A successful implementation of an information security program requires a well-planned security awareness and training program that addresses policies, standards, and procedures. (Peltier & Peltier, 2004) The awareness and training program should encourage employees to make the right decision among alternatives in a manner consistent with ethical principles. (Josephson Institute of Ethics, 2016) This paper focuses on the security awareness program and the ethical decision-making process of a large enterprise in the US.
The paper discusses:
- The security awareness program called “Rules of the Road” of the firm.
- The “Five Keys to a Great Customer Experience” campaign promoting ethical behavior at the business, which enabled it to top J.D. Power’s Customer Satisfaction Survey.
- The implementation of the security awareness program along with the ethics campaign at the firm.
- The impact of the security awareness program and ethics campaign.
- The effectiveness of the security awareness program and ethics campaign.
- Selected recommendations on how to improve the security awareness program and ethics campaign.
Security Awareness Program
The firm’s operations team, which includes the development and information security teams, launched its revised security awareness program four years ago with three fundamental principles: Security, Stability, and Standards. The firm calls it “Rules of the Road.”
Security – Maintain data privacy and confidentiality
One of the goals of the operations team with the security awareness program is to develop or acquire software that is secure from the start. Detecting and applying security fixes early in the system development lifecycle (SDLC) avoids expensive repairs of the software towards the end. (Solomon, 2015) The program educates employees on the importance of protecting internal and confidential data from unauthorized access using the firm’s policies and standards. According to the policies and standards, employees are discouraged from disclosing specific information about their role at the company on any social media forum. Communicating such information may help adversaries target selected employees with social engineering attacks to gain unauthorized access to the firm’s locations and network. The business prohibits employees from sending the company’s information outside without approval and does not allow them to use personal email for business purposes. The awareness program helped employees understand the principle of least privilege and why it is important to limit access only to those who need it. (Virtru, 2015) All access needs to be reviewed annually and removed as soon as it is no longer required. The awareness program also covers the need to manage and use privileged accounts securely.
Stability – Ensure reliability and resiliency
Though a service enterprise, the firm considers itself a business that relies heavily on technology. Ensuring its systems are reliable and resilient by meeting its infrastructure and application hygiene requirements is paramount. The firm requires the Operations Team to test developed or acquired software and validate the results before deploying it to production. Data should be backed up and, if necessary, archived according to data retention and business recovery requirements. The firm needs to maximize the availability of its systems by planning and testing for failure scenarios. Its use of Chaos Monkey to test its private cloud is a good example of such a requirement. The firm requires the approval of the Change Management team for any change to its software or infrastructure. All controls applied to its software and infrastructure should be regularly assessed, and any gaps or weaknesses addressed promptly.
Standards – Drive efficiency and reduce complexity
To achieve a secure and stable system, the Operations Team should design and build technology systems in adherence with the approved reference architecture and technical standards. Any new technology introduced to the firm, whether developed internally or acquired, should be approved by the Chief Information Officer (CIO), Chief Technology Officer (CTO), and Chief Information Security Officer (CISO). The firm’s Third Party Risk Management (TPRM) team should be engaged in any external engagement to meet the company’s oversight standards. All servers should reside in a data center or equipment room approved by the technology team. All technology teams are required to create and maintain application and infrastructure reference data in an authorized, centralized inventory tool. They should apply data management policies and standards to the firm’s data.
Ethics is a standard of behavior that human beings are expected to follow in the many situations in which they find themselves as friends, parents, children, citizens, businesspeople, teachers, and professionals. (Santa Clara University, 2015) Along with the firm’s security awareness program, the operations team launched a campaign to promote “Five Keys to a Great Customer Experience”. The goal of the campaign is to instill ethical behavior in everything an employee does at the firm. The Five Keys align with the five sources of ethical standards that philosophers and ethicists consider critical. The five sources of ethical standards are:
- The Utilitarian Approach – which emphasizes the action that provides the most good or does the least harm.
- The Rights Approach – which emphasizes the action that best protects and respects the moral rights of those affected.
- The Fairness or Justice Approach – which emphasizes the action that treats all human beings equally.
- The Common Good Approach – which emphasizes the action that benefits the common good of a community.
- The Virtue Approach – which stresses that an action should be consistent with certain ideal virtues that provide for the full development of humanity. Such virtues include honesty, courage, compassion, generosity, tolerance, love, fidelity, integrity, fairness, self-control, and prudence.
The campaign was launched in both the business and the technology parts of the enterprise.
The Five Keys
The “Five Keys to a Great Customer Experience” that the firm considers critical ethical behavior towards its customers and employees are:
- Always be courteous and professional – The company expects its employees to treat its customers as well as their colleagues courteously and professionally.
