Security Awareness: Best Practices to Secure Your Enterprise

This document provides the critical steps needed to implement an enterprisewide security awareness effort; build concurrence among other departments; and provide baselines, maturity levels and control objectives. Information systems and networks can be affected by internal and external risks. Everyone must understand that security failures may significantly harm those systems and the information under their control, as well as interdependencies. Additionally, increased regulatory pressure, including the European Data Protection Directive, the US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), requires organizations to implement formal security policies. Educating employees is certainly a frontline defense for adherence and proper implementation. The guidance provided includes:

• Security awareness foundations, as everyone has a role to play in the protection of enterprise information assets, from the most senior executive to junior staff
• Steps to design a security awareness programme, because awareness of the risks and available safeguards is the first line of defense
• A maturity model for best practice
• A security awareness self-assessment program and a case study