Awareness, Training and Education
Training and education for employees are a critical component of any security program. Newer statutes, regulations, and consent decrees in the U.S. clearly recognize that even the very best physical, technical, and administrative security measures are of little value if employees do not understand their roles and responsibilities with respect to security. For example, installing heavy-duty doors with state-of-the-art locks (whether of the physical or virtual variety) will not provide the intended protection if the employees authorized to have access leave the doors open and unlocked for unauthorized persons to pass through.
Security education begins with communicating applicable security policies, procedures, standards, and guidelines to employees. It also includes implementing a security awareness program,108 issuing periodic security reminders, and developing and maintaining relevant employee training materials,109 such as user education concerning virus protection, password management, and how to report discrepancies. Applying appropriate sanctions against employees who fail to comply with security policies and procedures is also important.110
Monitoring and Testing
Merely implementing security measures is not sufficient. Companies must also ensure that the security measures have been properly put in place and are effective. This includes conducting an assessment of the sufficiency of the security measures in place to control the identified risks,111 and conducting regular testing or monitoring of the effectiveness of those measures.112 Existing precedent also suggests that companies must monitor compliance with their own security programs.113 To that end, a regular review of records of system activity, such as audit logs, access reports, and security incident tracking reports,114 is also important.
Review and Adjustment
Perhaps most significantly, the legal standard for information security recognizes that security is a moving target. Businesses must constantly keep up with
108 See, e.g., FISMA, 44 U.S.C. Section 3544(b)(4); HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(5)(i); Ziff Davis Assurance of Discontinuance, Para. 24(d), p. 5.
109 Ziff Davis Assurance of Discontinuance, Para. 27(c), p. 7.
110 HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(C); Microsoft Consent Decree at II, p. 4.
112 FISMA, 44 U.S.C. Section 3544(b)(5); Eli Lilly Decision at II.C; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III(c)(3).
113 Ziff Davis Assurance of Discontinuance, Para. 27(e) and (f), p. 7; Eli Lilly Decision at II.C.
114 HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(D).