The compliance case for security awareness

Security awareness may be something you have to do for compliance reasons (mostly to avoid penalties) or something you want to do to gain the benefits, often both.

Today I'll concentrate on the compliance aspects, the most straightforward part, leaving the business case for another day's blogging.

Compliance pressures come at us from all sides!

Laws and regulations: many information-related laws and regs mandate adequate information security, particularly those concerning privacy and governance, plus those applicable to the healthcare, financial services, government, infrastructure/utility and defense industries. Some of them specify awareness and training explicitly, others are more circumspect, typically referring to ensuring compliance without saying precisely how to achieve that.

Contracts and agreements: PCI-DSS is the classic example of a contractual obligation to secure information, specifically cardholder information relating to credit and debit cards. Security awareness is a mandatory requirement of PCI-DSS. Another example is the typical employment or service contract, containing clauses about securing personal and proprietary information and protecting the organization's interests. Yet another is cyber insurance: the policy small print may include requirements along the lines of 'generally accepted standards and practices of information security', or mention particular laws and standards, or may specify particular controls (such as incident management and breach notification). Many a lawyer's fee results from the nuances in this area! Claiming that an incident occurred because workers were unaware of their security obligations would be a strong case for the prosecution, not the defense.

Corporate strategies, policies and standards: many organizations have formal company rules relating to information risk and security, website privacy policies for instance. If employees don't know and care about them, what is the point in even having them? Despite being an obvious requirement (obvious to us anyway, and now to you too!), awareness and training are not universal, although the requirement is no different from that for, say, health and safety, overtime or expenses. Aside from the practical side, there are legal aspects to this: employers are obliged to ensure that employees are properly informed about the policies and rules that apply to them if those rules are to be enforced (e.g. used to discipline employees for noncompliance).

Published national and international standards: numerous information risk, security, privacy and related standards are available. Compliance is generally discretionary (management decides whether or not to adopt the standards, and how) but some (such as ISO27k and NIST SP800-53) are imposed on some organizations for commercial, legal and regulatory reasons. Technical security standards covering encryption, authentication etc. in products are mandatory in the sense that interoperability and compliance are essential for customers. Standards covering the confidentiality, integrity and availability aspects of financial information, reporting etc. are often imposed through accounting and auditing professional practices, qualifications/certifications or in laws and regulations.

Good practices: the compliance pressure here is less obvious but just as strong. Organizations that do not conform to generally accepted good practices in information security and privacy risk being hauled over the coals by aggrieved parties if there are incidents, given a rough time by the auditors, authorities and owners, shunned by customers, suppliers, partners and potential employees, and criticized by the media. The reputational damage can be severe with long-lasting impacts on business prospects, especially in those industries that are critically dependent on trust and integrity. Furthermore, organizations that go beyond the bare minimum are making an ethical stand that will resonate with others, enhancing their brands.