Creating an information security and privacy awareness and training program is not a simple task. It is often a frustrating task. It is often a challenging task. And many times, unfortunately, it is often a thankless task. However, providing your personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of your organization’s business success.
If your personnel do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, you not only risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk being in noncompliance of a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset, corporate reputation. Information security and privacy education are important for many reasons, including the following.
Regulatory Requirements Compliance
There are an increasing number of laws and regulations that require some forms of training and awareness activities to occur within the organizations over which they have jurisdiction. Factors under the U.S. Federal Sentencing Guidelines that impact the severity of the judgments include the following:
- How frequently and how well does the organization communicate its policies to personnel?
- Are personnel getting effectively trained and receiving awareness?
- What methods does the organization use for such communications?
- Does the organization verify that the desired results from training occur?
- Does the organization update the education program to improve communications and to get the right message out to personnel?
- Does the training cover ethical work practices?
- Is there ongoing compliance and ethics dialogue between staff and management?
- Is management getting the same educational messages as the staff?
According to the Department of Justice, in 1995, 111 organizational defendants were sentenced under the guidelines, with 83 cases receiving associated fines. By 2001, the number of organizational defendants sentenced rose to 238, with 137 getting fines and 49 getting both fines and restitution.
- Average fine: $2.2 million.
- Average restitution awarded: $3.3 million.
- Of those sentenced, 90 had no compliance program.
From 2005 to 2006, there were 217 organizational defendants, and only three of the organizations were found to have an effective compliance program in place as required by the guidelines. The existence of what the courts consider as effective compliance programs are more important, and carry more weight in sentencing judgments, than they ever have before. And they are getting more important as more regulations and laws are put into effect. Along with this increased scrutiny of compliance programs, and the training and awareness activities that are necessary within, it is likely that the numbers of fines and penalties will increase.
A regulatory education program should:
- Address your company’s interpretation of applicable security and privacy laws and regulations
- Support the activities your organization takes to mitigate risk and ensure security and privacy based upon the results of a baseline assessment, and support your company’s policies
Customer Trust and Satisfaction
Respect for customer security and privacy is one of the most important issues facing your company today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII).
To gain and keep customer trust, your company must exercise good judgment in the collection, use, and protection of PII. Not only do you need to provide training and awareness of this to your personnel, but you also need to keep your customers, with whom you already have a business relationship, and consumers, with whom you would like to have a business relationship, and who may have provided some information to you, informed regarding what you are doing to protect their privacy and ensure the security of their information through various awareness messages.
These topics will be discussed in more detail in Chapter 10, but I will list a few specific items here to be sure you include them in your training and awareness program because they can have such a big impact on how consumers and customers view your organization, and on how much trust and satisfaction will result from your educational efforts. The goal is to provide training and awareness that will result in:
- Your company adequately protecting each customer’s PII from inappropriate exposure or sharing
- Giving your customers the opportunity to indicate their contact preferences at the point where their PII is collected.
- Personnel’s understanding that senior management is serious about protecting customer’s PII, and that personnel who do not comply with security and privacy policies could face serious consequences, including termination.
- Customer PII not being used for any purpose that was not disclosed to the customer at the time of collection.
- Customers being able to opt out of any touch-point or service (such as a newsletter subscription or Web site), and ensuring that your personnel know the appropriate processes that must be in place to honor the decision.
- Ensuring you give customers information about what you are doing to protect their PII, how it will be used, and knowing how to give them choice for deciding whether to be included in your marketing databases.
- All your company email communications being opt-in, with very few approved exceptions for administrative contact. Mobile phone marketing and third party data sharing should also be restricted to opt-in. Postal and phone communications are typically opt-out, but it is a good leading practice to also make these opt-in.
- Protecting your customer PII by contract (written agreement) and compliance audits.
All workers, both employees and contract, or companies directly handling or influencing the handling of your company’s customer PII should receive targeted security and privacy training before handling customer information, with refresher training every year, or more often, based on the nature of your business and the potential impact to your business if PII is not handled correctly. They should also receive ongoing awareness communications to reinforce security and privacy issues and requirements and help to imbed such practices within their daily work activities.
You should provide training and awareness to ensure that all your company’s activities comply with your privacy policy, as well as with local laws and regulations. Your security and privacy messages must communicate that:
- Your company is obligated to fulfill the privacy expectations that it has communicated.
- Your personnel must know the customer privacy principles.
- Your personnel must incorporate the principles into their daily job responsibilities and tasks.
- Your personnel face sanctions, including possible termination, for not complying with security and privacy policies.
Compliance with Published Policies
Organizations are obligated to comply with their own information security and privacy policies. If compliance is not enforced, such policies are basically worthless!
So, organizations need to educate personnel about their information security and privacy roles and responsibilities, especially in support of published policies, standards, and procedures. Awareness and training should be designed to support compliance with security and privacy policies. Executive management acts as role models for personnel, and their actions heavily influence the level of employee awareness and policy compliance.
