Mitigating Risk Exposure

As previously stated, it is impossible to eliminate risk. The goal is simply to mitigate risk. More specifically, the goal is to mitigate risk such that the residual risk is at or below acceptable levels. How can information security policies help? Well-defined security policies balance business requirements and limit behavior. The policy reflects how the business wants to manage its risks. The importance placed on such issues as customer privacy and protecting company secrets directly influences employee behavior.

Security policies must drive a culture that mitigates risk exposure. Policies, and the way they are enforced, reflect the business perception of risk. They are more than just simple business requirements that translate into security controls. Policies can reduce business risks by setting the tone at the top and promoting a risk-aware culture.

NOTE

Tone at the top refers to a company’s leaders making sure every employee knows the priorities. In this case, it means senior management’s stated commitment to security policies. Beyond words, the actions taken by senior managers to implement and enforce policies build trust with the public and with regulators.

Educate Employees and Drive Security Awareness

Security is ultimately a function of people, processes, and technology working well together. A well-educated employee goes a long way toward reducing risk. Policies cannot define every risk. Unlike automated security controls, which look only for specific risks, an aware employee can better detect unusual activity. This ability to detect and deal with the unexpected makes employees extremely valuable in reducing business risk.

A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. The carrot aims to educate the employee about the importance of security policies. You can use rewards to motivate compliance. The stick reminds employees of the consequences of not following policy. Motivation is a powerful tool in any environment. Positive reinforcement often yields better results than negative consequences. Unfortunately, you may need both components to implement a successful security policy program.

NOTE

If policies are optional, employees might treat them simply as guidelines. If you never enforce a policy, employees might perceive it as irrelevant or unimportant.

You can implement a security awareness program in many ways. Here are some generally accepted principles:

  • Repetition—Most employees do not deal with risk daily, so they need to be reminded.
  • Onboarding—New employees should be told of their responsibilities immediately.
  • Support—Leaders should provide visible support.
  • Relevance—Rules that show awareness of the business context are more likely to be followed.
  • Metrics—Measure the effectiveness of policies.

TIP

Refresh your security awareness training program at least once a year. Retrain employees after revising the program. It is important to connect with your audience. Just like a commercial, you are selling a message. Use whatever approach works. Humor works well.

The presentation of security awareness training is also critical. Security awareness is about good communication. It’s not about memorizing policy word for word. You need to focus on key concepts and teach employees when to ask for help. An employee should know what to do when encountering something suspicious or unexpected. Be sure to point out resources such as intranet sites within the organization. Most important, a security awareness program should teach an employee where to go for help. New employees especially need to know they are not alone in dealing with unexpected issues.

Leaders need to provide visible support for the program. Training takes time away from employees’ regular work. Leaders need to walk the talk. They themselves need to take the training and reinforce the message with their teams. How leaders reward when policies are consistently followed or react when they are not sends a strong message. The daily message sent by leaders determines the risk culture of an organization.

A security awareness program gains credibility when the business sees a reduction of risk. Each employee plays a role in the business process. Multiple benefits come with a security awareness program that emphasizes the business risk, including:

  • Value—Policies relevant to business are more likely to be followed by the business.
  • Culture—Well-understood and enforced security policies promote a broad risk culture.
  • Resiliency—Policies provide a basis for dealing with the unexpected.

Competence is difficult to measure. At a minimum, most programs track the names of those who attended classes; however, simply taking roll is not a good way to measure competency. Many awareness programs have short quizzes to test key areas of knowledge. The challenge is that an employee may need to apply the knowledge long after the class ends. Often the best measure is noting real-world problems that occurred because policy was not followed. That way you can go back and continuously improve the training.

A risk-aware culture may be the critical success factor that affects the business the most. This means a culture that shares a common set of values, beliefs, and knowledge about the importance of managing risks. When you develop a risk-aware culture, people want to do the right thing all the time. It is second nature to follow the rules and support one another. This translates into an increased likelihood of policies being followed. When this behavior is modeled every day by everyone, it becomes the norm and defines the risk culture.

Prevent Loss of Intellectual Property

The Legal Information Institute, created by Cornell Law School, defines intellectual property (IP) as “any product of human intellect that is unique and un-obvious with some value in the marketplace. Intellectual property laws cover ideas, inventions, literary creations, unique names, business models, industrial processes, computer program code, and more.”3 Intellectual property can include patents, copyrights, and trademarks; however, IP is not limited to those three categories. In business, IP is a term applied broadly to any company information that is thought to bring an advantage. For instance, you need to protect secrets in order to protect your advantage over competitors. IP comes in many forms and can be electronic or physical. Security policies should state how to protect that information regardless of format.

Certainly, there are technological measures that can aid in protecting IP, but the focus in this text is policies. Protecting IP through security policies starts with human resource (HR) policies. The first step is screening employees to try to reduce the likelihood of an employee disclosing IP. However, these HR policies also establish a code of conduct. They should give employees clear direction as to what the organization owns with respect to IP. The issue of IP ownership can be confusing when a new employee brings to the workplace IP acquired or created while he or she was at another firm. Employment agreements may even attempt to enforce the confidentiality of IP after an employee leaves the organization or for work performed during the employee’s spare time. These HR policies and employment agreements may or may not be enforceable, depending on current law and location. Nonetheless, when building security policies, you should take a close look at HR policy. You want to be sure there are no conflicts between HR policy and security policy.

Labeling Data and Data Classification

The first step is labeling intellectual property. Is this data confidential? Is it proprietary? Once an organization clearly defines its intellectual property (IP), the security policies should define how to label or classify the information. There is a difference between labeling and classifying data. In both cases, a label identifies the level of protection needed. A label is typically a mark or comment placed inside the document itself; for instance, putting a “confidential” label in the footer of a document. When you classify a file in a process known as data classification, a label may or may not be applied. When data classification is applied, the sensitive file is placed in a secured location.

Some organizations can have difficulty inventorying their intellectual property. IP material comes in many forms. Consider a simple document labeled as sensitive IP. Portions of the document may be cut and pasted to create new material. How much of that new material should be considered IP? Although this can be difficult, the generally accepted approach is to label what you can. Restrict access based on the label. Treat any new document containing any portion of the original IP with the same restrictions you placed on the original material. Unfortunately, there can be a merging of confidential data with nonconfidential data. Thus, there is a need to clearly label and classify data.

One of the most important deliverables of security policies is the labeling and data classification approach. The approach selected will drive the cost of handling data. An employee needs to know how to handle both kinds of information—labeled and classified. Security policies instruct an employee on the proper handling depending on the business requirements. The combination of the following is a widely accepted practice to help prevent loss of IP:

  • Label and classify IP data.
  • Restrict access.
  • Filter email and other communication tools for IP data.
  • Educate employees on handling IP material.

Even civilian organizations can take some direction from Department of Defense data classifications. The U.S. Department of Defense classifies data as confidential, secret, or top secret, and there are a few other special classes of top-secret data (such as sensitive compartmented information [SCI] and special access program [SAP]). Although a civilian organization may not require that much fine-tuning, a minimum of confidential vs. public classification is necessary. Then confidential data can be further labeled as patent, trade secret, business process, customer data, or whatever data labels are appropriate for the organization. Whatever methodology the organization selects, the most important thing is consistent labeling of data.

Protect Digital Assets

Digital assets are any digital content an organization owns or has acquired the right to use. PC Magazine defines digital assets as “Any digital material owned by an enterprise or individual including text, graphics, audio, video and animations. A digital asset is owned by an organization if it was created on the computer by its employees or if it was custom developed for and purchased by the organization. Images scanned into the computer are also a digital asset if the original work was owned by the company.”4 The term digital assets is often inaccurately applied to all computer-related resources. This chapter will use the strict definition.

It is also important to inventory the various assets. You can protect digital assets with a good inventory. You know where data is only once you identify a specific digital asset and apply a label or data classification to it. The challenge is keeping track of the information as it is moved, changed, created, and deleted. A good inventory of digital assets allows you to design security controls where the data resides. Security policies define what an asset is. They also define what label or classification should be applied. You can see these key relationships needed to protect information in FIGURE 2-2.

[Figure: a flow diagram showing the key components in protecting digital assets.]

FIGURE 2-2 Key components in protecting digital assets.

The ability to protect information starts with well-defined security policies. The definition of digital assets is so broad it is difficult to create a complete inventory. Many organizations rely on tools that scan servers, desktops, and laptops. They try to inventory sensitive information based on patterns such as Social Security numbers (SSNs). When they see a pattern match, they can determine the level of security control to apply.

To protect digital assets, you need to know where your data is. You need good tools to inventory information and networks. You will need to refresh this inventory often. Finally, you need to be able to label or classify data quickly. The sooner data is labeled or classified, the sooner it is protected. The ability to inventory digital assets is a major policy implementation issue.

Once data is inventoried, it’s fairly straightforward to apply a label or classify the data. But you need to be sure the security policies clearly define the handling for each label and data class. It’s almost impossible to classify every data file. Think of the thousands of files on a single personal computer or laptop: data in the form of documents, essays, screen shots, pictures, tax returns, and much more. Much of this is considered unstructured data. The data was not predefined or as well organized as you would find in a production environment such as a bank, which will have defined processes for transactions such as taking deposits. Production systems organize data in a well-defined manner. Their processes are unambiguous and repeatable.

WARNING

Creating an accurate inventory is a major problem, given the speed at which data files are created, deleted, moved, and changed. Not knowing where your highly sensitive data is at any point in time is a major risk. Mobile devices such as USB drives and smartphones that can receive email compound the problem. And how do you protect information when it leaves your network? An organization should prioritize the inventory of assets, starting with the most sensitive.

Applying data classification to unstructured data is a major challenge. Often data classifications are applied to where data is stored. In other words, you may not know all the files within a user’s laptop, but you know it’s a user’s laptop. Based on that knowledge, any data placed on a laptop may have a certain data classification. This is a good technique when assessing data classification at a file level is not possible.

Technical TIP

Whenever possible, you should put inventory tools that automatically classify data into log mode. In log mode, the security control records only what it would have done but does not take the action. Then, by reviewing the logs with management, you can assess the impact of classifying data in that way. It is not unusual for automated tools to overclassify, locking the business out of key systems. For example, let’s assume you highly restrict access to customer addresses. Potentially, the logs would show that the customer care desk could not access the data to verify customers’ identity when they call in for help. You can avoid upset users by rehearsing the control in log mode before applying it as a preventive control. In this example, no actual customers or business functions would be affected. The security control could then be adjusted to include access for the customer care desk. Log mode is a good way to gain business support for implementing more restrictive security controls.
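The three techniques above (pattern-based scanning for SSN-like data, classifying by storage location when file-level classification is not possible, and running the control in log mode before enforcing it) combined into one small classifier. This is an added illustration, not code from the text or any real inventory product; the patterns, paths, group names and sample files are constructed for the example.

```python
import re
from collections import namedtuple

# Content patterns a scanning tool might match (constructed for this example;
# a real inventory tool uses validated detectors, not bare regexes).
PATTERNS = {
    "customer data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped
    "trade secret": re.compile(r"\b(proprietary|trade secret)\b", re.I),
}

# Location defaults: when file-level classification is not possible, classify
# by where the data is stored (anything on a laptop defaults to confidential).
LOCATION_DEFAULTS = {"/home/laptop/": "confidential", "/srv/public/": "public"}

# action is "would-restrict" (log mode), "restricted" (enforce mode) or "none"
Finding = namedtuple("Finding", "path classification labels action")

def classify(path, text):
    """Classify one file: content patterns first, then storage location."""
    labels = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if labels:
        return "confidential", labels
    for prefix, default in LOCATION_DEFAULTS.items():
        if path.startswith(prefix):
            return default, []
    return "unclassified", []

class Scanner:
    def __init__(self, log_mode=True, extra_access=None):
        self.log_mode = log_mode
        # Path prefix -> group granted access to restricted files under it,
        # i.e. the adjustment made after a log review shows who needs the data.
        self.extra_access = extra_access or {}
        self.audit_log = []
        self.acl = {}  # path -> groups allowed; filled only in enforce mode

    def scan(self, files):
        findings = []
        for path, text in files.items():
            cls, labels = classify(path, text)
            action = "none"
            if cls == "confidential":
                if self.log_mode:
                    action = "would-restrict"  # record the decision, do not act
                else:
                    groups = {"data-owner"}
                    groups |= {g for p, g in self.extra_access.items() if path.startswith(p)}
                    self.acl[path] = groups
                    action = "restricted"
            findings.append(Finding(path, cls, labels, action))
            self.audit_log.append(f"{action}: {path} [{cls}] {labels}")
        return findings

# Constructed sample files (path -> contents) standing in for a file share.
SAMPLE_FILES = {
    "/srv/public/press-release.txt": "Our new product ships in May.",
    "/home/laptop/todo.txt": "Call the dentist.",
    "/srv/care-desk/customer-123.txt": "Name: J. Doe  SSN: 123-45-6789",
    "/srv/eng/design.md": "This design is PROPRIETARY. Do not distribute.",
}

def review_in_log_mode():
    """Dry run: paths the control would restrict, for review with management."""
    s = Scanner(log_mode=True)
    return [f.path for f in s.scan(SAMPLE_FILES) if f.action == "would-restrict"]

def enforce_with_adjustment():
    """After the review: enforce, but grant the customer care desk its access."""
    s = Scanner(log_mode=False, extra_access={"/srv/care-desk/": "customer-care"})
    s.scan(SAMPLE_FILES)
    return s.acl
```

The log-mode pass shows that the care desk's customer file would be locked down; the enforce pass then restricts it while adding the customer-care group, which is the adjustment the tip describes.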

Secure Privacy of Data

It is human nature to crave privacy when it comes to our personal matters. People want their highly personal information to be secure—whether it is their medical or financial records. What many do not realize is that this information can be stored in digital files in computers anywhere in the world. Your personal information might be found with an offshore vendor in China. Regardless of where your personal data travels, securing and protecting this information is both a trust and a legal obligation. This chapter focuses on U.S. privacy obligations; however, all developed countries throughout the world have some form of privacy laws.

The concept of protecting privacy starts with data that identifies people as unique individuals. The U.S. Government Services Organization cites the Office of Management and Budget (OMB), which defines personally identifiable information (PII) as:

Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.5

NOTE

Different states have varying laws that define what is included as PII. For instance, one state may consider a person’s home address a public record, whereas another may not. States vary also in how they require data to be handled to protect privacy. Most large companies adopt a single policy that can be applied to multiple states.

Security policies need to define PII data by business type and location. A bank, for example, follows different federal regulations than a local check-cashing service or medical clinic. The state in which you operate could have different requirements than a neighboring state. Widely accepted practices help businesses navigate the maze of privacy regulations. For example, most states consider the combination of a person’s name and SSN as PII. With identity theft a major concern for both businesses and consumers, you should be careful of any combination of information that could be used to open or access an account. Depending on the business, these types of data have a good chance of falling within the PII definition.

Because organizations must follow many different privacy regulations, some organizations have established a chief privacy officer (CPO) position. This is the most senior leader responsible for managing an organization’s privacy risks. The CPO is responsible for keeping up with privacy laws. The CPO also needs to understand how the laws impact business. Due to the nature of the work, many CPOs are lawyers. Although they are generally not technology people, they work closely with technology teams to create strong security policies.

NOTE

The chief privacy officer provides direction on how to handle legal requirements regarding PII data, including how to report incidents.

You should consider the following guidelines when developing policy to secure PII data:

  • Examine—Understand local state and federal requirements.
  • Collaborate—Work closely with the CPO.
  • Align—Coordinate privacy policies with data classification policies.
  • Educate—Conduct awareness training on handling of PII data.
  • Retain—Ensure proper controls around data retention and destruction.
  • Limit—Collect only the data you need from an individual to provide the service or product.
  • Disclose—Fully disclose to the individual what data is being collected and how it will be used.
  • Encrypt—Consider using encryption when storing or transmitting PII data.

Full Disclosure and Data Encryption

Privacy regulations involve two important principles. Full disclosure gives the consumer an understanding of what data is collected and how the data is used. Data encryption provides a standard for handling consumer information.

The first principle—full disclosure—is the idea that an individual should know what information is being collected. They should also be told how that information is being used. Many people use the Internet as a quick-and-easy way to buy products and services. It seems like just as quickly your email inbox fills with offers from other companies. Did the online service collect and sell your information? Did the company fully disclose how that data was to be used? These are the issues that a privacy policy needs to address.

NOTE

Some regulations allow companies to sell customer data if the individual gives permission through an opt-in process. Other states allow for the sale of information but require that the consumer be given a choice through an opt-out process.

The second principle—data encryption—recognizes that even with the best efforts, data can fall into the wrong hands. This happens when data is stolen, lost, or accidentally accessed. Encrypted data can be read only when the user has the correct decryption key. For example, Roy has an encrypted hard drive containing his business ledgers. Moss finds Roy’s laptop, but Roy’s financial information is still secure because the hard drive cannot be read without the decryption key. This provides an additional layer of security.

Encryption is a preventive security control. But encrypting data and managing encryption keys can be complicated and expensive. Although expensive, it’s often a lot less expensive than having to notify millions of customers that their personal information has been lost or stolen. Beyond loss of trust, companies may face legal penalties.

Encryption is considered an effective practice. Encrypting data when transmitting over the Internet is commonplace today. Encrypting data at rest on a server’s hard drive or mass storage array is far more complicated if multiple technologies are involved. Sometimes, encrypting data at rest is not technically possible.

Technical TIP

Payment Card Industry Data Security Standard (PCI DSS) mandates the use of encryption for transmitting and storing credit card information. Companies and vendors have created materials to support these PCI requirements. Even if your organization does not process credit cards, this material could provide helpful guidance on encryption for protecting PII data. The Cisco PCI Solution for Healthcare Design and Implementation Guide, for example, outlines a conceptual model for protecting data, including encryption components. The guide is located at https://www.cisco.com/c/en/us/solutions/enterprise/design-zone/compliance.html

Lower Risk Exposure

Well-defined and enforced security policies lead to well-defined controls. These controls, in turn, protect the information. So how do you achieve lower risk exposure? The concept of exposure relies on a calculation that estimates the losses to the business in the event the risk is realized. First you need a scale that allows you to measure risk against predicted business losses. Over time, you invest in people, processes, and technology to lower that risk to an acceptable level. That acceptable level is sometimes called your “risk appetite.”

What a risk appetite tells you is how much loss an organization is willing to accept in the normal course of business. These calculations are made in many different businesses and industries. Credit card companies estimate losses from fraud and invest in countermeasures. As the fraud rises, so does the spending to stop it and lower the risk exposure. You calculate the loss if these events occur and invest in programs to lower the risk exposure. For example, most banks today have changed their security policies to require much more rigorous screening of calls to the customer service desk. It’s not unusual for a customer to be asked more detailed questions than just their name, account number, and SSN. A customer could be asked about current balances, last transactions, and other details in an attempt to reduce risks of fraud.

There is no easy way to calculate risk to the business in the event of a security breach. Ideally, you should calculate risk exposure in terms of total potential losses in financial terms. Given that security breaches could also result in reputation damage, it is hard to calculate that in financial terms.

Some organizations take an easier approach. They calculate risk exposure in terms of security policy compliance. This approach takes a leap of faith that if you comply with good security policies, you are adequately controlling the risk. This approach lets you lower risk exposure to the business by measuring and improving policy compliance over time.

Regardless of approach, you cannot rely exclusively on a risk score. A risk score is quantitative and as such is a numerical representation of multiple factors. It does not replace risk judgment. Nor can it replace a person making a qualitative judgment through experience and common sense. Risk scores are based on factors people think they understand at a moment in time; however, the risk scores may not keep up with changes in the environment, technology, or the market. The danger is in blindly following the numbers (the quantitative judgment) when common sense and experience (the qualitative judgment) say the risk is much higher. Think of the financial crisis of 2007–2008, with trillions of dollars in losses and millions put out of work. Many risks were considered low. This is an oversimplified example, but generally the quantitative scores for many banks assumed that housing prices would continue to rise forever. So, it didn’t matter how much you loaned; there would always be buyers for properties, and homeowners would always have equity. The qualitative side, the human judgment and common sense, was missing. As a result, the United States endured the worst financial crisis since the Great Depression of the 1930s.