[ISN] Test feds' info security savvy, report suggests

From: InfoSec News (alerts@private)
Date: Thu Dec 13 2007 - 22:21:41 PST


http://www.fcw.com/online/news/151066-1.html

By Mary Mosquera
FCW.com
December 13, 2007

A majority of federal workers continue to violate information security 
policies despite being aware of threats to agency systems and knowing 
the importance of following data security policies, a survey by 
SecureInfo found.

Among federal workers, 22 percent said they believe their co-workers 
follow information security policies and procedures half the time or 
less. About 58 percent said they stick to them very frequently. Only 20 
percent said their co-workers adhere to them all the time.

Although 97 percent of the participants said they were required to take 
information security training, awareness training is not enough. Only 
one-third said they remembered most of the material covered in the 
training, said Christopher Fountain, SecureInfo president and chief 
executive officer. Only 48 percent said their agency tested them, 
according to the report on information security awareness from the 
perspective of government workers.

"There seems to be a significant lack of understanding by the government 
worker that each individual plays a critical role in protecting 
information assets and contributes to an agency's information security 
posture," he said in the Dec. 10 report. "A greater sense of urgency is 
required."

Cyberattackers now use more sophisticated and stealthier techniques to 
exploit user trust, such as phishing, a technique to fool online users 
into divulging sensitive information. This makes the human element in 
information security the most unpredictable and critical vulnerability 
of an agency's systems, according to the September survey of 100 federal 
employees and contractors.

In its previous security awareness survey in May, SecureInfo found that 
many federal employees were unfamiliar with the Federal Information 
Security Management Act, and FISMA compliance is often viewed as a 
headache instead of a framework for improving system and data 
protection.

In its latest report, SecureInfo said agencies should test and hold 
their employees accountable to make sure that they understand and follow 
data security policies and procedures. Only 36 percent said that their 
knowledge of security policies and procedure was part of their annual 
performance review, Fountain said. Agencies also should conduct random 
evaluations of employees' retention of security training content through 
social-engineering penetration testing techniques, such as attempts to 
get employees to share user ID and password information. It is also 
critical to understand whether awareness training is effective and hold 
agencies accountable for it, Fountain said.

"Agency leadership should be required to publicly report on the 
effectiveness of training programs," he said. With the appropriate focus 
on security awareness and accountability, federal workers will do a 
better job of protecting government information and systems.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/
