July 31, 2010

Justification for Security Policy / Awareness Position

by Ron Woerner

Recently, I had to justify a vacant opening for a security analyst responsible for policy and awareness.  This article is the position paper from that effort.  Feel free to use it if you ever need to justify this position.

“The position of Security Policy & Awareness is the key to the success of the Security program at [our company].  This employee sets the policies and standards for security across the enterprise and ensures that those responsible for enacting or following them know of their existence.  The role works with multiple groups to ensure the policies developed are rational, effective, and visible in order to protect our employees, clients, and shareholders.  It establishes the expectations for employee behavior and the controls that ensure the confidentiality, integrity, and availability of company assets.

We need an employee who can focus on ensuring our policies are well-written, up to date, and coordinated across the enterprise.  If this position were not filled, the chances are high that our policies would stagnate with very little improvement.  In addition, it would be much more difficult to develop new policies, leaving potentially critical gaps.  This would increase our security and compliance risks.

We also need an employee to promote Security’s policies, standards, and best practices.  We cannot leave it up to employees, managers, or anyone else impacted to find the security policies and follow expected secure behavior without someone leading the way.  Without a person dedicated to Security Awareness, our employees will be unable to follow not only the policies but also the best practices that keep us all secure, greatly increasing the risk of a security breach.

If it is in the best interest of the Company to continue without this position, many of the activities will be delegated to the affected parties (IT, HR, Compliance, Legal, and the Business Units).  The Security team will continue to lead many of the functions, but will be forced to take a minimalist approach and will only be able to accomplish the most critical tasks.  The current Security manager could perform some of the duties of a Policy and Awareness Analyst, but many of the functions would be left incomplete.

Most organizations of the size and breadth of [our Company] in our sector have at least one employee dedicated to the activities of Security Policy and Awareness.  Security pundits across the globe have spoken out for this need as well, because the absence of this position creates a gap in the whole security program that cannot be filled any other way.  Lastly, without this position, we are in danger of violating laws and regulations established for the protection of personal information (see Attachment 1).

It is my recommendation that [our Company] allow us to fill the position of Security Policy & Awareness Analyst.  It is in the best interest of all involved, including Security, our employees, and our business partners.

Attachment 1: Laws, regulations, and industry best practices stating the need for a Policy & Awareness position

Payment Card Industry (PCI) Data Security Standard (DSS)
Requirement 12: “Maintain a policy that addresses information security for employees and contractors.”

ISO/IEC 27002
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Operating procedures should be documented, maintained, and made available to all users who need them.

COBiT v4.1
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

ID Theft Red Flag rule
Section 114 of the FACT Act directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.”
The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

FFIEC Information Security Handbook
Institutions are required to establish an information security program that meets the requirements of the 501(b) guidelines. Information security policies and procedures are some of the institution’s measures and means by which the objectives of the information security program are achieved.
Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.

HIPAA
An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.
A security awareness and training program for the entire workforce must be developed and implemented.”

Comments

  1. Gary Hinson says:

    Thank you for the inspiration Ron: I have taken your suggestions and worked up a slightly more comprehensive version, for example including compliance management in the role, and added an outline of the characteristics of the “ideal candidate” for the role. We have published it under a Creative Commons license to encourage sharing, in similar fashion to you.

    Our paper is available at:

    http://www.noticebored.com/html/job_desc.html

    Kind regards,
    Gary Hinson