Senior management should clearly and visibly support, encourage, and show commitment to information security and privacy training and awareness activities. Training and awareness activities should include a review of the policies and address issues and topics such as those discussed later in this book.
If possible within your organization, implement a procedure to obtain a signed information security and privacy awareness agreement at the times you deliver the training, to document and demonstrate that training and awareness activities are occurring, that the personnel acknowledge understanding, and that the education efforts are ongoing.
Due Diligence
In general, due diligence is providing demonstrated assurance that management is ensuring adequate protection of corporate assets, such as information, and compliance with legal and contractual obligations. This is a powerful motivator for implementing a training and awareness program.
Key provisions of the U.S. Federal Sentencing Guidelines and recent amendments include establishing an effective compliance program and exercising due diligence in the prevention and detection of criminal conduct. Any organization with some type of compliance requirement and plans, which is basically all public entities, given the Sarbanes-Oxley Act of 2002,is directly impacted by the new guidelines. One way such due diligence is demonstrated is through an effective, executive-supported, information security and privacy education program.
The organizational sentencing guidelines motive organizations to create a program to reduce and, ideally, eliminate criminal conduct by implementing an effective ethics and compliance program that includes compliance with all applicable laws. The updates to the sentencing criteria incorporate leading practices that have been referenced and identified in such regulations as the Sarbanes-Oxley Act, HIPAA, GLBA, the Red Flags Rules, the HITECH Act, and other internationally recognized standards. The 2004 updates are contained in guidelines (at ยง8B2.1, as discussed later in this chapter) and elaborate upon the need for organizations to more rigorously demonstrate responsibility and demonstrate executive leadership.
To have a program that effectively conforms to the guidelines, an organization must demonstrate that it exercises due diligence in meeting compliance requirements and also promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” It is important to note that the guidelines describe functional requirements, and it does not matter if an organization calls the program a compliance program, an ethics program, or some other name. The actions and activities of the program are what reviewed if a due diligence and sentencing situation arises. At a high level, the following are the organizational requirements described in the updated guidelines:
- Develop and implement standards and procedures to prevent and detect criminal conduct
- Assign responsibility and ensure adequate resources at all levels, and authority for the program
- Perform personnel screening as applicable (in accordance with laws, regulations, and labor union requirements) and as related to program goals and the responsibilities of the staff involved
- Ensure adequate and effective awareness and training at all levels of the organization
- Ensure auditing, monitoring, and evaluating activities occur to verify program effectiveness
- Implement internal reporting systems that ensure non-retaliatory reaction
- Provide incentives and enforce discipline to promote compliance
- Consistently take reasonable steps to respond to violations and prevent similar violations from occurring
The motivation behind these updated guidelines seems to be to ensure that if an organization is convicted of a federal offense, the leader will face stiff sentences and civil penalties unless they provide proof of having a stringent, well-communicated compliance program. This should drive organizations to make ongoing, continuously communicated compliance programs, including awareness and training components, a priority.
It is not enough to simply write and publish information security and privacy policies and procedures. Organizational leaders must now have a good understanding of the policies and the program, support them, and provide oversight as reasonable for the organization. This reflects a significant shift in the responsibilities of compliance and ethics programs from positions such as the compliance officer or committee to the highest levels of management. The guidelines require that executive leaders support and participate in implementing the program. To accomplish this, an effective ongoing information privacy, security and compliance education program must be in place.
Every compliance plan, including information security and privacy, must include continuing involvement of the highest level of organizational management in its design and implementation. Compliance will then become part of the daily responsibilities of upper management. Requirements for effective training and awareness now extend not only to personnel and business partners and associates but also to the highest levels of management, and must be ongoing.
When considering due diligence, it follows that a standard of due care must be observed. Quite simply, this means that organizational leaders have a duty to ensure the implementation of information security and privacy even if they are not aware of the specific legal requirements. If leaders do not ensure that actions are taken to reasonably secure information and ensure privacy, and as a result others experience damages, it is possible both the organization and the leaders could face legal action for negligence. This certainly should motivate leaders to invest time, resources, and personnel in establishing an ongoing, effective, well-documented information security and privacy awareness and training program.
Corporate Reputation
Reputation is another critical organizational business success asset. Without a good reputation, customers leave, sales drop, and revenue shrinks.
