Pratum Blog

Top Tips for Developing Effective Security Awareness and Training Programs

A common saying is that an organization’s employees are the weakest link in information security. While there is some truth to that statement, employees should be viewed as part of the solution, not the problem. Information security awareness and training activities can provide some of the best return on investment. If implemented properly, the organization’s leadership will see fewer instances of employees falling prey to cyber threats and tactics, such as social engineering, and greater reporting of suspected attempts to compromise the organization’s critical assets. To implement and maintain an effective information security awareness and training program, several “best practices” and building blocks should be used.

Top Cybersecurity Tips

Leadership

Senior leadership involvement in awareness and training activities is a critical aspect of any awareness and training program. Leadership involvement sets the tone for the program and supports the message that information security is vital to the business’ goals and objectives.

Resources

Awareness and training activities can be conducted without a large outlay of monetary resources, yet those activities can have a significant positive impact in the organization’s overall defense-in-depth strategy. In addition, awareness and training activities do not need to take up a large amount of employees’ or trainers’ time.

Learning

Depending on the size of the organization, there may be up to five generations of learners, and each generation, in general, learns differently. Within the learning model, activities for employees generally fall into the awareness and training categories. To enhance retention of the information provided, consider activities that take into account the various generations of learners. Gaming and challenges are popular across all generations, so consider adding them into the mix.

Strategy

To have the most effectiveness, a long-term strategy should be developed to provide leadership’s vision of the culture it hopes to instill. To support the strategy, a 2-year plan detailing quarterly information security themes and topics should be developed. Activities can then be based on these themes and topics.

Analytics

To ensure there is a proper balance of activities and information, metrics can be useful. First, to understand the organization’s current culture, a “baseline” should be developed. From this baseline, other metrics collection and analysis methods can be used to gauge whether the organization’s security culture is shifting in the direction envisioned in the strategy.

Persistence

Information security training conducted one time per year is simply not enough. Awareness and training activities should be spread across the year to provide greater persistence. Cyber threats are constantly changing, and the awareness and training program must be agile enough to provide information regarding the latest threats.

Timeliness

Information provided to employees should reflect the latest news about best security practices, cyber threats, and company information security policies and standards. Information provided to employees in a timely manner may mean the difference between avoiding a data breach or falling prey to an attack that causes significant damage to the business.

Relevance

Awareness and training activities should include not only information relevant to work and the business, but information that applies to employees at home and on travel. As organizations see more business conducted on personal devices, as well as the impact of cybercrime on employees in home and travel settings, the awareness and training program should provide information pertinent to these situations.

Feedback

One of the best “bang for the buck” training activities is sending your organization’s employees phishing emails, simulating social engineering tactics that are used in a large portion of successful attacks against individuals and organizations. This type of activity can take advantage of “the teachable moment.” If an employee clicks on the fake link or opens the attachment, the employee is taken to a landing page for immediate feedback and additional information. Feedback that is immediate is proven to be much more effective than feedback that is delayed.

Incentives

Employees like incentives. Consider adding them to your awareness and training program. For example, if an end user avoids clicking on a phishing email link, or answers all questions right on an information security quiz, positive reinforcement may be to give that employee a reserved parking spot for a period of time, grant a few extra hours off, or praise that employee in a newsletter.


You can get the printable version of this article here.

White Paper: Top Tips for Developing Effective Security Awareness and Training Programs

This paper delivers proven tips for developing an effective security awareness and training program.


An IT Manager's Guide to a Successful Audit [ PART 5 of 5 ]

Summary Tips for a Successful IT Audit

There are some things that are sure to sink an audit engagement. They are easy to avoid; however, I see people fall into these traps all too frequently. Simply knowing what some of these are should enable you to identify them and hopefully avoid them.

