The three primary strands
In recent years, several very high-profile commercial criminal investigations have resulted in much more stringent and invasive legislation on risk taking in companies. Sarbanes–Oxley in the USA, the effect of the Turnbull Report on corporate governance, the Companies Act in the UK and related measures have all helped to bring risk management to the top of the agenda in many boardrooms. It is no longer effective or acceptable (if it ever was) to delegate responsibility for risk management down to the manager of the IT section.
Three of the most significant investigations are:
- Lehman Brothers – risky, bad loans led to bankruptcy.
- UBS – loss of $2.3 billion due to poor governance.
- Barings Bank – the Nick Leeson fiasco.
The last two incidents are of particular interest because they illustrate why information assurance cannot be separated from corporate governance. The management team at Barings Bank broke one of the cardinal rules of trading: they let an employee settle his own trades.
Leeson was put in charge of both the dealing desk and the back office. This is like allowing a cashier to bank the day's takings without an independent third party checking that the amount banked tallies with the till receipts. UBS's loss of $2.3 billion in 2011 arose from similar circumstances. Both of these massive financial losses occurred because neither organisation properly implemented the principle known as Separation of Duties (SoD).
Separation of Duties (SoD)
The definition on Wikipedia is as follows:
'Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task shall prevent fraud and error.'
In many situations, SoD is implemented using technical controls within computer systems. Typically the control is a ruleset of conflicting duties (for example, executing a trade and settling it) against which user and role assignments are checked, both before access is granted and periodically afterwards. For instance, SAP systems have governance, risk and compliance (GRC) solutions that support internal audit and compliance requirements, with a particular focus on SoD. All of these examples show why it's no longer acceptable to delegate risk down to the IT department: these are corporate risks.
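The following is an added example, not code from the course or from any GRC product, showing what such a technical SoD control does in the simplest case. The rule names, roles, duties and user assignments are constructed for illustration; the user "nleeson" mirrors the Barings arrangement of one person holding both the dealing-desk and back-office duties. The check works on effective duties rather than role names, so it catches both two individually harmless roles combined on one person and a single over-broad role that violates a rule on its own.

```python
"""Separation-of-duties (SoD) conflict checker (added example, constructed data)."""
from itertools import combinations

# SoD ruleset: pairs of duties that one person must never hold together.
# Constructed for illustration; a real ruleset would come from GRC tooling.
SOD_RULES = {
    "trade_vs_settle": frozenset({"execute_trade", "settle_trade"}),
    "pay_vs_approve": frozenset({"create_payment", "approve_payment"}),
    "cashier_vs_reconcile": frozenset({"bank_takings", "reconcile_till"}),
}

# Roles map to the duties (entitlements) they grant. Constructed.
ROLES = {
    "front_office_dealer": {"execute_trade"},
    "back_office_clerk": {"settle_trade", "reconcile_till"},
    "treasury_ops": {"create_payment"},
    "treasury_manager": {"approve_payment"},
    "cashier": {"bank_takings"},
    "general_manager": {"execute_trade", "settle_trade"},  # toxic on its own
}


def effective_duties(assigned_roles, roles=ROLES):
    """Flatten a user's roles into the set of duties they can perform."""
    duties = set()
    for r in assigned_roles:
        if r not in roles:
            raise KeyError(f"unknown role: {r}")
        duties |= roles[r]
    return duties


def find_violations(user_roles, rules=SOD_RULES, roles=ROLES):
    """Return {user: [violated rule names]} for every user whose effective
    duties contain both sides of a rule (a detective control, run periodically)."""
    violations = {}
    for user, assigned in user_roles.items():
        duties = effective_duties(assigned, roles)
        hit = [name for name, pair in rules.items() if pair <= duties]
        if hit:
            violations[user] = hit
    return violations


def toxic_roles(rules=SOD_RULES, roles=ROLES):
    """Roles that violate a rule by themselves; these should not exist at all."""
    return {r for r, d in roles.items() if any(p <= d for p in rules.values())}


def toxic_role_pairs(rules=SOD_RULES, roles=ROLES):
    """Pairs of roles that are each clean alone but violate a rule when
    co-assigned (a preventive control, applied at provisioning time)."""
    clean = sorted(set(roles) - toxic_roles(rules, roles))
    pairs = set()
    for a, b in combinations(clean, 2):
        combined = roles[a] | roles[b]
        if any(p <= combined for p in rules.values()):
            pairs.add((a, b))
    return pairs


# Constructed user-role assignments.
USERS = {
    "nleeson": ["front_office_dealer", "back_office_clerk"],  # trades and settles
    "asmith": ["front_office_dealer"],
    "bjones": ["back_office_clerk", "cashier"],  # banks takings AND reconciles
    "cwu": ["treasury_ops"],
    "dlee": ["general_manager"],  # one role, but it spans both sides of a rule
}

if __name__ == "__main__":
    for user, rules_hit in sorted(find_violations(USERS).items()):
        print(f"SoD violation: {user} -> {', '.join(rules_hit)}")
    print("toxic roles:", sorted(toxic_roles()))
    print("toxic role pairs:", sorted(toxic_role_pairs()))
```

Running the block reports "nleeson", "bjones" and "dlee" as violators; "dlee" is caught only because the check compares duties, not role names. In practice the detective check (`find_violations`) is run against an export of the identity system and the preventive check (`toxic_role_pairs`) is wired into the access-request workflow so that a conflicting combination is refused or routed for explicit risk acceptance before it is granted.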
Compliance means conforming to one or more of the following:
- Policies – those defined by your own organisation
- Standards – e.g. ISO 27001
- Law – e.g. the Data Protection Act (DPA)
- Legal Contracts
For example, an organisation that achieves certification against ISO 27001 is compliant with that standard. Certification does not by itself demonstrate compliance with the law or with contractual obligations; each of these must be checked separately.
Everyone is responsible
Every individual in the organisation has a responsibility for security. However, it's equally true that you must give every member of the company the tools to exercise this responsibility as well as they can. A critical element of information security management is consulting and educating staff, so it's vital to begin with the communication of a clear message. Creating a culture also involves policy, contracts and, of course, training to ensure that each member can do their bit in an informed and competent way for the good of the company.
The IA policy should clearly define the terms of reference for anybody involved in information security.
This is especially relevant where responsibilities are delegated to individuals who aren’t members of the information security team. This helps to distinguish security responsibilities from other core areas and establishes clear reporting lines to the information security manager. These aspects should be part of the job description and incorporated into contracts so that all members of staff are clear on their duties and requirements.
Security awareness programme
In order to create a healthy security culture, it's essential to design a security awareness programme that will fit the needs of staff.
The first step in conceiving this is to carry out a needs analysis and define what staff require in order to meet the expected IA standard. Having identified the areas needing attention, the information security team can design a bespoke programme ready to be rolled out across the organisation. Security awareness training should incorporate an assessment, and the results should be recorded. This helps to identify the level of awareness and what measures are required to make improvements. Recognising problematic areas quickly allows them to be improved rapidly, and the results can also inform future training programmes.
The responsibilities should reflect the organisation's information assurance policies. They should also include any legislative or compliance aspects that the staff member needs to understand, since these govern how the individual is expected to behave both inside the organisation and when dealing with external parties. Adding these responsibilities to the individual's job description helps to embed them in 'business as usual' activities.
A security awareness programme should be rolled out across the organisation. It’s essential that the key elements of the organisation's security policies are communicated, and training should be evaluated to establish the organisation’s current level of awareness.
The security awareness programme should be designed by the information security team in conjunction with specialist training designers. It should then be introduced across the organisation to meet the requirements identified in the training needs analysis.
You've seen that every individual in an organisation has a responsibility for security. Nevertheless, it’s only possible to fully promote this level of personal accountability if the information security manager has successfully introduced a security awareness programme.
Then, every member of staff will understand their responsibilities in relation to the organisation’s security posture, including the security-related aspects of their own job and the part they play in the security of the organisation.
A question for you
Which three aspects of cyber security awareness would you focus on, if you had to design a training programme for your current company?
You've explored some aspects of cyber security awareness, now you're going to examine policies, standards, procedures and processes, the differences between them, and how they complement each other.
In this course, you will discover the structures policies and practices which provide a basis for developing the organisation’s information security.