Emphasis on information security risks tends to focus on addressing advanced persistent threats associated with IT. Although mitigating such threats is important, they represent just part of the security triad "technology, processes, and people," where all three areas play a vital part in supporting the organization's information security program. Having an employee security awareness program puts the focus on people who can help mitigate physical and information security risks, as well as keep the organization compliant with regulations and industry standards that require stronger IT security controls such as the U.S. Sarbanes-Oxley Act of 2002, European Union Data Protection Directive, and Payment Card Industry Data Security Standard (see "Regulations and Standards" below).
Auditing a security awareness program and its administrative process is essential to gauge whether it's being executed successfully. The awareness program document, along with attached employee consent and code of ethics forms, should be disseminated to and reviewed and signed by all personnel annually. To ensure complete coverage, this process should be centrally managed and a repository should be maintained to keep track of completed employee consent forms. Enforcement procedures should address situations when employees fail to respond in a timely manner and should include management escalation procedures. Auditors should pay close attention to six areas covered in the program: data, networks, user conduct, social media, mobile devices, and social engineering.
The awareness program document should detail approved practices that safeguard the organization's data in both electronic and physical form. Particular focus should be on securing client nonpublic information (NPI) and the organization's proprietary information. NPI is defined as a customer's name plus one or more data elements such as an account number or date of birth. Proprietary information consists of sensitive business information that can prove useful to competitors. The security awareness program document should instruct employees to contact their manager if they suspect that NPI or proprietary information has been lost, stolen, or accidentally disclosed to unauthorized parties so that escalation procedures can be initiated.
Test procedures auditors should consider include using questionnaires with metrics to measure overall awareness; evaluating data breach incident and escalation procedures, event logs, and resolution reports; and reviewing courier agreements to ensure that incidents involving missing or tampered packages are handled appropriately.
Audits of NPI and proprietary information also should cover physical media on which the data resides. To ensure that sensitive documents are secured and inaccessible to unauthorized individuals, employees must shut down their computers at the end of the day and secure laptop computers when not in use. Moreover, employees should clear their computer screens when away from their workstations and, if feasible, position their computer screens away from unauthorized individuals and use computer privacy screens for workstations located in public or high-traffic areas. Auditors should conduct unscheduled department walkthroughs to ensure that clean desk policies are being followed, unattended workstations are secured, file cabinets and desks containing sensitive documents are locked when not in use, and physical safeguards are in place to restrict access to authorized personnel.
Likewise, employees should protect physical documents that contain sensitive information by discarding them into secured bins, rather than trash cans or recycling boxes. Electronic media containing NPI or proprietary data should be destroyed using management-approved techniques and data-erasure utilities to ensure they are not recoverable. Personnel interviews and walkthroughs of work areas can enable auditors to observe whether disposal bins are securely locked, monitor vendor document disposal practices, and verify the destruction of electronic media.
Organizations' networks and applications provide access to production systems, databases, and email systems that require a combination of user ID and password to gain access. The security awareness document should remind employees that they are personally responsible for all activities performed using their credentials. In particular, sharing logon credentials may enable unauthorized personnel to access systems and data. Internal auditors should interview employees and observe their workplaces to ensure that logon credentials are neither shared nor written down and that passwords follow approved complexity requirements. Auditors should check that the security awareness or code of ethics forms contain a clause mandating employees' responsibilities for securing their logon credentials.
Similarly, voice mail security is necessary to ensure messages are protected. One common weakness is employees choosing PINs based on their telephone extension number, which auditors can detect by conducting random tests.
Auditors also should check compliance with the organization's wireless networking policies and procedures. Connecting wireless devices or setting up wireless access points to the organization's internal network should be prohibited unless approved by management and the IT department. Auditors can review monitoring and enforcement practices to ensure that only authorized network connections are allowed.
The time and money spent by organizations on technological solutions doesn't mean much when controls can be compromised easily due to inappropriate user conduct. This is why the employee security awareness and ethics code documents must communicate the organization's expectations for employee behavior. Employees should not be permitted to install any personal or nonbusiness-related software — such as games, audio files, or peer-to-peer file sharing applications — on the organization's computers, as this practice may install malware or violate software copyrights or licenses. In addition, all files downloaded from outside the organization's network should be scanned for viruses. An audit of the controls that mitigate these risks includes determining whether mechanisms are in place to automatically scan files and quarantine suspected malware.
