Information Security and Privacy Education Lesson Fines And Court Penalty Judgments

My July issue of “IT Compliance in Realtime” has been published!
This month I continue to focus on the importance of information security and privacy training and awareness to not only improve security and privacy preservation, but also to meet a very wide range of compliance requirements. The first article in this month’s Journal is, “Information Security and Privacy Education Support Compliance.” Download the PDF of the full Journal issue for the formatted, best-looking version.
Here are the first couple of sections from that article…

The Deloitte Touche Tohmatsu (DTT) 2007 Global Security Survey revealed that less than two-thirds (63%) of respondents have an information security strategy. An overwhelming majority of respondents (91%) were concerned about employees being the primary cause for information security failures. Despite this, almost a quarter (22%) of respondents provided no employee security training whatsoever within the past year, and only one-third of respondents (30%) said their personnel could effectively safeguard information.
It is not surprising, then, that information security incidents and privacy breaches continue to happen every day, is it? How can your personnel know how to safeguard information if you do not tell them? There are many reasons to provide your personnel with regularly scheduled information security and privacy training as well as ongoing awareness communications and activities; such actions will

  • Establish accountability for each of your personnel to safeguard the information that they handle as part of their job responsibilities
  • Meet a wide range of regulatory requirements for training and awareness
  • Meet compliance with your own organization’s published policies
  • Demonstrate due diligence for your organization’s activities to appropriately safeguard the information with which you have been entrusted

Educate to Lessen Fines and Penalties
All your organization’s activities must comply with your own information security and privacy policies as well as local laws and regulations. Even without compliance requirements, you must always remember that it would be very damaging to your business if you did not properly safeguard your information assets, and then, as a result, incidents occurred, followed by lawsuits and fines and penalties.
Your business leaders should know that there are significant educational considerations listed under the U.S. Federal Sentencing Guidelines that impact the severity of the judgments in cases in which your organization is taken to court. Your executives’ sentences and your organization’s fines and penalties will include consideration of the following when a judgment is made against you:

  • How frequently and how well does your organization communicate policies to personnel? Are personnel effectively being trained and receiving awareness? What methods does your organization use for such communications? Does your organization verify that the desired results from training occur? Does your organization update the education program to improve communications and to get the right message out to personnel? Does the training cover ethical work practices? Is there ongoing compliance and ethics dialogue between staff and management? Is management getting the same educational messages as the staff? Is adequate and effective awareness and training provided throughout all levels of the organization?
  • Do auditing, monitoring, and evaluation activities occur to verify program effectiveness?

Thus, providing information security and privacy education helps to prevent information security incidents and privacy breaches and support compliance with a wide range of laws, regulations, and industry standards. In addition, it helps to lesson the negative impacts in the event your organization is taken to court.
Thoughts? Feedback? Let me know!

Tags: , , , , , , ,

Leave a Reply