What is involved in Security Awareness
Find out what the related areas are that Security Awareness connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in the sense that it is not per se designed to give answers, but to engage the reader and lay out a Security Awareness thinking-frame.
To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.
Below you will find a quick checklist designed to help you think about which Security Awareness related domains to cover and 162 essential critical questions to check off in that domain.
The following domains are covered:
Security Awareness, Access control, Civil law, Classified information, Computer, Criminal law, ISO/IEC 27002, Identity document, Information Security Awareness, Internet Security Awareness Training, Malware, Non-disclosure agreement, Password policy, Phishing, Physical Security, Privacy, Security, Security controls, Security management, Social engineering, Trade secret, Two-factor authentication, World War II:
Security Awareness Critical Criteria:
Communicate about Security Awareness engagements and get answers.
– How do you determine the key elements that affect Security Awareness workforce satisfaction? How are these elements determined for different workforce groups and segments?
– Is training varied to address evolving challenges, and dynamic enough to stimulate interest (e.g. flyers, regular emails, formal classroom sessions, an IT security awareness day)?
– Is there an up-to-date information security awareness and training program in place for all system users?
– Can Management personnel recognize the monetary benefit of Security Awareness?
– Is there any existing Security Awareness governance structure?
– Does the security awareness program address IT security?
– Do we utilize security awareness training?
Access control Critical Criteria:
Think carefully about Access control engagements and devote time assessing Access control and its risk.
– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?
– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?
– Can the access control product protect individual devices (e.g., floppy disks, compact disc read-only memory (CD-ROM), serial and parallel interfaces, and the system clipboard)?
– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?
– Does the provider utilize Network Access Control-based enforcement for continuous monitoring of its virtual machine population and prevention of virtual machine sprawl?
– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?
– Can we add value to the current Security Awareness decision-making process (largely qualitative) by incorporating uncertainty modeling (more quantitative)?
– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?
– Is the process actually generating measurable improvement in the state of logical access control?
– Access Control To Program Source Code: Is access to program source code restricted?
– What is the direction of flow for which access control is required?
– Should we call it role-based rule-based access control, or RBRBAC?
– Do the provider services offer fine-grained access control?
– What type of advanced access control is supported?
– What access control exists to protect the data?
– How would one define Security Awareness leadership?
– What is our role based access control?
– Who determines access controls?
Civil law Critical Criteria:
Explore Civil law issues and explore and align the progress in Civil law.
– Are breaches of any criminal or civil law and statutory, regulatory or contractual obligations and of any security requirements avoided?
– Who is the main stakeholder, with ultimate responsibility for driving Security Awareness forward?
– Will Security Awareness deliverables need to be tested and, if so, by whom?
– Does the Security Awareness task fit the client's priorities?
Classified information Critical Criteria:
Deduce Classified information quality and look at the big picture.
– Does Security Awareness include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?
– Are there any data with specific security or regulatory concerns with sharing (e.g. classified information or handling requirements), and how will they be addressed?
– What vendors make products that address the Security Awareness needs?
– How can you measure Security Awareness in a systematic way?
Computer Critical Criteria:
Win new insights about Computer management and explain and analyze the challenges of Computer.
– The pharmaceutical industry is also taking advantage of digital progress. It is using IoT for supply chain security in packaging and tracking of drugs. There are new companies using computer chips in pills for tracking adherence to drug regimens and associated biometrics. Using this as an example, how will we use and protect this sensitive data?
– Partial solutions can only be used if the information support is being developed for a process that has not yet been computerised. Namely, if users already use an old IT solution – will they partly use the old one and partly the new one?
– Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy?
– Do we prepare for the future where the internet will move significantly beyond relying on handheld devices and computer terminals towards a more massively integrated web of things?
– During the last 3 years, have you experienced a disruption to your computer system that lasted longer than 4 hours for any reason (other than planned downtime)?
– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about Security Awareness. How do we gain traction?
– Do we do this: as you approach the front desk, the customer service professional is busy typing on a computer; after several seconds, he mumbles, "Yes?"
– Will the selection of a particular product limit the future choices of other computer security or operational modifications and improvements?
– Is anti-virus software installed on all computers/servers that connect to your network?
– What is the difference between Interaction Design and Human Computer Interaction?
