Automating Security Policies
Many organizations have an increasingly large set of policies on data security and other issues that they need to distribute to employees. It can be challenging to keep such policies updated and to ensure that the right employees read them when they should. And as state and federal data security laws grow stricter, it’s becoming increasingly important to maintain such documents and to make sure employees understand them. To achieve those goals, Bentley University, located near Boston, turned to an automated policy management solution.
The university needed to update several of its policies, including those concerning compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). Massachusetts’ strict new Data Privacy Act (201 CMR 17) was also coming into effect; its requirements include strong written policies and regular auditing on protecting personal information.
As the school began to tackle that task, it became clear that the old system of administering policies with paper and binders was becoming too unwieldy and time-consuming, says Patty Patria, Bentley’s chief information security officer. Patria had heard of some new automated policy management solutions. Among them was one recommended by a colleague; the product was called MOAT (Managed Ongoing Awareness and Trust) from Awareity.
MOAT offered what is called infrastructure-as-a-service via the Web, says Patria. That meant that it would likely require relatively little software downloading and management within Bentley.
Even without the software worries, getting up and running was not easy. It required that the university migrate all of its policies into a format that could be read and edited in the MOAT system and develop training programs that fit into the MOAT modules.
Preparing the new system took about six months. Two weeks of that were spent on back-end integration, mainly ensuring that Bentley employees could access MOAT. The majority of the effort involved meetings among the university’s human resources, privacy, and law personnel. A main aim was deciding which types of policy modules, or training products, to create and distribute to particular employees via MOAT.
MOAT offers two basic types of modules. The first is a set of prepackaged products that train users in areas such as HIPAA and HITECH; the second concerns general data and cyber security. The university decided to use the healthcare-related product, says Patria. Meant for employees in clinical and other medical settings, it can help in areas such as annually required HITECH training.
For the rest of the modules, Bentley used customizable “Intelligent Templates,” which help guide module creation with formatting and inputs that track what is required by applicable regulations.
Bentley decided against using the off-the-shelf data security module, opting instead to create a more customized version “better suiting our own security needs and policies,” she explains. The university was able to borrow certain information from the MOAT version, however.
The general security awareness module eventually included information on topics ranging from phishing attacks, in which e-mails can contain malicious links, to ways in which employees could properly dispose of sensitive personal data, a requirement under the new state data law. Patria expected that the module would help raise user awareness, which is a “crucial component” of any overall security strategy, she notes. Indeed, the general security awareness module has created a far simpler way of educating employees about security best practices, Patria says.
Once the staff had done the hard work of developing the content, creating the actual templates was relatively straightforward, says Patria. In most cases, content for the modules was transferred into Adobe Reader PDF format before being uploaded into a central Awareity Vault. But Awareity also lets users create PowerPoint and spreadsheet documents as well as add video and audio files.
The university added audio versions to many of its modules, says Patria, letting people learn “while conducting other tasks.” A main goal in building the modules was making them highly user-friendly, she says.
Twelve modules were eventually developed, she says. Some employees, including some working in areas such as security and human resources, would receive them all, but most employees would need to receive “about eight.” When the modules were distributed late last year, employees were typically given 30 days to certify that the sessions had been viewed or heard.
The administrators used Awareity’s real-time, automated reporting and statistics to monitor staff progress on the modules. Human resources could quickly see when employees needed a follow-up communication, usually an e-mail, about finishing a session. The automated reporting can integrate into documentation that can be used for auditing and regulatory purposes as well.
Most employees completed training within 30 days, in part because they could do it at their convenience. Many employees, particularly those spending relatively little time at a computer, appreciated the audio format, she says.
MOAT’s automated reporting feature also lets university personnel easily check whether new employees or contractors have read the required information before starting a job or accessing certain systems.
The new system has also reduced the amount of time Bentley staff might have had to spend training employees and answering questions, she says. Plus, the time spent updating policy information and training programs has been greatly reduced. The Intelligent Templates are simple to update, she says, and Awareity automatically updates its ready-made modules for the university as regulatory changes occur in areas affecting the university’s security awareness training.
Paper costs have also declined, which has helped move the university closer to meeting some of its environmental, or green, initiatives.
MOAT’s pricing is based largely on the volume of user licenses an organization requires, according to an Awareity spokesperson. The price per license declines as the volume increases; costs range from less than $5 per user per month to less than $1 per user per month. Initial installation can range from several hundred to several thousand dollars.
Patria says she may eventually add additional MOAT features, including test questions in true-or-false or multiple-choice format at the end of training sessions. But already, she says, the technology has generated “huge benefits.”