the organization are. Sometimes it is easy to tell from their titles. Other times, it is not so clear. Once this is ascertained, there has to be participative buy-in by those same leaders. We will look at the ways to gain their trust and support.

“Finally, in Section 1, we will look at ways to get the message out. No need to reinvent the wheel if there are vehicles already in place. For instance, no matter how you plan on putting your documentation together, there are no doubt company standards as to how the final product should look and what people should be in place to make sure that it happens. These folks will not only give you a product that is acceptable to the company, but will be a tremendous source of assistance throughout the process - a perfect example of leveraging other department capabilities toward accomplishing your goals.

“Section 2: Establishing a Baseline

“Somewhere, often in dusty loose-leaf binders on forgotten shelves, is a set of company policies, procedures, guidelines, and directives. They may be woefully out of date, but they are there somewhere. We are going to ferret them out and see what parts we can use. We are then going to set about making them both current and useful (these are not interchangeable terms!). We will get the documentation in place, get it blessed by the powers that be, and get it to the general audience, the people who need to know.

“This section will, at times, wander from the limited discipline of information security. This is with cause, as the techniques that are most effective are effective in a number of other areas as well. However, there is much to be gained by using the techniques covered, as they will shorten the path to your ultimate goal.

“Section 3: Communications

“In every company there is someone who knows the whys and wherefores of every action the company has taken. That person will be sought out by any and all who desire to know anything about the past. For whatever reason, this human archive can lead you to it. Cultivate this person, but understand why he or she is so rare. For whatever reason, the greater part of the population of the organization is not aware of all of these things. We will seek to make them aware of all that is in our purview. We will explore means of communication that are available, discuss how to generate new ones, and review a number of means to get your message heard.

“Section 4: Evaluation

“This might be the toughest one of all. Now that we have gotten the message out, how do we verify that it has been received? We can do a lot of the work ourselves, but there are others charged with doing just that. We will discuss verifiable ways to test our program's effectiveness and whether or not it is reaching the masses.

“In structure, this book allows you to go from end to end to develop the tools to build a working and effective program. No guarantees here - just the foundation upon which to build. By the same token, if you have begun building your program, you can go to a specific chapter for some hoped-for insight as to how you can do that specific thing better. Whichever your need, we hope we can provide some direction.

“What I would be looking at in the overall perusal of this book is whether the steps that you already have in place have the foundation mechanisms to support them as well. Procedures, for instance, are of little value without underlying policy. It would pay to review steps that precede the measures upon which you have already embarked, to see if they can assist you in moving forward.

“Are the measures outlined the only way to go? Of course not. However, they do provide a baseline from which variance can be controlled and evaluated. In fact, I urge you to strike out on your own and hope that some of what you read leads you to just such actions.

“No matter what your specific need, I hope that this book aids you in attaining those goals. That being the case, I will have succeeded in what I set out to do.

“You will find that a great deal of this book is based upon a philosophy that I have held for many years, that: information security is not a technical issue, but a people issue. We simply use technical tools to resolve the problems we encounter. If we cannot speak and be understood, we will never reach our desired goals. As with the philosophy of democracy, if we do not gain the right to govern from those being governed, we will not. If we do not gain the cooperation of the rest of the company, nothing we do will come to fruition.

“The objective of any awareness program is to draft a plan that defines exactly how corporate information assets are defined, who uses them, and what steps must be taken to protect them. To make it work, it must get across to every person that comes into contact with those assets. That is the subject of this book.

“Each individual in the organization may be a threat to the sanctity of company information. On the other hand, each can also be an ally in the struggle to make certain that the information is safe. Once they know the value of the assets to the company and then, by extension, to themselves, they can act as eyes and ears to you. What we will take the next few hundred pages to explain is how to construct the message and then, how to communicate it. Some of what you read may be old hat to you, but read on as a lot more may be new and useful.

“My hope is to give you information you can work with in building your program. Not all suggestions will work in all environments and not all information will be spanking new. However, if something said sparks an idea for you, then I have accomplished my mission. Learn and grow, but most of all, enjoy!”

CONTENTS

GETTING STARTED
Reviewing the Provisions the Company Now Has in Place
Learning the Players - Where the Power Resides
Learning the Corporate Culture - What Can Work Here, What Cannot
Obtaining Management Buyoff - How to Present the Case
Finding Communications Vehicles Currently in Place

ESTABLISHING A BASELINE
Review All Company Policies, Procedures, Standards, and Guidelines That Even Remotely Address Information Security Issues
Identifying What Can Be Updated
Identify Documentation Needed
Prepare Documentation
Prepare Forms
Obtain Management Support for Documents - The Seal of Approval
Distribution

COMMUNICATIONS
The Media Available Through the Company
New Technology (Video Taping, Streaming Video, Etc.)
Class or Presentation Design
Inclusion of HR-Based Communications
Leveraging Resources
Locating Additional Resources
Placing Your Shots - Getting the Most Bang for Your Buck

EVALUATION
Demonstrating the Effectiveness of Your Program
Refreshing Staff Knowledge and Agreements
Use Statistics - Sparingly but Pointedly
Getting Third-Party Input
Leveraging Internal Audit
Keeping Up with the Joneses - What Is Happening in the Industry
Updating the Program to Address Changing Needs

ABOUT THE AUTHOR

“MARK B. DESMAN ... has worked in the fields of information systems security and business resumption planning for more than 25 years. In that time, the entire field of IS has evolved from a glass room, mainframe-oriented industry into the networked, server-based, desktop phenomenon we see today. As a practitioner in the field during that metamorphosis, he has had a strong role in building, rebuilding, and refining an overall information security program for each of a number of major corporations, including American Express, Del Monte Foods, Financial Corporation of America, Tandem (now HP) Computer, The Banknorth Group, and Micron Technology. In addition, he has consulted in both fields and, due to his approach of believing that information has to be presented in an interesting format to be accepted, has had innumerable speaking and teaching engagements.

“Throughout his career, Mr. Desman has found himself "breaking trail," finding answers to challenges that perhaps never existed before - for the industry in general. Many of the techniques he has developed, particularly in the business continuation and communications fields, are now part and parcel of generally accepted practices in both disciplines. As he is quick to add, many of the main merits of his contributions are in their being the original answer to the question, rather than the result of high impact technology.

“Among other things, Mr. Desman discovered early on that the basis for any program is in a complete set of policies and procedures. Where his approach diverged from the mainstream was with the notion that the populace in general ought to be made aware of this body of irrefutable knowledge, and once they have found themselves knee deep in it, they should be able to understand it. These two characteristics, and the explanations as to how to put documentation in this form, are the main thrust of this book. Perhaps most important is the notion he holds that information security is a people issue, rather than a technical one. To be sure, we use technical tools to resolve the problem areas, but we must rely on the knowledge and cooperation of the people involved for any program to be successful.

“Mr. Desman also co-authored the manual, Business Resumption Planning, and has published articles in numerous periodicals and journals. From all indications, his muse is still active and will no doubt present the world with additional publications as time goes by.”

2001, 251 pages. Order #DR586.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008