Governance, Risk & Compliance Advisory Blog

Insights on best practices related to IT Audit & Compliance

Importance of User Awareness in a successful IT Security Program

June 13, 2010 22:31, by nirav

One of the most common mistakes organizations make is to assume that their users are aware of the security policies that have been implemented. Signing an awareness form when taking up employment does not make a user aware of the security measures, nor does it allow the organization to wash its hands of its user awareness training responsibilities. Users not only need to follow the policies, they also need to understand why these are being implemented; this makes them adhere better to the established guidelines. The CSI/FBI Computer Crime and Security Survey has revealed a drop in threats and attacks on networks, and this decline has been directly associated with increased user awareness. Although the full list would be lengthy, it is worth looking at some key aspects of information security from a user’s perspective.

Anti Virus – The havoc that can be caused by malicious software, worms and viruses has been well documented. Despite this, user awareness of how they can prevent a virus from entering the network is limited. Users need to be made aware that antivirus software must be kept updated with the latest definitions and is necessary for their own data protection, even if it does take up some computer resources. IT teams, on the other hand, should ensure that virus scans take place at times of least disruption to the user community.

Passwords – Once an attacker has your passwords they can get into almost anything, be it office or personal data. The password is the first line of defense with which users protect themselves. Users need to understand what a “weak” password is: something that can easily be associated with the user, like a birthday, and can therefore be easily guessed. Strong passwords should consist of letters, numbers and special characters. They should be something the user can remember while at the same time ensuring they cannot be cracked.
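A policy check that encodes the paragraph’s definition of a weak password, added here as an example and not part of the original post: it rejects short passwords, passwords lacking a mix of character classes, and passwords that embed data easily associated with the user, such as a birthday. The user record, its field names and the length threshold are assumptions.

```python
import re
from datetime import date

# Constructed user profile for the demo (assumption: the directory stores
# these fields). These are the values an attacker could guess or look up,
# so a password must not contain them.
USER = {"username": "jsmith", "first_name": "John", "birthday": date(1985, 7, 24)}

MIN_LENGTH = 12  # assumed organisational minimum
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def birthday_tokens(d: date) -> list[str]:
    """Common ways a date of birth is written inside a password."""
    return [
        d.strftime("%d%m%Y"), d.strftime("%m%d%Y"), d.strftime("%Y%m%d"),
        d.strftime("%d%m%y"), d.strftime("%m%d%y"), d.strftime("%Y"),
        d.strftime("%d%m"), d.strftime("%m%d"),
    ]

def check_password(password: str, user: dict) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Require at least three of the four character classes.
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if len(missing) > 1:
        problems.append("missing character classes: " + ", ".join(missing))
    # "Easily associated with the user": username, name, date of birth.
    lowered = password.lower()
    for field in ("username", "first_name"):
        token = user[field].lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains the user's {field}")
    if any(tok in password for tok in birthday_tokens(user["birthday"])):
        problems.append("contains the user's birthday")
    # Long runs of one character are another sign of a guessable password.
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated three or more times")
    return problems
```

Feeding the user record in alongside the candidate password is what turns a generic complexity rule into the “not easily associated with the user” check the paragraph calls for.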

Acceptable usage policy – The acceptable usage policy should cover user access to the intranet and internet as well as email usage. Users need to be aware of the vulnerabilities they expose the network to when browsing sites they should not be visiting. Exchanging emails when not needed and inadvertently subscribing to hoax sites may not only invite viruses into the network, it also uses up network bandwidth, which may result in data not being available when needed.

One of the components of IT security that is often underestimated is the need to increase awareness amongst users of the role they play in maintaining the security of the network. The result of a survey by the Computer Security Institute and the FBI Computer Intrusion Squad has indicated that user security awareness training can lead to a decrease in internally initiated attacks on the network. Users need to be aware of their role in protecting the information they use and how they can contribute to protecting the network. There are a variety of means available to educate users on security policies, and each organization will have to find its own best fit. Organizations can give presentations, put up posters and distribute handouts, conduct induction as well as periodic training, or even run an internal website dedicated to information security. Each method is effective in its own way, and using one is better than none.


Measuring IT Security Effectiveness

May 29, 2010 16:44, by nirav

In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. A good information security system should be implemented by subject matter experts in information security – people who understand risk as well as the importance of using the right internal and external controls that will not only protect data but also contribute towards meeting organizational objectives. To be effective, the information security policy being implemented also needs good management support. This is where the problem begins: many companies have chosen to set up an expensive information security system but don’t always realize why or how they came to choose its implementation in the first place.

So why should a company measure the information security policy it has implemented? A few industry pointers are listed below:

• To show ongoing improvement,
• To show compliance (with standards, contracts, SLAs, OLAs, etc.),
• To justify any future expenditure (new security software, training, people, etc.),
• To identify where implemented controls are not effective in meeting their objectives, and
• To provide confidence to senior management and stakeholders that implemented controls are effective.

While on the topic, organizations should also highlight to their stakeholders the various advantages of measuring the effectiveness of the security policies, which are:

• Proactive measurement tools can prevent problems arising at a later date (e.g. slow networks, denial of service, disk failures, etc.),
• Reduction of incidents,
• Staff motivation, and
• Visible evidence to auditors, and assurance to senior management.

Once organizations have defined the objective and realized that measuring the effectiveness of the security policies has advantages, the question arises: “What do I measure?”

Again, industry best practice would suggest breaking down the information security implementation into the following categories:

1. Management Controls:
These would typically include the security policy and procedures, IT policies, the corporate strategy for information security and awareness, business objectives, and management reviews.
2. Business Processes:
This would include conducting the actual risk assessment, the risk mitigation measures that will be implemented and the level of acceptable risk, as well as data retention and disposal measures.
3. Operational Controls:
These consist of the operational procedures for supporting the IT services being delivered. Hence processes like change, incident and availability management would be part of the operational controls.
4. Technical Controls:
These would typically consist of activities like firewall configuration, AV updates, patch management, content filtering, etc.

To measure the controls, organizations can also define KPIs for them, so that each control can be mapped back to the organizational objectives.

Organizational security is often one of the first victims of a cost-cutting exercise. The most common logic is that although it costs money to implement an information security policy, the benefits are not very tangible, which makes it difficult to justify the cost incurred. However, organizations need to realize that the benefits of information security become visible only when a control fails, and when that happens the costs incurred may be too high. Hence the need to measure the controls implemented and present the benefits to all stakeholders. This helps them understand the many benefits it can bring to the business, and also how they can leverage a well implemented policy to drive the business and shape future organizational policies.



Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2010
