Security awareness is not just a good idea—it’s the law! Many regulations require security policies and a security awareness program. Having a security awareness program is considered a must in most industries. Not having a well-defined security awareness program opens an organization to a number of legal liabilities and regulatory penalties. The following list highlights a few examples of regulations requiring a security awareness program:
Federal Information System Security Managers’ Act (FISMA)
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
The NIST Computer Security Handbook
This is just a sampling of federal laws that require a formal security awareness program. Many laws at the state level also require security awareness, such as most state privacy laws. These laws will outline the frequency and target audience of the training.
One of the key objectives of a security awareness program is to promote a risk-aware culture. This means keeping information security at the top of employees’ minds in their daily jobs. You want people to react to situations automatically and intuitively in a way that reflects the core principles of the security policies. A security-aware culture is one in which people act in accordance with the organization’s beliefs and priorities.
Communicating security policy through a security awareness program is vital. Even the best policy is of little use if no one is aware of it. Security awareness aims to change behavior: it consists of a series of campaigns that improve understanding of security policies and of the risks to the organization. Security awareness is not a one-time event; it is a campaign that keeps reinforcing the message in different ways. The message must be delivered consistently and pitched to the level of expertise of the target audience.