For any company, especially a technology-oriented one, being aware of the cyberthreat landscape is critical. There is often a mindset that most cyberattacks can be warded off by procuring and implementing the latest security technologies. While this may be true to a certain degree, it also takes a high level of security awareness on the part of both employees and management in order to 100% fortify the lines of defense around the business or corporation.
In this article, we will examine the major components that need to be included in any security checklist.
1. The Major Components
One of the key aspects of any security awareness checklist is to address the components of the “CIA” triad. CIA is an acronym that stands for Confidentiality, Integrity and Availability.
Confidentiality
This refers to the protection and safeguarding of both information and data from unauthorized access and use. For example, for a healthcare-related technology company, this would mean that all patient records are highly restricted and available only to those personnel who absolutely require them. In this regard, security awareness means training your employees in the best practices for protecting the resources they use in their daily job tasks.
An area that needs to be addressed is the issue of “piggybacking.” This is when a temporary employee or contractor closely follows the movements of a regular employee in an attempt to garner their login credentials. It should be stipulated in the security awareness checklist that such actions should be immediately reported to the IT staff and that employee’s manager.
Integrity
This term refers to the requirement that any information and data transmitted remain in an unaltered state from the point of origin to the point of destination.
A perfect example of this is when an employee remotely logs into the corporate server from their company-issued laptop to access the shared resources that they need. Whatever information and data are transmitted back and forth should remain intact and unaltered. In this instance, the security awareness checklist should also include the proper usage of encryption protocols, so that the data remains in a garbled (encrypted) state while in transit and is only descrambled once it reaches the employee’s computer.
Training should also be provided to the employees as to what the telltale signs are of information and data that has been maliciously altered and the procedures for reporting this to the IT staff and management.
Availability
Availability means that any relevant information/data and shared resources that an employee needs to do their job are available immediately when they are requested. This assumes that the employee is authorized to access these datasets/shared resources and has been assigned the appropriate login credentials.
Therefore, the security awareness checklist should include a system of controls for conducting regular audit checks. This is to make sure that there is no compromise of, or unauthorized access to, the database which contains this mission-critical information. Employees should also be trained at regular intervals in how best to protect the shared resources that they are accessing.
2. The Protection of Corporate Resources
This is probably one of the most critical aspects of any type of security awareness checklist.
In this regard, one of the most widely used mechanisms is the password. Employees should be trained not only in how to create long, complex passwords that are difficult for a cyberattacker to crack, but also in the consequences of ever giving out their password(s) under any unauthorized circumstances.
The implementation of a password manager software package should also be addressed in the security awareness checklist. This tool is very effective in helping employees remember long, complex passwords and reset passwords that have been lost.
It is also important to note that “corporate resources” does not just refer to digital assets — it also refers to physical assets, such as paper documents. A security awareness checklist should include the proper usage of document-shredding machines and how the shredded documents should be disposed of.
Employees should also be carefully instructed on the procedures for reporting any type of suspicious behavior around company property. This would also include “dumpster diving,” in which outside third parties literally scour the garbage disposal bins in hopes of retrieving classified information.
3. Protecting the Business Facilities
As mentioned above, employees should be trained to look for suspicious behavior not only from the outside, but from the inside as well, that is, threats originating within the business or corporation itself. These are specifically known as “insider threats” and can be defined as follows:
“An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not necessarily need to be an employee – third party vendors, contractors, and partners could pose a threat as well”. (Source)
It’s important to note that these kinds of threats are often difficult to detect, as there are not always obvious clues or signs that can definitively predict such an incident. A behavioral specialist should be consulted as to what to look for. From there, specific strategies should be formulated and implemented into the security awareness checklist.
4. The Formal Security Awareness Training Program
The security awareness checklist should also factor in the timing and the venues where the formal training programs should take place. It should also contain a mechanism for reviewing employee feedback about the training program and how future training programs should reflect that feedback.
Security awareness also implies the usage of other tools such as email notifications, posters, bulletins, handouts, newsletters, circular notices and so forth. The checklist should also include the timing of the distribution of such materials and who will be responsible for the oversight of this.
5. Determining the Levels of Responsibility
This is also a key component of the security awareness checklist. This simply refers to who will be responsible for what when it comes to protecting both the digital and the physical assets of the business or corporation. In this regard, there are three types of roles to be fulfilled:
This includes all employees in the organization. This implies that everybody will have a general responsibility to keep their eyes and ears open for anything suspicious.
These are the employees that work in their own respective departments and are designated as specialized personnel by their job titles. These roles have specific security protocols to follow when working with company-based resources. For example, customer-service specialists would have to follow a set of procedures to safely collect and process credit card payments, while the IT staff would have to follow a specific routine to implement software/patches and updates.
These are the individuals that are tasked with the day-to-day oversight of the organization. In this regard, they too will have certain protocols to follow when it comes to reporting cyberattacks to law enforcement officials and other regulatory bodies.
6. Other “Laundry List” Items
These should also be included in the security awareness checklist:
- Are workstation monitor screens locked down?
- Are all of the operating systems up-to-date in terms of patches and updates?
- Do all workstations and wireless devices have the latest anti-malware/spyware/adware software packages installed?
- Have the appropriate disaster recovery/backup plans been crafted, implemented and tested?
- Is there a calling tree established in case of a natural disaster or cyberattack?
- Is there a proper server backup procedure and schedule in place?
- Have all employees been notified of proper Internet usage?
- Is there a regular schedule in place for the inventory of company-based IT assets?
- Have the appropriate background checks been conducted on contractors and third-party vendors?
- Is there a proper security-based onboarding and offboarding process in place for employees?
This article has reviewed some of the core components in a security awareness checklist. This is obviously not an all-encompassing list; what to include in the checklist is heavily contingent on the security needs of the organization. To make sure that your checklist is detailed and comprehensive enough, it is recommended that you consult with a cybersecurity consultant that specializes in this area. However, this will get you started. Good luck!
Sources
- What is an Insider Threat?, ObserveIT
- Information Supplement: Best Practices for Implementing a Security Awareness Program, PCI Security Standards Council
- Cyber Security Awareness Complex, IT Resource
- Information Security Checklist, Camico
- Corporate Security Checklist, Adnet Technologies