Building a Security Policy Framework for a Large, Multi-national Company
By Leslie VanCura
Information Security is not just technology. It is a process, a policy, and a culture. Our organization had spent millions of dollars on technology to keep the “bad guys” out, but we had spent little time building the foundations of our Information Security Program. We did not have relevant, current policies or a culture of security awareness among our managers or end users. The technology was not able to prevent end users from disabling it or doing unintentional damage by opening strange email attachments or telling someone their password. This paper will discuss how we created a Security Awareness Program to address this problem. The program covers policy development, an awareness campaign, and compliance monitoring.