– What operating systems are used for student computers, devices, laptops, etc.?
– How well are information risks being communicated to your computer end-users?
– Does the organization need to analyze evidence from a computer incident?
– At what level is data first computerized (i.e., entered in a computer)?
– Can your software be accessed via Windows PCs and Apple Mac computers?
– How can e-learning or computer-based training be made more effective?
– Are all computers password protected?
– What if the data cannot fit on your computer?
– Who needs Computer Forensics?
– Access to your computers?
Criminal law Critical Criteria:
Paraphrase Criminal law quality and find the ideas you already have.
– Are there any disadvantages to implementing Security Awareness? There might be some that are less obvious.
– What is the source of the strategies for Security Awareness strengthening and reform?
ISO/IEC 27002 Critical Criteria:
Have a meeting on ISO/IEC 27002 failures and give examples utilizing a core of simple ISO/IEC 27002 skills.
– Think about the people you identified for your Security Awareness project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively?
– What is Effective Security Awareness?
– Is Security Awareness Required?
Identity document Critical Criteria:
Weigh in on Identity document tasks and catalog what business benefits will Identity document goals deliver if achieved.
– Who is responsible for ensuring appropriate resources (time, people and money) are allocated to Security Awareness?
– Do we monitor the Security Awareness decisions made and fine-tune them as they evolve?
– Have all basic functions of Security Awareness been defined?
Information Security Awareness Critical Criteria:
Discourse Information Security Awareness strategies and define what our big hairy audacious Information Security Awareness goal is.
– Do the Security Awareness decisions we make today help people and the planet tomorrow?
– What are our Security Awareness Processes?
Internet Security Awareness Training Critical Criteria:
Give examples of Internet Security Awareness Training engagements and pioneer acquisition of Internet Security Awareness Training systems.
– What are the Key enablers to make this Security Awareness move?
– How to deal with Security Awareness Changes?
Malware Critical Criteria:
Analyze Malware projects and tour deciding if Malware progress is made.
– IDS/IPS content matching can detect or block known malware attacks, virus signatures, and spam signatures, but are also subject to false positives. If the cloud provider provides IDS/IPS services, is there a documented exception process for allowing legitimate traffic that has content similar to malware attacks or spam?
– Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of a Security Awareness process. Ask yourself: are the records needed as inputs to the Security Awareness process available?
– Do we cover the five essential competencies (Communication, Collaboration, Innovation, Adaptability, and Leadership) that improve an organization's ability to leverage the new Security Awareness in a volatile global economy?
– How can you verify that the virtualization platform or cloud management software running on the systems you use, which you did not install and do not control, does not contain malware?
– Does your company provide resources to improve end-user awareness of phishing, malware, indicators of compromise, and procedures in the event of a potential breach?
– Is there an appropriately trained security analyst on staff to assist in identifying and mitigating incidents involving undetected malware?
– How can you protect yourself from malware that could be introduced by another customer in a multi-tenant environment?
– What is our formula for success in Security Awareness?
– Android Malware: How Worried Should You Be?
Non-disclosure agreement Critical Criteria:
Guard Non-disclosure agreement leadership and create Non-disclosure agreement explanations for all managers.
– How do senior leaders' actions reflect a commitment to the organization's Security Awareness values?
– Have the types of risks that may impact Security Awareness been identified and analyzed?
– What will drive Security Awareness change?
Password policy Critical Criteria:
Troubleshoot Password policy risks and explain and analyze the challenges of Password policy.
– Is there a password policy for non-consumer users that enforces the use of strong passwords and prevents the resubmission of previously used passwords?
– What are the success criteria that will indicate that Security Awareness objectives have been met and the benefits delivered?
– How does the organization define, manage, and improve its Security Awareness processes?
– Do we have a current vs. desired password policy on sensitive systems?
Phishing Critical Criteria:
Brainstorm over Phishing adoptions and assess and formulate effective operational and Phishing strategies.
– How do we make it meaningful in connecting Security Awareness with what users do day-to-day?
– How to Handle Email Spoofing / Phishing?
Physical Security Critical Criteria:
Scan Physical Security outcomes and find out what it really means.
– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?
– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?
– For your Security Awareness project, identify and describe the business environment. Is there more than one layer to the business environment?
– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?
– Secured Offices, Rooms and Facilities: Is physical security for offices, rooms and facilities designed and applied?
– Is maximizing Security Awareness protection the same as minimizing Security Awareness loss?
– Is the security product consistent with physical security and other policy requirements?
Privacy Critical Criteria:
Systematize Privacy risks and interpret which customers can’t participate in Privacy because they lack skills.
– Privacy should not be an afterthought, a bolt-on sometime between the initial coding and delivery of a new system. It should be designed in from the start, peer-reviewed and tested, and the data controller needs to be able to show that adequate security is in place, that it is monitored, and that the strictest data protection policies will apply by default. If you design your own custom apps, are these the standards you work to? When deploying purchased systems, is privacy set at its tightest by default?
– Does the information security function actively engage with other critical functions, such as IT, Human Resources, legal, and the privacy officer, to develop and enforce compliance with information security and privacy policies and practices?
– Describe the company's current practices that are used to protect proprietary information and customer privacy and personal information. Does the company have an information classification and handling policy?
– Have you considered what measures you will need to implement to ensure that the cloud provider complies with all applicable federal, state, and local privacy laws, including FERPA?
– Are legal and regulatory requirements regarding Cybersecurity, including privacy and civil liberties obligations, understood and managed?
– What tools do you use once you have decided on a Security Awareness strategy and more importantly how do you choose?
– Do you conduct an annual privacy assessment to ensure that you are in compliance with privacy laws and regulations?
– What information security and privacy standards or regulations apply to the cloud customer's domain?
– What risks to privacy and civil liberties do commenters perceive in the application of these practices?
– The real challenge: are you willing to get better value and more innovation for some loss of privacy?
– How will IoT applications affect users' control over their own privacy, and how will they react?
– Can We Quantitatively Assess and Manage Risk of Software Privacy Breaches?
– Who cares about IT Security and Privacy?
– Do we have designated Privacy Officers?
Security Critical Criteria:
Face Security visions and devise Security key steps.
– What is the impact on the training and level of effort needed to identify and define roles, the organizational impact of implementing roles, and the responsibility for role maintenance?
– Has anyone made unauthorized changes or additions to your system's hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent?
– If the organization will be using existing account directories, what are the performance and security implications if directories are regularly shadowed/replicated?
– Does the service agreement explicitly document procedures for notification and handling of security incidents?
– Appropriateness: Is the use of the information consistent with the purpose for which it was collected?
– How much should we invest in Cybersecurity (and how should those funds be allocated)?
– Are historical statistics available on the number of attacks detected and blocked?
– Do you have legal review of your content performed by staff or outside attorney?
– Is there a business case where additional cyber security risks are involved?
– How does the standard fit into the Federal Enterprise Architecture (FEA)?
– What governs the performance of services in the absence of a contract?
– Are there any licensing requirements for using the standard?
– Can Managing Enterprise Security Be Made Easier?
– Have we had a PCI compliance assessment done?
– Is senior management involved/sponsoring?
– What is the goal of information security?
– What Steps Have Been Taken So Far?
– Why choose managed services?
Security controls Critical Criteria:
Interpolate Security controls management and clarify ways to gain access to competitive Security controls services.
– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?
– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?
– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?
– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
– Think about the functions involved in your Security Awareness project. What processes flow from these functions?
– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?
– Is the measuring of the effectiveness of the selected security controls or group of controls defined?
– Does the cloud service provider have necessary security controls on their human resources?
– Do we have sufficient processes in place to enforce security controls and standards?
– Have vendors documented and independently verified their Cybersecurity controls?
– What are all of our Security Awareness domains and what do they do?
– Can we do Security Awareness without complex (expensive) analysis?
– What are the known security controls?
Security management Critical Criteria:
Set goals for Security management adoptions and slay a dragon.
– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?
– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?
– Does the service agreement have metrics for measuring performance and effectiveness of security management?
– How do we know that any Security Awareness analysis is complete and comprehensive?
– Is Security Awareness realistic, or are you setting yourself up for failure?
– What business benefits will Security Awareness goals deliver if achieved?
– Is there a business continuity/disaster recovery plan in place?
– So, how does security management manifest in cloud services?
– Are damage assessment and disaster recovery plans in place?
