Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jan 1, 2007

A legal argument for security awareness

An article by Ryan Sulkin on Law dotcom starts thus: "As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program." Making the case for security training/awareness, it continues: "However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats." Ryan picks out GLBA, HIPAA, PCI, FFIEC and ISO 17799 as examples of laws, regulations and standards that require employees awareness, training and education in security. "Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security." Well said Ryan!

More resources for security awareness and laws, regulations and standards