Human Aspect of Information Security Policy in Service Industry
In my 14 years of experience in the service sector, where as a country we have served almost all markets globally, I have observed a tremendous focus on tools and technologies: we try to close security loopholes by implementing various detective, corrective and preventive tools. But organizations usually miss that these tools have no artificial intelligence to take the subjective decision of who is right and who is wrong.
If an employee intends to do something malicious, they usually find a way to do so by bypassing the automated controls by means of social engineering. Wikipedia defines social engineering as: “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”
Hence this does not mean that tools are useless; what we miss is that these tools are operated by humans. It is very important for an organization's senior management to plan, and keep in mind, how to motivate employees so that there are no disgruntled employees within the organization.
Losses caused by insiders are greater than those caused by outsiders. We have to make appropriate plans to educate employees on an ongoing basis about what is right versus what is wrong. The consequences of wrong behavior have to be communicated properly, with examples.
The following five steps can be taken to ensure the human aspect is covered:
1. Proper awareness plan
There has to be a proper plan in place for what to do prior to employment, during employment and post employment. Employees must know their rights, what they are supposed to do and where their boundaries lie.
2. Drafting an appropriate disciplinary policy and educating employees on it
Disciplinary action is a very good example of sound governance within an organization. The policy should be drafted so that, without any bias, every employee gets a clear message: these are the prohibited activities, and these are the consequences one may face for indulging in them.
3. Appropriate detective controls in place to send a clear message to employees that each and every act of theirs is under surveillance
Here organizations should have appropriate detective controls in place so that management is aware of what is happening and where; in other words, we should know who is doing what and where. This should be communicated to all employees as part of the awareness plan so that they know every act of theirs is being monitored. Tools such as SIEM, log management tools and nowadays NAC and DLP tools are a few examples that security teams should plan for in their annual budget if they do not already have them.
4. Setting the right tone by taking appropriate action whenever non-compliance is found
If monitoring finds an employee engaged in malicious activity, appropriate action needs to be initiated regardless of the employee's band or position within the organization. It is commonly seen that organizations have wonderfully drafted policies and procedures, but the differentiator is how they are implemented at the ground level. Acting consistently sends a straight message through the organization, from bottom to top, that no one will be spared irrespective of the position they hold, and that in the interest of the organization's reputation any non-compliance will be dealt with seriously.
5. Rewarding employees found adhering to such policies to motivate others to follow these steps
This is one of the key aspects of human nature. Employees must be motivated and rewarded based on their actions and their adherence to the organization's policy, which should be measurable in a SMART way. Ideally, within the KRAs (key result areas) there should be one area linked to adherence to the organization's information security policy and to efforts to improve the overall information security culture. With this we can straight away distinguish the employees who are keen on improving the culture within the organization and reward them appropriately.
The views mentioned here are solely the author's independent views and are not related or linked to any organization or to CafeBpO.
Brief Author Profile:
Surinder Singh Rait is a seasoned information security professional currently working with Birlasoft India Limited as Information Security and Data Privacy Leader. He has about 14 years of experience in various roles in which he has implemented an Enterprise Information Security Framework and consulted for many Fortune customers on implementing ISMS, Enterprise Risk Services and various IS-related technologies and solutions. He has worked very closely with senior management and CXO teams to ensure clean implementation of IT governance frameworks that meet client and global regulations and frameworks in a very cost-effective manner.
We would like to thank Surinder Singh Rait for contributing to CafeBpO; he is the first independent expert author to contribute to CafeBpO.