Social engineering Critical Criteria:
Have a session on Social engineering quality and finalize specific methods for Social engineering acceptance.
– Will our employees allow someone to tailgate into our facilities or will they give out their credentials to an attacker via social engineering methods?
– Does Security Awareness analysis isolate the fundamental causes of problems?
Trade secret Critical Criteria:
Discourse Trade secret risks and find out.
– To what extent does management recognize Security Awareness as a tool to increase the results?
Two-factor authentication Critical Criteria:
Accelerate Two-factor authentication adoptions and improve Two-factor authentication service perception.
– Who will be responsible for making the decisions to include or exclude requested changes once Security Awareness is underway?
World War II Critical Criteria:
Confer over World War II tactics and forecast involvement of future World War II projects in development.
– What is our Security Awareness Strategy?
This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Information security awareness Self Assessment.
Author: Gerard Blokdijk
CEO at The Art of Service | http://theartofservice.com
Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.
To address the criteria in this checklist, these selected resources are provided for sources of further research and information:
Security Awareness External links:
IRS Security Awareness Tax Tips | Internal Revenue Service
Security Awareness Training | Security Mentor
Access control External links:
Multi-Factor Authentication – Access control | Microsoft Azure
Linear Pro Access – Professional Access Control Systems
Civil law External links:
What is the Civil Law? | LSU Law – Civil Law Online
Classified information External links:
[USC04] 18 USC 798: Disclosure of classified information
http://uscode.house.gov/view.xhtml?req=(title:18 section:798 edition:prelim)
Computer External links:
Shredder Online Chess – Shredder Computer Chess …
Criminal law External links:
Benezra & Culver – Employment, Civil Rights, and Criminal Law
Criminal Law I Definitions Flashcards | Quizlet
Criminal Law (1988) – IMDb
ISO/IEC 27002 External links:
Iso/iec 27002 : 2013. (Book, 2013) [WorldCat.org]
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security management.
ISO/IEC 27002 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Identity document External links:
Land Bill | Identity Document | Title (Property)
Information Security Awareness External links:
[PDF]FY2018 Information Security Awareness and rules of …
https://www.dm.usda.gov/OBP/docs/FY2018 USDA ISA Training.pdf
Information Security Awareness Program | MediaPro
NIH Information Security Awareness Course
Internet Security Awareness Training External links:
[PDF]FY2015 Internet Security Awareness Training
Malware External links:
Spybot – Search & Destroy Anti-malware & Antivirus Software
Product info: Malwarebytes
Official site: malwarebytes.org/bing-download
Remove specific prevalent malware with Windows …
Password policy External links:
Setup strong password policy in Windows XP
Password Policy – technet.microsoft.com
Password Policy Template – IT Manager Daily
Phishing External links:
Phishing Scams | Navy Federal Credit Union
Internet Phishing Alert | Social Security Administration
Report Phishing | Internal Revenue Service
Physical Security External links:
ADC LTD NM Leader In Personnel & Physical Security
UAB – Business and Auxiliary Services – Physical Security
Protecting Portable Devices: Physical Security | US-CERT
Privacy External links:
Bank of America | Privacy Assist | Sign In
Privacy Statement – CEFA
Privacy and Security | U.S. Bank
Security External links:
my Social Security | Social Security Administration
What You Can Do Online | Social Security Administration
Security controls External links:
Picture This: A visual guide to security controls – CertMag
Security management External links:
VISIBLE VISITORS – Entry Security Management System …
Personnel Security Management Office for Industry …
Endpoint Security Management Software and Solutions – Promisec
Social engineering External links:
Social Engineering | Education Center | BB&T Bank
Phishing Simulation Software For Social Engineering Testing
Avoiding Social Engineering and Phishing Attacks
Trade secret External links:
Trade Secret – Outlet Furniture Warehouse
What is a Trade Secret? – wipo.int
Two-factor authentication External links:
Two-factor authentication for Apple ID – Apple Support
Two-factor authentication (eBook, 2015) [WorldCat.org]
Using Two-Factor Authentication with Shibboleth | …
World War II External links:
Pearl Harbor – World War II – HISTORY.com
World War II | HistoryNet
10 Bloodiest Battles of World War II – militaryeducation.org