Reputation must be managed well. A component of managing a good reputation is ensuring that personnel and business partners follow the right information security and privacy precautions to lessen the risk of compromising private information; such incidents will likely lead to some very unfavorable news reports and media attention. Corporate social responsibility (CSR) is another way to manage reputation risks more effectively, by building trust and legitimacy with your key customers, consumers, and stakeholders. Many recent news reports and various studies (2) reveal that most organizational chief executives believe that corporate reputation is more important now than ever before. Organizations are now taking reputation seriously into consideration when devising business strategy. Some of the activities for which they are devoting resources to help ensure good reputation include:
- Determining the impact of corporate policies and providing advice to business leaders on how corporate strategies and policies influence reputation
- Identifying risks and opportunities that can affect corporate reputation negatively or positively, such as information security and privacy practices
- Identifying target audiences of consumers by following the analysis of current and desired perceptions and assisting in the definition and articulation of key information security and privacy messages
- Developing government relations at multinational, national, state, and local levels to more easily facilitate compliance with mandates
- Preparing security and privacy awareness programs to raise the company’s profile with the public
- Developing media strategies, customer relations, and internal communications programs to ensure consistency of information security and privacy messages that may be communicated by personnel
- Establishing and maintaining a high standard of security, privacy, and crisis management within the organization, and providing training to security and privacy crisis management and media communications groups
There are many issues that impact corporate reputation that can be addressed through effective ongoing information security and privacy training and awareness activities. Some of these include:
- Customer complaints
- Competitor messages and internal messages related to competitors
- Customer satisfaction levels with your organization’s security and privacy practices
- Providing for customers with special needs and requests
- Number of legal noncompliance reports regarding security and privacy
- Perceived strength of posted security and privacy policies
- Marketing through what is considered as spam
- Number of staff grievances
- Upheld cases of corrupt or unprofessional behavior
- Number of reported security and privacy incidents
- Staff turnover related to training and communications
- Value of training and development provided to staff
- Perception measures of the company by its personnel
- Existence of confidential grievance procedures for workers
- Proportion of suppliers and partners screened for security and privacy compliance
- Proportion of suppliers and partners meeting security and privacy norms
- Perception of the company’s performance on security and privacy by consumers worldwide
- Proportion of company’s managers meeting the company’s standards on security and privacy within their area of operation
- Perception of the company’s performance on security and privacy by its employees
- Perception of the company’s performance on security and privacy by the local community
- Dealing with activist groups, especially militant groups, opposed to the organization
According to www.csreurope.org, over 100 empirical studies published between 1972 and 2000 have analyzed the relationship between what respondents considered to be socially responsible conduct of organizations and their financial performance, which included how the organizations handled the security and privacy of their customer PII. Sixty-eight percent of the results in the studies exhibit a positive relationship between organizations’ public reputation and perceived social performance and their financial performance. More recent studies continue to support these findings:
- Ernst & Young (E&Y) 2009 Global Risks Survey: Reputation risks, ranked 22nd in the 2008 E&Y global risks report, rose dramatically to number 10 in the 2009 report. The impact of the financial crises, including information security incidents and privacy breaches, were factors in this ranking.
- According to the Corporate Reputation Watch 2006 from PR firm Hill & Knowlton, 90% of financial analysts believe that companies which fail to adequately look after non-financial aspects of reputation, including such things as information security and privacy, will suffer financially.
Accountability
Most personnel understand that if their performance is being measured for certain activities, then they had better do them efficiently because those measures can be used to impact their career with the company in some way. If an organization reports information security and privacy compliance and connects it with personnel performance, then personnel understand their accountability more clearly and are even more likely to comply.
Accountability now has more impact on a company and corporate personnel than ever before. There are a growing number of legal actions in which the victims of inadequate information security and privacy practices are filing suits against organizations that were not necessarily the perpetrators of an incident, but whose systems and poor practices contributed to allowing the incident to occur. For example, there have been instances involving denial-of-service (DoS) attacks in which lawsuits have been filed against Internet service providers (ISPs) whose networks were used by hackers to launch attacks.
The effect of such legal actions is to make organizations and people with poor information security and privacy practices accountable for the misuse of their network. Such shifts in accountability start moving the enforcement of policy away from management toward individuals and are also being supported by new regulations and U.S. government moves, such as requiring federal agencies to increase personnel accountability for breaches and requiring security to become standard in all network and computing products. These moves are publicly supported, such as when Daryl White, then chief information officer for the U.S. Department of the Interior, was reported to have said in 2002 with regard to information security, “You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”
To achieve accountability, the information security and privacy training and awareness program must be well organized, support business goals, and clearly supported by executive leaders to ensure participation. The regulations and sentencing-guideline updates discussed earlier require organizations to make their personnel accountable for their business activities, and training and awareness are ways in which this accountability can be established.
Also consider implementing the use of awareness acknowledgments to further increase awareness and accountability for information security and privacy. Your organization should expect all employees, officers, contractors, and business partners to comply with privacy, security, the acceptable use of policies, and protect your organization’s information and systems assets. Such signed acknowledgments document your organization’s efforts and due care to ensure that all personnel are given the information they need to perform their job responsibilities in a manner that protects information and network resources, and therefore these documents may be considered facilitators for your awareness and training efforts. Such documented acknowledgments could also provide valuable support for any sanctions you need to administer for policy noncompliance.