CITEC Confirm feature news

Building a strong security culture

15 May 2005

Appropriate processes and technology are critical to ensuring a secure IT environment, but creating and maintaining a security culture is critical for "closing the security gap".

Gartner's research supports this: "Technology can protect the workforce against external security threats to IT assets, but educating those users will also protect them against themselves."

In June 2004, CITEC gained certification to the AS/NZS 7799.2:2003 standard for Information Security Management Systems. The certification came on the back of a concerted effort to strengthen and reinforce staff awareness of IT security-related issues, and to ensure that security best practices were being followed across the organisation.

CITEC's Security Manager, John Kidston, said the certification was imperative for maintaining and gaining new business.

"Security has become a high priority for our clients and external certification is an important way we can demonstrate to clients that CITEC can be trusted to provide the level of security they require," John said.

Since gaining certification to AS/NZS 7799.2:2003, CITEC's Brisbane data centre and network management centre have also gained a physical security certification from the Australian Security Intelligence Organisation (ASIO) T4 Protective Security Group.

Building and reinforcing a security culture

In the months prior to the certification to AS/NZS 7799.2:2003, CITEC developed and implemented a range of initiatives to raise security awareness among its staff. These included:

  • Compulsory security awareness training for all staff and contractors;
  • Further development of the system used to identify staff, contractors and visitors, with different coloured lanyards introduced for each group to make it easier to identify staff and non-staff; and
  • Random audits to check that unattended PCs were locked and ID badges were being worn.

An internal communication strategy supported these initiatives. Based on the "10 commandments of security" the strategy included posters and email messages promoting various security issues, and regular articles in the staff newsletter.

Ongoing commitment

After "embedding" good security practices, John says a key challenge is to maintain staff awareness and organisational commitment.

"CITEC's senior management are committed to ensuring that security issues remain firmly on the agenda," he said.

"This commitment is vital to maintaining a security culture throughout the organisation."

Key functions in CITEC are represented in both the governance and operation of the information security management system. This cross-functional approach means that security issues are addressed in a business context.

Regular external AS/NZS 7799.2:2003 compliance audits complement the internal audit program, which helps keep security "front-of-mind" and identify opportunities for further improvement. CITEC's weekly staff newsletter has a section dedicated to covering the latest security threats, issues and technologies. All CITEC work units regularly consider security issues within their management review activities.

John says the organisation is committed to maintaining a culture of constant vigilance.

"Like security threats, which are forever changing, our security position needs to be dynamic, so that we can continue to manage our risks. To do that, we must have a strong security culture."

Further information

For further information about this news article please contact:

Sandra Smith
Phone: +61 7 3222 2066
Email: info@citec.com.au
