Unit VI Research Paper
Brian Jones
Columbia Southern University
Unit VI Research Paper

The ultimate goal of a security awareness campaign, in a corporation or organization of any size, is increased awareness of security practices. The program should include all employees, from those who are just being onboarded to those who have been with the company for years. It should apply to every department and be reinforced on a regular basis.

Creating the Program

To begin creating such a program, management should devise the set of rules and controls to be put in place. These are the foundation on which the program is built. They should cover everything from what to do for new hires, to how to handle an incident, to what to do when an employee leaves the company.

Checklists

Once the specifics of the program are established, checklists should be created to ensure that the practices reach all employees and departments and to keep the information organized. Examples of checklists follow.

The onboarding process introduces a new hire to the company. A checklist of the security policy information the new hire must receive is a must. Items can include an acceptable use policy for devices that the new hire must sign and a handbook detailing the security policies and how to report incidents.

Another good practice is a calendar that schedules refresher training ahead of time. Scheduling training well in advance ensures that all employees are notified early and are therefore more likely to attend.
Finally, and perhaps most importantly, is a checklist outlining how to handle an incident. This checklist should cover not only how to handle the situation within the company but also how to communicate a possible breach to customers (Allin, 2017).

Communicating the Program

Once the program parameters have been established and the checklists created, the employees must be exposed to the information. Newer employees will learn about the security program during onboarding. Employees who have been with the company for some time also need the information, and there are several ways to reach them. A lunchtime meeting with a PowerPoint presentation is an effective way to communicate it. In addition to the presentation, a printed handout can be distributed as an addendum to the employee handbook so that employees have a hard copy as well. Lastly, if a schedule of refresher training exists, inform all employees of the time and date of the training. Refresher training reinforces the policies of the new program and keeps everyone up to date on any changes.

Special Circumstances

In addition to the methods listed above, a special training session should be conducted after an incident. There will inevitably be some form of incident. Afterward, all employees should receive a refresher on how best to avoid the situation, and the process for dealing with an incident should be covered again (e.g., who to report the incident to and how to communicate with customers and/or stakeholders). It is an unfortunate circumstance, but it is best practice to remind employees of policy and procedure while it is fresh in everyone's mind (Bauer, Bernroider & Chudzikowski, 2017).
Infographic

To reinforce some of the core concepts of the security plan, the following infographic could be posted throughout the facility as a reminder of best practices for avoiding common pitfalls.

[Infographic: "Don't take the bait" (Thriveology, 2016); image not reproduced here]

Testing the Program

Almost as important as launching the new program is gathering real-world data on how effective it is. There are multiple ways to quantify effectiveness, some of which are best seen in a review of security metrics: for example, how many phishing emails were opened recently versus before the program was instituted, or the response time of the security or IT department when an incident is reported. Another method is to launch small, staged incidents on purpose. Sending emails that could pass for phishing attempts is one way; if employees open and act on these emails sent by the security team, they are probably doing the same with emails from outside sources. Dropping a USB thumb drive to see whether anyone picks it up and plugs it into a workstation is another. According to Daniel (2020), in similar scenarios flash drives were picked up and plugged into workstations 45% of the time. If employees are plugging random drives into their workstations, it is a recipe for disaster.

Integrating the Security Program

Creating the security awareness program is only one facet of releasing it to the company as a whole. Executive management should be directly involved in the early stages of creation and have input throughout the process. This helps make the integration of the new program into all departments a smooth one.

Integrating with Human Resources

Human Resources (HR) is a vital department within any corporation. It is directly responsible for the processes that control the life cycle of an employee within the company, from hiring to termination (Santos, 2019). Aligning the new security program with the function of HR is critical. With HR aware of the new program, it can begin to drive home the fine points of the security program as new hires come in. HR should also be familiar with the process for removing a terminated employee's access to company systems, regardless of whether the termination is on good terms or not. HR also helps ensure that the security controls align with the company's mission, goals and priorities (Chavez, 2018).

Training for Management

Management within the various departments should in no way be left out of or exempt from training on the new security program. Managers are the first point of contact for employees should an incident occur. Therefore, management should be well versed in the security program and receive further training on the finer points of their employees' responsibilities. Some managers will have employees in their departments with access to more sensitive data than others. It is vital that these managers completely understand the policies and the consequences should an incident occur. Finally, managers should be aware that they could present a better target for attackers, because their credentials could give access to more data (PCI SSC, 2014). Therein lies the need for managers to be extra vigilant.

NICE Framework

The NICE Framework, published by the National Institute of Standards and Technology (NIST), is a common vocabulary of cybersecurity work roles and the tasks, knowledge and skills each requires; the related NICE Challenge Project provides web-based, real-world scenarios for sharpening the cybersecurity skills of students and security professionals. Using these resources to increase awareness within the company is a good way to reinforce the concepts present in the new security program. By participating in the activities, employees immerse themselves in a scenario in which they must apply their knowledge of best practices to arrive at the correct outcome.

Cyberseek

The Cyberseek website has the potential to be an excellent resource for the company. The company can use its data to learn how many security professionals are in the area and whether the scope of hiring will need to be expanded to other regions. Data on the expected salaries of prospective new hires can tell the company whether the money it is offering is competitive. One of the biggest advantages of the site is its view of open positions: it aggregates cybersecurity job-posting data by region and work role rather than hosting listings itself, so the company can see the demand it is competing against when it advertises an opening. Additionally, the site has career-pathway resources for any current employees who want to change direction and begin working toward a career in cybersecurity.
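The Testing the Program section above proposes measuring the awareness program through staged phishing campaigns and metrics such as open rates and how quickly incidents are reported. The following Python script is an added example, not part of the original paper, showing how those numbers can be computed from a phishing-simulation event log and compared between a campaign run before the program and one run after it. The log format (one event per line, "timestamp,user,campaign,event", with events sent, opened, clicked and reported) and the sample events are constructed for this example; a real simulation tool exports its own format, which would need its own parser.

```python
"""Score simulated-phishing campaigns from an event log.

Added example; not part of the original paper. Assumed input: one event
per line, "timestamp,user,campaign,event", with event in
{sent, opened, clicked, reported}. Timestamps are ISO-8601.
"""
from datetime import datetime
from statistics import median
from typing import Any, Dict, List, Tuple

Event = Tuple[datetime, str, str, str]  # (timestamp, user, campaign, event)

# Constructed sample log: campaign "pre" ran before the awareness program,
# "post" ran after it. Four recipients each. In "pre" two users clicked
# and only one reported; in "post" one user clicked (and then reported)
# and three reported the lure.
SAMPLE_LOG = """\
2023-10-02T09:00:00,alice,pre,sent
2023-10-02T09:00:00,bob,pre,sent
2023-10-02T09:00:00,carol,pre,sent
2023-10-02T09:00:00,dave,pre,sent
2023-10-02T09:03:10,alice,pre,opened
2023-10-02T09:04:00,alice,pre,clicked
2023-10-02T09:10:00,bob,pre,opened
2023-10-02T09:11:30,bob,pre,clicked
2023-10-02T10:15:00,carol,pre,opened
2023-10-02T11:00:00,carol,pre,reported
2023-12-04T09:00:00,alice,post,sent
2023-12-04T09:00:00,bob,post,sent
2023-12-04T09:00:00,carol,post,sent
2023-12-04T09:00:00,dave,post,sent
2023-12-04T09:02:00,alice,post,opened
2023-12-04T09:02:40,alice,post,reported
2023-12-04T09:05:00,bob,post,opened
2023-12-04T09:06:00,bob,post,clicked
2023-12-04T09:06:30,bob,post,reported
2023-12-04T09:20:00,dave,post,reported
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV-style log into sorted (timestamp, user, campaign, event) tuples."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, user, campaign, event = line.strip().split(",")
        if event not in ("sent", "opened", "clicked", "reported"):
            raise ValueError(f"unknown event type: {event!r}")
        events.append((datetime.fromisoformat(ts), user, campaign, event))
    return sorted(events)


def campaign_metrics(events: List[Event], campaign: str) -> Dict[str, Any]:
    """Per-campaign open/click/report rates, median time to report, and the
    users who clicked the lure and never reported it."""
    sent: Dict[str, datetime] = {}      # user -> time the lure was sent
    reported: Dict[str, datetime] = {}  # user -> first report time
    opened, clicked = set(), set()
    for ts, user, camp, ev in events:
        if camp != campaign:
            continue
        if ev == "sent":
            sent.setdefault(user, ts)
        elif ev == "opened":
            opened.add(user)
        elif ev == "clicked":
            clicked.add(user)
        elif ev == "reported":
            reported.setdefault(user, ts)
    recipients = set(sent)
    if not recipients:
        raise ValueError(f"no 'sent' events for campaign {campaign!r}")
    n = len(recipients)
    # Minutes from delivery to the user's first report; only users who were
    # actually sent the lure are counted.
    delays = [(reported[u] - sent[u]).total_seconds() / 60
              for u in reported if u in sent]
    return {
        "recipients": n,
        "open_rate": len(opened & recipients) / n,
        "click_rate": len(clicked & recipients) / n,
        "report_rate": len(set(reported) & recipients) / n,
        "median_minutes_to_report": median(delays) if delays else None,
        # Candidates for the targeted refresher training the paper recommends.
        "clicked_without_reporting": sorted((clicked & recipients) - set(reported)),
    }


def compare_campaigns(events: List[Event], before: str, after: str) -> Dict[str, float]:
    """Change in each rate from the 'before' campaign to the 'after' one.
    A negative click-rate change and a positive report-rate change are good."""
    b = campaign_metrics(events, before)
    a = campaign_metrics(events, after)
    return {f"{name}_change": a[name] - b[name]
            for name in ("open_rate", "click_rate", "report_rate")}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for camp in ("pre", "post"):
        print(camp, campaign_metrics(log, camp))
    print(compare_campaigns(log, "pre", "post"))
```

Two caveats when reading these numbers. Open rates usually come from an image beacon in the lure and are unreliable: mail clients that block remote images hide real opens, and clients that prefetch images inflate them, so report rate and time to report are the stronger signals of whether the program is working. The clicked_without_reporting list is meant to target the post-incident refresher the paper describes, not to single people out; a program that punishes clickers tends to suppress reporting, which is the behaviour the campaign is trying to encourage.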
References

Allin, B. (2017, March 21). How to implement a security awareness program at your organization. Retrieved from https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization

Bauer, S., Bernroider, E., & Chudzikowski, K. (2017, April 9). Prevention is better than cure! Retrieved from https://www.sciencedirect.com/science/article/pii/S0167404817300871

Chavez, R. (2018, October 11). The role of HR in cybersecurity. Retrieved from https://www.shrm.org/resourcesandtools/hr-topics/behavioral-competencies/pages/the-role-of-hr-in-cybersecurity.aspx

Daniel, S. (2020, June 5). Should I test employee security awareness? Retrieved from https://sbscyber.com/resources/should-i-test-employee-security-awareness

Donttakebait [Online image]. (2016). Thriveology. https://thriveology.com/dont-take-the-bait/

PCI SSC. (2014, October). Best practices for implementing a security awareness program. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Upper Saddle River, NJ: Pearson.