  • Poor communication. I probably don’t need to spend much time describing what this does to a relationship. For this engagement to be a partnership you need to communicate effectively with your audit team. This means regular, meaningful communication. It also needs to be a two-way street. If you feel a staff auditor isn’t forthcoming with information, escalate to the team lead or audit manager. Explain how you view this as an opportunity to partner with them and want more from the engagement. I’ve never known a manager, audit or otherwise, to turn down this type of offer.
  • Don’t get a defensive attitude. The auditors are simply doing their job to assess the controls of your environment. Nothing they do or say should be taken out of context and assumed to be an attack on you or your team. They are about the most objective group of individuals you’ll ever meet. Every profession has “that guy”, the one who lives to make life miserable for everyone around them. You might even know one in your line of work. If “that guy” happens to be your auditor, take the high road. Nothing good will come out of doing battle on a matter of principle. Do your best to work with auditors as professionals and your engagements will run amazingly smoothly. Cop an attitude and you’re in for a wild ride.
  • Be willing to complete the simple tasks. While most technology professionals loathe creating documentation, it is one of the easier tasks. Auditors will key on this every time. Spend the time and document your process. Not only does this make for a more successful audit, it helps with disaster recovery planning, cross-training, and reducing support costs.
  • Talk with your auditor about their expectations and explain yours to them. It may be unrealistic for you to expect to have no gaps or deficiencies. Working with your audit team to communicate and document expectations will reduce the chance that one or both parties are completely surprised during the reporting phase.
  • The more active a management team is in the audit, the better the chance for a satisfactory rating. I’m not advocating that a manager be the point of contact or run the audit engagement. They do, however, need to attend the kickoff meetings, negotiate scope and timelines, provide input during fieldwork and influence the final report. If your team sees you interacting with auditors, they will take their cue from you. Hide and they’ll hide; build partnerships and they’ll build partnerships.
  • Having a single point of contact works best for both teams. The auditors don’t waste time tracking down the individuals responsible for a certain function or for documentation. Your team isn’t constantly interrupted to provide testing evidence or documentation. The point of contact becomes the mediator. They can help narrow scope, revise testing scenarios and work with the auditor to streamline the request before it gets to your operational teams. Having a good point person working with auditors is invaluable. If you are in a highly regulated environment, such as banking or healthcare, having a person dedicated to working with auditors, tracking remediation plans, or writing management responses is a necessity for most mid-sized or larger organizations.
  • Negotiate a win-win situation with the audit manager upfront. Find out what they want to accomplish through the audit and tell them your objectives. Find some common ground and work to build a scenario which gives you both the best opportunity to succeed. Failure to do this step is only going to hurt you. The audit is going to happen with or without your input. You might as well make the best of it and find a way to turn this into a positive experience.
  • Preparing for an upcoming audit is essential. Start building audit prep into your daily routine. Make sure documentation is part of the build process. Tie operational processes to policy or control statements. The more work you do to prepare for an audit the less you’ll have to do during the audit. I’m usually more successful and comfortable performing tasks according to self-imposed deadlines than to seemingly arbitrary deadlines imposed by others.
  • Self-audits are a great way to prepare for an audit. If you’ve gone through an audit you can use the same testing scenarios from the last cycle. This can be used as a dress rehearsal for your next audit. Your team will be better prepared and equipped to respond during the actual audit. You also get a sneak peek into what’s happening in your organization.
    One of the things I always hated was finding out from an auditor that my team had decided at some point to not follow documented procedures without telling me. Sometimes they just changed the procedures to meet operational goals and in most cases the changes were warranted. However, if they aren’t documented, you’re going to be cited for this. Being able to identify gaps earlier and address them behind closed doors is one of the greatest values of the self-audit. If you do this frequently enough and your audit cycles are long enough the discrepancy might not even be found by an auditor based on their look back period.
    Having gone through the self-audit will give your team the confidence they need to interface with the auditors and build a solid relationship with them. Hopefully this will help bridge any communication gaps and reduce confusion during the audit.

There is no way to ensure you’re going to come out of an audit unscathed. You can however minimize any potential negative impacts by being an active participant. The worst possible thing you can do is to let what happens, happen. This is a naïve and dangerous approach. By building relationships, engaging in the entire process, communicating and negotiating with the audit team, you stand a very good chance of improving the rating you would have received otherwise and are at least somewhat in control of your destiny.


Download the entire guide by visiting the following link.

White Paper: An IT Manager's Guide to a Successful Audit

This white paper provides an overview of the audit process and how IT management can insert themselves into this process to benefit from the exercise.


An IT Manager's Guide to a Successful Audit [ PART 4 of 5 ]

The IT Audit Process

The audit process can vary from engagement to engagement, company to company, or even auditor to auditor. What you should find, though, is that IT auditors take a consistent approach to the engagement. The phases may have different names based on the environment; however, the actual function of each phase should be consistent. It’s very important for you to fully understand the phases of your audit to ensure you can have the appropriate resources and input available at each stage. It’s very similar to the SDLC (Software Development Life Cycle): it’s much easier and less costly to get all requirements for the project up front so no future work has to be scrapped.

