CUPERTINO, Calif. --

1. Create a Security Aware Culture - To be effective, organizations should have an ongoing security awareness program in place that includes continuous training, communication, and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats in the security landscape. Equally important, an awareness program must bring about behavior changes that deliver measurable benefits.
2. Establish Processes - While the causes of IT failures can include technology and environmental compatibility issues, the root cause of IT failure frequently lies in process and skills issues. Regular or routine activities should have established processes that are known to all.
Processes enable workers to treat all components the same way, reducing the effort and the potential risk that would be entailed if each component were managed differently.
3. Have a Remediation Strategy in Place - Having a solid security awareness and remediation strategy in place for business disruptions is becoming an increasing priority, as IT-related incidents attract an ever-increasing share of the public's attention. When designing a remediation program, organizations should keep IT risk management in mind and follow several best practices, as outlined below:
- Improve incident reporting and handling
- Properly classify and protect intellectual property
- Design and implement secure applications and infrastructures
- Demonstrate the importance of proper backup procedures
- Increase attention to system performance in IT systems design
- Follow internal IT safeguards and business policy requirements in an effort to help meet compliance standards such as FISMA, HIPAA, Sarbanes-Oxley, COBIT, and ISO 17799:2000