Advocating Security Awareness and Operational Security Principles
There are a number of basic guidelines that may be used to promote a culture of security awareness and effective operational security within an organisation.
Security Awareness
Security awareness training programs - periodic training programs will reinforce security consciousness and promote secure practices. The result of such training is increased awareness of potential security issues and knowledge of how to handle potential security incidents.
Executive sponsorship - top-level management embracing and promoting security awareness. This will reinforce the importance of being security conscious. If management places importance on security, then the rest of the company is more likely to adhere to secure practices.
Promotional material - promoting security awareness through the use of posters, pamphlets, mouse pads and other such media. Security awareness could also be promoted through an internal newsletter or emailing list. Such promotional materials create collective security awareness amongst employees within their organisation.
Regular security control audits - these will ensure that security controls have been applied correctly. They will also identify where security controls should have been applied but were not. This assists in mitigating security risks by ensuring that consistent and planned controls have been implemented.
Operational Security Principles
Minimum access - The default rule. A person should only be given the absolute minimum level of access required in order to perform their job. This restricts people from accessing information which they have no need to access and helps prevent the unauthorised use of that data.
Simple security management - ensuring that the implementation and management of security controls is simple. This will ensure that the appropriate controls can be applied or removed quickly and easily. This will minimise the number of errors related to the application of security controls and it can also help reduce the complexity of security audits.
User and system logging - allows detection of system anomalies and exceptions that may occur. Logging can be used to create a baseline of historical trends to readily allow for the identification of unusual system behaviour.