The phases as I describe them are the initial Announcement of an upcoming audit, delivery of the Engagement Letter, Scoping Activity and Self-Identifying Gaps, the actual Fieldwork or Control Testing, and the Reporting phase. We’ll talk about these in detail starting with the purpose of each phase and the role of IT management during that phase.

The Announcement Phase

The announcement phase of the audit is simply a time for the auditors to announce their intentions to audit a group, function, system, etc. Most internal audit departments try to plan their work out in advance just as you do. They may even know a full year in advance what their anticipated schedule is going to be. There probably won’t be any details released other than a name for the audit, the audit manager or team leader, and a preliminary date. Be prepared: the further out the date, the more fluid it will be. The audit schedule is no different than that of any other operational group. Timelines slip due to personnel, weather, technology and other business drivers. The announcement is only meant to give you the opportunity to see what’s coming and begin preparation.

The timing of audit announcements can be brutal. Sometimes audits are on a cycle and you know to expect them every quarter, every other year, etc. These audits are much easier to plan for. The associated workload is known and you’ll have a staffing plan to deal with it. You know you’re going to have certain resources tied up with the engagement and you simply plan around it. Sometimes, though, you get no warning and the auditors show up. Those are usually the audits that are the result of some other situation that didn’t go as planned. You might not have known the timing of the audit, but you probably won’t be surprised that it is occurring.

The announcement phase of an audit is the key time for you as an IT manager to begin preparing for an audit. This is also the phase that most of us ignore, which costs us dearly. Once an audit is announced you should have ample time to begin getting ready for the auditors to arrive. Take advantage of this time, as once the auditors are on site they will expect that you have already done your prep work and will be ready to move. During the announcement phase you want to begin collecting and centralizing all information that might be requested during the audit: system documentation, work or change requests, policies, procedures, risk analysis information, and penetration testing results. You may want to develop some sort of documentation portal where you can store the information and give the auditors granular access for a given period.

A big item that is often overlooked is review of any previous audits. Do you have any outstanding issues that need to be resolved? Unresolved items from the last audit are going to be the first thing on an auditor’s checklist, and documented remediation plans left unaddressed are a common example. Go back and make sure everything you said would be done after the last audit was done and that the appropriate documentation is completed. What do you think your chances are of getting a warning when the police officer pulls you over for speeding and, upon checking your license, sees that you have a drawer full of unpaid violations?

Assigning a point of contact (POC) for the auditors at this point makes sure you are kept in the loop regarding any changes. Should the intended purpose or timelines change, you will want to be the first to know. You should also begin to plan for resource utilization if you haven’t already. Audit response can be time consuming. You need to make sure your people have availability during the engagement. If you see any red flags, talk with your auditor. Now is the time to try and adjust the schedule, not three weeks before they are on site.

Ideally you have a self-assessment process, where you have continual process and system reviews to identify any gaps and work toward remediation objectives. If your organization doesn’t have something like this, now is the time to start. You certainly don’t want to appear lazy or negligent during this process.

Engagement Letter

The role of the engagement letter is for the audit team to spell out their specific objectives for this engagement. Perhaps they want to assess HIPAA compliance or review the effectiveness of your identity and access management controls. Their intentions should be clearly defined along with proposed timelines for each phase of the engagement. This is also a time for the audit team to introduce themselves to the business unit. Knowing who is on the audit team and what their role is will help the entire engagement flow more smoothly.

Besides just stating the objectives for the audit, the second major issue addressed by the engagement letter is the scope of the audit. This entails determining which systems can be reviewed and the look-back period (date range for review), among other details. This information is often just a best guess from the audit staff, as they probably don’t have the specific system knowledge to know if this scope is too big or too small to accomplish the stated objectives.

Once you receive the engagement letter you should begin to scrutinize the details. Are the dates as expected? Is the objective clear? Has it changed from the initial announcement? Is the scope too broad or too narrow? This is the time for you to drive the engagement. There are 4 key action items you have during the engagement process.

