Information Handling for the Individual User
Most information (or cyber) security standards include user awareness as a security control: NIST SP800-53, ISO 27001, PCI DSS, HIPAA Security Rule, etc. General cyber awareness topics include phishing, popup scams, and strong passwords, among others. Another MAJOR component to user security awareness is the relationship between information security and A USER’S ROLE in the organization. Translation: What should users do on a day-to-day basis to safeguard their company/client’s information?
At Cyber Safe Workforce, we believe you must identify how information flows through the workplace. After all, everyone within your organization is responsible for non-public information in some manner. Without performing a security gap assessment, this is a starting point for review of role-specific security awareness. Use these four questions within each department or project to analyze your data handling procedures.
1. What type of information do I work with?
Is it client information? It the information proprietary or secret? What about marketing materials, customer lists, employee insurance, etc.?
2. For each type of information, is it public, private, or highly sensitive?
If your organization currently uses a Data Classification Guide, each type of information should fit within it. If not, use three broad categories to determine how information should be treated. For example, company proprietary information would be highly sensitive in the wrong hands (even within the company)–it could put the business in jeopardy.
3. Where am I allowed to save/store this information?
What type of devices, online tools/websites, or media can hold the information? If it’s highly sensitive, should it be on a personal DropBox? (The answer is NO!)
4. How can I send/share this information safely?
Review how information gets sent or shared and make sure it’s done via company-approved means. For example, don’t use a hotel business center computer to send highly sensitive information. Identify the systems and safeguards in place for each type of information within the department.
It’s most effective to manage this effort at the department or project level because these users are able to provide a full accounting of the information with which they work and can provide insight into their current information handling processes. Don’t be surprised to learn that there are instances when information goes outside of The Circle of Trust. Instead, work to raise awareness and implement clear processes surrounding data handling. Accidental disclosures of information typically occur when users are unaware of the importance of information or when the company lacks procedures around that information. Role-based security awareness helps minimize this risk.