OK auditors! We’ve heard it said as many times as we’ve said it ourselves, so let’s all say it together now: One, Two, Three, “People are the weakest link in security.”
Right? Right. All agreed.
So now that we agree, how do you audit for security awareness?
I tend to think about security awareness in three distinct categories, each presenting its own control and auditing challenges: Enterprise Security Awareness in which general principles of information security are communicated to a general audience; Administrative Security Awareness in which controls must be aligned with known risks and administrators must demonstrate proficiency with those controls; and finally Information Handling Awareness in which people know what they must or must not do with specific information that they have access to.
Enterprise Security Awareness seems easy enough to dispatch and audit. Microsoft, in fact, provides for free much of what an organization needs in order to deploy a general security awareness program with their Security Awareness Program Tool Kit. The tool kit provides guidance for creating a security awareness program, including template forms, skeletons of presentations, posters and loads of material to present to a general or management audience. Topics such as password strength, shoulder surfing and physical security are covered in presentations for a general audience, with legal and risk issues covered for the management audience. Following NIST’s SP 800-50 “Building an Information Technology Security Awareness and Training Program” you can almost plug in Microsoft’s provided documents and templates and have Enterprise Security Awareness covered. It will still take you some work to see this program through, but Microsoft has done much of the thinking for you. Take advantage of their offering.
Administrative Security Awareness could likely be audited through a standard technology security audit. Whether you are using the ISO 27000 series, ISO/IEC 17799 (formerly BS 7799), SP 800-53, or CobiT for your security controls framework, each of your technical tests can be matched with an awareness test. For example, are domain account login failures reviewed? Yes. Are account managers aware of the unusual login failure patterns that would initiate an incident handling procedure? That’s a good awareness question. Having one or more awareness tests for each control test could give you a good handle on this second security awareness category.
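The awareness test above only means something if the account manager can say what an “unusual” failure pattern looks like. As an added example (not code from this post or from any of the frameworks it names), the script below runs two such patterns over constructed log lines: one account failing repeatedly inside a short window, and one source address failing against many different accounts. The log format, the thresholds and the window are assumptions made for the illustration; real Windows 4625 events carry more fields and would be pulled from the domain controllers rather than a string.

```python
"""Detection logic for the control test "are domain account login failures
reviewed?": flag the failure patterns an account manager should recognise as
the trigger for incident handling.  Added example; format and thresholds are
assumptions, not a vendor's or the original author's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on Windows Security event 4625
# ("An account failed to log on") reduced to timestamp,event_id,account,source_ip.
SAMPLE_LOG = """\
2009-03-02T08:00:05,4625,jsmith,10.1.4.20
2009-03-02T08:00:09,4625,jsmith,10.1.4.20
2009-03-02T08:00:14,4625,jsmith,10.1.4.20
2009-03-02T08:00:20,4625,jsmith,10.1.4.20
2009-03-02T08:00:27,4625,jsmith,10.1.4.20
2009-03-02T08:00:31,4625,jsmith,10.1.4.20
2009-03-02T08:15:00,4625,admin,198.51.100.7
2009-03-02T08:15:01,4625,hr_payroll,198.51.100.7
2009-03-02T08:15:02,4625,registrar,198.51.100.7
2009-03-02T08:15:03,4625,backup,198.51.100.7
2009-03-02T08:15:04,4625,svc_sql,198.51.100.7
2009-03-02T09:42:10,4625,mlee,10.1.7.33
2009-03-02T09:42:40,4624,mlee,10.1.7.33
"""


def parse_log(text):
    """Turn the constructed CSV lines into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, src = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def find_unusual_failures(text, per_account_threshold=5, spray_threshold=4,
                          window=timedelta(minutes=10)):
    """Return sorted (pattern, key, count) findings that should start incident handling.

    Pattern 1, "repeated_failures": one account fails >= per_account_threshold
    times within `window` (guessing / lockout attempt).
    Pattern 2, "password_spray": one source fails against >= spray_threshold
    distinct accounts (spraying a few passwords across the directory).
    Thresholds are assumed values for the example.
    """
    failures = [e for e in parse_log(text) if e[1] == 4625]
    findings = []

    # Pattern 1: sliding window over each account's failure timestamps.
    by_account = defaultdict(list)
    for ts, _, account, _ in failures:
        by_account[account].append(ts)
    for account, times in by_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= per_account_threshold:
            findings.append(("repeated_failures", account, best))

    # Pattern 2: distinct accounts per failing source address.
    accounts_by_source = defaultdict(set)
    for _, _, account, src in failures:
        accounts_by_source[src].add(account)
    for src, accounts in accounts_by_source.items():
        if len(accounts) >= spray_threshold:
            findings.append(("password_spray", src, len(accounts)))

    return sorted(findings)


if __name__ == "__main__":
    for pattern, key, count in find_unusual_failures(SAMPLE_LOG):
        print(f"{pattern}: {key} ({count})")
```

The single failure followed by a success for `mlee` produces no finding; that is the ordinary typo an account manager should not be paging anyone about, and the awareness interview can ask whether they know the difference.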
It is this third security awareness subject, Information Handling Awareness, that I most often think about. How do we get people to know what they must and must not do with the information that they are provided access to? How do we audit for their awareness and compliance with those rules?
I approach Information Handling Awareness by recommending that specific instructions be provided to information handlers. I’ll explain a mechanism for doing this in a moment. First, I’ll tell you why I think the approach is important.
When I review the records within the DataLossDB (at http://www.datalossdb.org), I notice that of the 1,900 or so reported disclosures to date, about 600 are apparently due to people mishandling personally identifying information. This includes putting Social Security numbers in e-mails, on web pages and the like, people losing devices and print-outs, or disposing of data in unsafe ways. If we also qualify as “mishandling” the saving of clear text, confidential information to unencrypted devices that are later stolen, the percentage of disclosures attributable to mishandling could approach half of all reported cases (though I’m not asserting that it is half).
From my experience, only a few people within any organization handle the highest risk information. And when they do so, it is for reasons that may not be foreseen. Let’s consider an Enterprise Security Awareness program at a university. The awareness training will be presented to all staff, and will inform employees to use passwords of a certain type, to not let people tailgate into locked offices, to handle laptops and storage devices with due care, etc. There may even be generalized policies to not expose Social Security numbers, student IDs, credit card numbers, etc. This session is meant for all employees, from custodians to secretaries, admissions officers and professors. Will the training also include statements such as, “Don’t put the following information on web pages: Social Security numbers, credit card numbers, student IDs, checking account IDs, student visa numbers. Don’t e-mail the following . . . ; Don’t send via postal mail the following . . . ; When disposing of the following on paper, you must use a shredder that cross-cuts the documents in diamond shapes . . . ; When storing a CD that contains the following information, you must . . .”
You get the picture. Most of this highly detailed, specific information is of no use to most of the audience and causes all other specific instructions to be forgotten. There should be a distinction made between generalized security training, and specific training for information handling.
To meet this challenge a year ago, I proposed a framework for designing security controls based on information handling instructions. The framework was first proposed in my paper “The Controlled Event Framework” published to satisfy my GSNA Gold certification and is available at the SANS Reading Room. The framework is basically a mechanism for categorizing information based on risk, then developing a set of instructions for people who will handle the information. The instructions are broken down by types of tasks, such as “Copy,” “Send,” “Dispose” and “Save,” and written specifically for the media that the information is contained within. Going back to our university example, if HR deals with health claims and Social Security numbers of employees, and they handle databases, spreadsheets and paper reports, they can be given a set of instructions for copying, saving, printing or disposing of that information. Only they need to know those instructions because only they will handle it. The Admissions department will use different processes, information and media, so their handling instructions would be tailored to the information they will be exposed to.
According to the framework, technical controls are then set up to automate the instructions, or to prevent or detect violations of the instructions. Finally auditors can work with technology administrators and information handlers to determine whether or not the instructions are being followed. In a way, the Controlled Events Framework drives security by awareness. The thinking behind this approach is multi-fold.
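To make the mechanism in the two paragraphs above concrete, here is a small model of it in Python: information is categorized by risk from its content, the handler’s instructions are keyed by task and medium, and a technical control either hands back the instruction that applies or blocks the action and records a reportable event. This is an added illustration, not code from the Controlled Event Framework paper or from any implementation of it; the risk categories, the Social Security number and card patterns, the task and medium names and the instruction text are all assumptions made for the example.

```python
"""Model of instruction-driven information handling: classify by risk, look up
the handler's instruction for (category, task, medium), enforce by default deny.
Added illustration; categories, patterns and rules are assumed, not the
framework's own materials."""
import re

# Assumed risk categories; higher is more sensitive.
PUBLIC, INTERNAL, RESTRICTED = 0, 1, 2

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (assumed classifier).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional space/dash separators; Luhn-checked below so that
# order numbers and other arbitrary digit runs are not mistaken for card numbers.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Categorize content by the most sensitive identifier found in it."""
    if SSN_RE.search(text):
        return RESTRICTED
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            return RESTRICTED
    return INTERNAL


# Instructions for one handler group (assumed HR rules).  A (category, task,
# medium) combination that is NOT listed is prohibited: default deny keeps an
# unforeseen handling path from silently becoming an allowed one.
HR_INSTRUCTIONS = {
    (RESTRICTED, "save", "fileserver"): "Save only to the restricted HR share.",
    (RESTRICTED, "print", "paper"): "Print only to the HR locked-release printer.",
    (RESTRICTED, "dispose", "paper"): "Cross-cut shred; never the recycling bin.",
    (RESTRICTED, "send", "sftp"): "Send via the encrypted transfer service only.",
}


def instruction_for(task, medium, category, instructions=HR_INSTRUCTIONS):
    """The brief, tailored instruction a handler gets when about to do `task`."""
    if category < RESTRICTED:
        return "General handling rules apply."
    return instructions.get((category, task, medium))


def decide(task, medium, content, instructions=HR_INSTRUCTIONS):
    """Technical control: ('allow', instruction) or ('block', reason).

    A block is also the detection event an auditor would look for in logs.
    """
    category = classify(content)
    rule = instruction_for(task, medium, category, instructions)
    if rule is None:
        return ("block", f"{task} to {medium} is not permitted for restricted "
                         f"information; reportable event.")
    return ("allow", rule)


if __name__ == "__main__":
    claim = "Health claim for employee 123-45-6789, see attached."
    print(decide("send", "email", claim))      # blocked: no instruction exists
    print(decide("dispose", "paper", claim))   # allowed with the shred instruction
    print(decide("send", "email", "Order ref 1234567890123456"))  # not a card
```

Note that “send to email” for restricted content is blocked not because a rule says so, but because no instruction for that combination was ever written; that is the intended effect of building the instruction set first and the controls from it. Auditing then reduces to two questions: does the handler know the instruction returned by `instruction_for`, and does the log show blocks being worked around?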
Information technology does not yet make information secure from cradle to grave – by design or implementation – so we rely on people’s conscience and awareness to protect information that is not secured for them.
If people are overwhelmed by a large set of instructions, many of which do not apply to their work, they will forget them. If instead people are given brief instructions about how to “Print” when they need to print, or “Dispose” when they need to dispose, their awareness materials can be tailored closely to their needs.
When security auditors conduct interviews with information handlers about specific instructions, they will find awareness to be very auditable and measurable.
And auditors will be able to address specific controls that information handlers confess to working around because they find the controls too onerous.
This framework was implemented at an international consultancy and withstood audits by clients and federal agencies, always with strong enthusiasm for its direct and auditable way of instituting awareness where it mattered most.
Take a look at the Controlled Events Framework materials and feel free to comment, either here or at the site. If you think it has merit or room for improvement, I’d like to know.