  1. Do you agree with the overall time line for each phase of the audit? Auditors are famous for trying to get in and get out as fast as possible. You know what the operational impact is going to be on your systems. Perhaps you’ll need to run 10 reports, which take 4 hours each to generate and you can only run them in your evening maintenance windows after the backup has run. This might mean you can only run one per night, and it will take you ten days just to run the reports. If the auditor has an expectation to be done with the evidence gathering in 5 days, you need to explain why this is unrealistic and negotiate the timeline. Don’t drag things out just to play it safe though. Remember, the longer the auditor has to review and look over things the more they uncover and the more they want to probe, thus possibly expanding the scope of the audit.
  2. Set clear objectives for the engagement. Understanding what the auditor hopes to accomplish will help you in the next phase, scoping. This is no different than getting business requirements from an operational unit before you begin coding their application. You should understand what they want to do before you can provide them anything. Another key in this is understanding definitions. Acronyms and abbreviations mean different things to different people. Even within the same company acronyms may be used differently by different business units. Agree up front to how you’ll communicate these items. Also, make sure to clarify what someone means when talking in technical terms. People often throw around the terms authorized and authenticated interchangeably when discussing access controls. Make sure the term someone says is the term they mean.
  3. Find out if the auditors have any pre-existing concerns about your organization or the systems. Unless you like being blindsided during the reporting phase this is your time to get all the cards on the table. If an auditor has anything they are looking for upfront they should tell you. It’s not fair for you to be judged on criteria you don’t know about. You may also find you have some perception issues you’ll need to work through to make this a successful engagement.
  4. Take this time to gain some visibility into your problem areas. Do you have any gaps that you’ve tried to get funding for, but it just hasn’t been a priority with management? That gap becoming an issue in the auditor’s opinion report is sure to change this. Be careful though; this is a double-edged sword. Your management may view this as an underhanded trick to get your pet project pushed through, or if it becomes a big issue you might be on the hook for not having responded to it earlier. Trying to balance getting visibility to known problem areas and just continuing to work them in the background takes some experience. I wouldn’t recommend trying it on your first pass.

Scoping Activity and Self-Identifying Gaps

The purpose of the scoping activity is for the auditors to tell you what systems they plan to review, what the look-back period will be, how many samples they plan to take, what the sample sizes will be, etc. Some of this information will be based on their previous experience with your organization or system. If this is an internal group that has performed the same audit several years in a row, their initial scope may be right on. If, however, this is the first time the audit has been performed, the team membership has changed, or the system has gone through a major revision, this might not be the case.

During the announcement phase you should have been going through a self-assessment and looking for gaps. That exercise may have resulted in some remediation plans. Most auditors will allow you to provide them with information regarding known gaps up front. If you have an action plan and have made significant progress on the plan, this can help improve your audit rating. Auditors are more concerned with ensuring things are done right than with who gets credit for finding the gap and making the changes. The scoping phase is a good time to disclose self-identified gaps. Some auditors prefer this happen during the engagement negotiations, so be sure to check their expectations.

If negotiation isn’t one of your strong suits, you either need to develop your skills in this area or have someone on your team who can do it for you. Auditors are driven by best practices and repeatable processes. If the auditor feels you’re trying to get around these during the process, they will certainly push back. If you have a need to change the scope of your audit for any reason, you need to be prepared to justify your reasoning. Thinking something will work better probably won’t be enough to sway an auditor. You and your team need to utilize your specific knowledge of the system architecture and operation to explain why the scope needs to be modified. For example, maybe the audit scope includes reviewing the authentication process for users of a web application. In the architecture diagram provided to the auditor there is a proxy or load balancer in the middle. With your expert knowledge, you could explain how these devices have no direct impact on the authentication process and their logs can be excluded from this audit. The auditors will rely on your knowledge to help drive the scope. They don’t want to review meaningless data any more than you want to collect it for them.

Fieldwork and Control Testing

Fieldwork is the phase where most of the heavy lifting will take place. One of the first things an auditor will ask for is information relating to your process and procedures. They want to see how well these accomplish the successful implementation of your policy and related control standards. Some of your controls may not be documented. They will try to discern this during the fieldwork process. They will interview system administrators to determine how they perform their duties daily and then check for supporting documentation. Having written operating procedures is always best. Even if you’re doing the right things, if it’s not documented you can probably expect that issue to be noted on your final review. Without the written documentation, there is no level of assurance that the process will be repeated the same each time. Staff transition or a disaster could prevent the regular administrator from performing their duties and cause the process to be changed if not documented.

