Create a security risk-aware culture that includes an information security risk management program
Security awareness is the heart of security risk management. We can significantly reduce the risk of improper data exposure by instituting a security risk management program. This program should be supported by leadership and should define information security roles and responsibilities. However, our efforts will be short-lived unless everyone in the University assumes responsibility for protecting institutional data. Leadership plays a key role in maintaining a strong risk-aware culture, which has a direct positive impact on critical institutional issues such as:
- Meeting organizational goals
- Maintaining efficient uninterrupted operational processes
- Fostering a positive public image
- Complying with legal statutes, regulations, and contractual obligations
1.1 UWG's security risk management program.
This program provides insight into the risks that exist within a given IT environment and the strategies available for reducing or eliminating them. It also helps managers stay abreast of changing risks and respond accordingly. The program draws on the following frameworks and standards:
- IT Risk Management Framework
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- PCI Data Security Standard, version 2.0
- PCI Data Security Standard, version 1.2
1.2 Roles and responsibilities for overall information security.
In a culture of security risk awareness, all individuals within the institution understand their roles and responsibilities for protecting the data to which they have access. These roles and responsibilities should be clearly stated and communicated, and individuals should be held accountable for fulfilling them. Some departments will have greater security responsibilities than others, but everyone in the institution must personally assume some responsibility for the security of institutional data, whether in electronic or paper form.
1.3 Leadership support for policies and governance actions.
In a security risk-aware institution, security is viewed as an investment in the mission of the institution, and security resources are focused on proactive, risk-management-based strategies rather than on reacting to incidents after the fact.