- Do the right thing – Employees are encouraged to do the right thing that benefits their customers and colleagues. None of their actions should cause an adverse impact or, at least, increase the existing
- Build lasting relationships – The company sees every transaction as a relationship that it needs to nurture over time.
- Own customer issues from start to finish – The business encourages its employees to own a client issue until its resolution. No issue is someone else’s.
- Exceed expectations – Employees are expected to show their best in everything they do.
These keys support the firm-wide effort to consistently provide an exceptional customer experience for every person who interacts with the firm, whether someone visiting a branch, calling customer care, or visiting the company’s website. From the Operations Team’s perspective, this means employees should work accurately and efficiently and quickly resolve any customer request. The five keys represent actions that can enrich the client experience, deepen the firm’s relationships with its clients and, in turn, build the company’s business. They position all employees to present the business as an integrated, seamless enterprise to its customers – in branches, over the phone and online – both when employees service the work and when they resolve customer requests.
The first step in implementing the security awareness program and the campaign to promote ethical behavior was to get approval from senior management on the developed material. A senior manager sent an email to all employees under her regarding the launch of the program and the benefit of going through it. With the help of volunteers from the operations team, the training team identified its audience. Each type of Operations role had customized material that started with a video message from the CEO and focused on that role and its work. The custom material was prepared with input from subject matter experts in each role and delivered using the firm’s e-learning platform on its internal website. As part of developing the program, the company made it a requirement that each employee be certified annually on the Rules of the Road. The firm certifies each employee annually after he or she successfully completes a quiz at the end of the e-learning course. As part of the launch, all campuses of the firm had posters in all meeting rooms and hallways. The company started recognizing employees who demonstrated one or more of the keys at quarterly town hall meetings, helping to make the “Five Keys to a Great Customer Experience” part of the culture.
The security awareness and ethics campaigns were a tremendous success for the business. The firm topped J.D. Power’s Customer Satisfaction Surveys, showing that its “Five Keys to a Great Customer Experience” campaign was a success. The firm had only one reported security breach in the last five years. The impact of the breach was minimal, with no impact on its customers.
Recognizing employees who demonstrated the “Five Keys to a Great Customer Experience” became a regular practice in the business part of the operations. However, it is still gaining traction in the technology team. The effects of such behavior are easy to see on the business side because customers readily provide feedback, but not on the technology side.
Each product delivery starts with a design that incorporates information security early in the system development lifecycle (SDLC). A team of information security professionals ensures employees follow the Rules of the Road before allowing the product into production. However, such assessments are performed only just before the product is ready for production. Moreover, the firm has yet to produce a reference architecture that it can apply to all its technology solutions.
The “Five Keys to a Great Customer Experience” campaign should encourage the business side of the operations team to recognize its technology partners for delivering solutions that meet its customers’ needs.
The following selected recommendations may improve the security posture of the firm:
- The assessment of an application or solution should not wait until the solution is ready for production; evaluation should start early in the SDLC.
- The firm should produce a reference architecture containing a consistent and reusable set of technology patterns that each of its technology components could use.
The security awareness program of the firm called “Rules of the Road” is a success with only one publicly reported breach in the last five years. The “Five Keys to a Great Customer Experience” ethics campaign enabled the firm to top J.D. Power’s Customer Satisfaction Survey.
The company could improve its security posture and the ethical behavior of its employees by following the selected recommendations mentioned above.
- Architect, C. (2016, December 19). Executive Director. (S. Abdul Jabbar, Interviewer)
- Francis, R. (2017, March 27). 7 tips for better security awareness training sessions. Retrieved from csoonline.com: http://www.csoonline.com/article/3154760/social-engineering/7-tips-for-better-security-awareness-training-sessions.html
- Peltier, J., & Peltier, T. (2004). Complete Guide to CISM Certification. Taylor & Francis Group.
- Santa Clara University. (2015, August 1). A framework for ethical decision making. Retrieved from scu.edu: https://www.scu.edu/ethics/ethics-resources/ethical-decision-making/a-framework-for-ethical-decision-making/
- Shimeall, T. J., & Spring, J. M. (2014). Introduction to Information Security. Waltham: Syngress.
- Solomon, S. (2015, March 5). Source code analysis – for safer application development. Retrieved from whitesourcesoftware.com: https://www.whitesourcesoftware.com/whitesource-blog/source-code-analysis-safer-application-development/
- UC San Diego. (2016, May 4). Making ethical decisions: process. Retrieved from blink.ucsd.edu: https://blink.ucsd.edu/finance/accountability/ethics/process.html
- Virtru. (2015, June 12). 6 Common ways employees compromise enterprise data security (and what you can do about it). Retrieved from virtru.com: https://www.virtru.com/blog/enterprise-data-security/
- Whitman, M. E., & Mattord, H. J. (2016). Principles of Information Security. Boston: Cengage Learning.