The security awareness program also should establish rules of conduct for using company email. At a minimum, auditors should ascertain that the program provides guidance on expected behavior, such as limiting email use solely to business purposes. The program document also should instruct personnel on how to spot spam, spoofed, and other suspicious email that manages to get through the organization's spam filters. Spoofing uses forged email messages that appear to have originated from a legitimate user to entice recipients to open and respond to them. Employees who receive such messages should not respond to them or click on attachments or links, which could download malware. Instead, they should forward them to the information security department for further analysis.
Social media presents special problems for organizations because it blurs the boundary between the personal and professional lives of employees. As such, the organization needs to clearly communicate detailed social media rules of conduct for employees, covering behavior both inside and outside the workplace.
Auditors should scrutinize the social media guidelines to ensure that they sufficiently convey the organization's expectations for social media behavior. Although some content will vary from one organization to the next due to cultural, industry, and regulatory factors, auditors should expect these basic guidelines:
Personal use of social media during work hours should be disallowed or restricted to lunch time, approved breaks, or outside of scheduled work hours.
Employees should never post confidential or proprietary data on company-sponsored or personal social media sites.
Use of company-sponsored social media sites should be restricted to work-related communications.
Employees must understand that they serve as the face of the organization when posting on company-sponsored social media sites and are expected to behave respectfully.
Employees who comment or post on company-sponsored social media sites must not suggest that their personal views reflect the organization's official position.
Employees should abide by copyrights, logos, trademarks, and other proprietary branding when posting on company-sponsored social media sites.
In addition, internal auditors should evaluate training and other methods management uses to disseminate social media conduct guidance to employees.
Mobile Devices and Wi-fi
Like social media, the practice of employees using personal devices in the workplace to access company email and business information systems — often referred to as "bring your own device" (BYOD) — presents a special challenge to organizations. Accordingly, employees need to follow the organization's BYOD policies and use its vendor-supported mobile device management (MDM) solution. MDM technology is used to manage portable devices remotely, enforce security policies, and secure business content such as email and data. The security awareness program should direct employees to consult their owner's manual or seek assistance from their service provider about how to configure their device settings. In addition, employees should avoid using free Wi-fi hot spots to access company email and data unless there is a secured connection to prevent wireless transmissions from being intercepted.
Scrutiny of BYOD and MDM practices can ensure that data leakage risks are mitigated should devices be lost, stolen, or misconfigured. Internal auditors should evaluate the adequacy of the organization's BYOD acceptable use policy and enforcement practices, assess MDM portable device security policy configuration settings to ensure that NPI and data are secured, and review reimbursement activities to ensure that compensation practices comply with company policy for employees who use their own devices.
Social engineering uses deception, manipulation, intimidation, and other techniques to exploit individuals with the ultimate goal of stealing information to gain a business advantage, conduct industrial sabotage, or seek monetary gain. Typically, these actions are carried out by individuals who stage "vendor" visits, or who make phone calls and send email impersonating employees, government officials, or vendors. In response to these types of threats, organizations need to establish detailed procedures employees must follow.
Unannounced visitors claiming to be vendors need to be vetted before being allowed access to company areas, especially when it involves entry to locations that contain computers, wiring closets, and client information. Employees should ask visitors for government-issued photo identification; contact the appropriate department to validate the work order, which may be forged; and ensure that visitors are escorted until the work is completed. Visitors who cannot be vetted should be escorted out of the office.
Employees who receive a phone call from an employee they do not recognize should look that person up in the organization's directory or ask for a "daily security word" — a secret word or phrase changed daily that is accessible only to employees through the organization's intranet. Moreover, the security awareness document should instruct employees to contact their manager immediately if they receive such calls because the individual may continue to call other employees until successful.
Additionally, personnel should never provide their logon credentials or workstation IP address by phone or email to individuals representing themselves as being from the organization's IT or information security departments or a vendor, as this could be a phishing effort to obtain sensitive information. Employees who observe suspicious activity should notify management. They also should avoid using removable flash drives they have found in conspicuous places, such as parking lots, as these may contain malware.
To gauge social engineering awareness throughout the organization, auditors should consider conducting "white hat" exercises aimed at identifying and remedying security vulnerabilities before they can be exploited. For example, auditors who conduct visits posing as a vendor can learn whether employees challenge and follow visitor authenticity vetting procedures before allowing access to company facilities. Likewise, sending phishing email and impersonating IT staff members can reveal whether employees can be tricked into providing sensitive information.
An effective employee security awareness program should make it clear that everyone in the organization is responsible for IT security. Employees who suspect or become aware of policy violations should be instructed to notify their reporting manager or a higher level executive promptly. To determine whether security-violation reporting processes are effective and operating as intended, auditors should interview compliance and information security department personnel. Taken together, such efforts to audit security awareness can pay dividends by leading to recommendations that address program gaps and deficiencies.