Once the auditor has identified all of the controls, they will review them for effectiveness. Before even looking at the system, the auditor will try to ascertain if a control can meet a policy objective. They will look at the control and assume it has been implemented correctly and consistently. They will also consider the technology aspect of the control and the system it was meant to protect. If there is a significant chance a policy could be violated even with the control in place, it probably isn’t going to be considered an effective control and will need to be reviewed. Sometimes this just means modifying the written documentation for the control to better reflect its design; other times you’ll need to scrap the control and start over.

Once the effectiveness of the control has been considered, it will be reviewed for efficiency. This is the point we see how well something works. While the control may be deemed effective it may not be working well in the actual implementation. Perhaps it was implemented incorrectly or the process isn’t being followed. Many things can impact a control’s efficiency.

Since fieldwork is where the auditors begin to dive into your technology environment, you have home field advantage. Nobody knows the environment like you, so take advantage of that. Walk through your systems with the auditor to give them a personal connection to your team and environment. The more they understand the technology architecture, the easier it will be to negotiate with them to correctly scope the audit. Assigning a senior staff member as the point of contact assures the auditor you take this engagement seriously and want to do everything you can to make it a smooth process. You also get the benefit that if the auditor tries to exceed the scope of the audit, your staff member will know the system well enough to catch this and adjust the auditor’s focus.

Review Prepackaged Testing Scenarios

Some auditors come with prepackaged or predetermined testing scenarios. Make sure you review these. They may or may not be appropriate for the way your environment is designed. Databases and directory services are prime examples. Both can be customized to the point they almost seem like in-house developed solutions. The standard fields an auditor tests may not be in use or may be used in vastly different ways by your organization. It’s important that both of you understand this before going through the laborious process of pulling data. Don’t be afraid to suggest scenarios you think will yield the results the auditor is looking for.

Many times, auditors ask for a report having no idea what the result of that report will be. I once worked for a company where an auditor wanted to see, for every Active Directory account in the company, the manager’s certification that each staff member’s access was still valid. Once I explained that we had over 210,000 accounts, that this would take about two days to run, and that it would print out on about 30,000 pages, they changed their tune. We were allowed to run smaller samples from several business units and finished with about 40 managers, 200 accounts and 5 pages. This was a statistically valid sample of the accounts, which would indicate whether the control was efficient. Work with your auditors to find valid samples instead of testing the entire environment.

Reporting

Section 1: Opinion Statement

The first thing in the auditor’s report will be their opinion statements on the overall effectiveness and efficiency of the controls in your organization. If all goes well and there are no major issues to report this should be succinct. In an internal audit, this will usually be no more than a couple of paragraphs and high level in nature depending on the system complexity and audience for the report.

External or regulatory audits are another story. I hope you like to read. In most cases, there will be an executive summary section if the opinion section is more than a few pages. If your auditor has uncovered multiple deficiencies, then the report will be as long as it needs to be to accurately describe the impact.

Section 2: Recommendations

The second portion of the report is the recommendations section. Auditors can’t be too specific here as this would cause a conflict of interest when they next review the control. If they tell you step by step how to fix it and then pass the control in the next round, their motives would be suspect. If they again failed the control, you’d be none too happy with them. For this reason, they will tell you what needs to be fixed but not how to fix it.

Remember that this audit process has been a partnership between you and the audit team. It should be expected you will want to help shape the final report. After all, it is at least to some degree a reflection of how well you and your team do their job. You certainly don’t want your signature on a scathing report that you had no input on. If an auditor balks at getting your input included in the final report, this is a red flag that must be addressed immediately.

You should also agree with everything on the report. You may not like everything that is stated or how it is stated but there should be no assumptions. Only facts should be reported and these facts should be backed up with evidence from the fieldwork. Feel free to challenge the auditor and show additional evidence of your own if you believe the report to be inaccurate. It’s important to get these issues cleared up while the report is in draft format. You want a limited audience to see the “dirty laundry”. Once the final report is published it’s hard to have it changed.

During this phase, you’ll also need to develop a timeline for remediating any identified control deficiencies. A little trick I like to use is to commit to building a project plan by a certain date but not to fixing the problem. Most times you have a week or two at best to review the draft report and build a management response. There is little chance you’ll fully understand the changes that need to happen or the impact on budget and operations. Committing to building a project plan shows you’re serious about fixing the problem but realistic about potential impact. Most auditors are fine with this because you will be tracking and reporting progress as you go. Just remember this needs to be fixed before the next audit cycle.


