November 2002

Financial Services Organizations Fail to Meet Security Standards

The Security Awareness Index (SAI) for financial services organizations reveals disappointing facts. A survey of financial organizations worldwide rated participating organizations with a “D” grade or lower for security awareness and behavior. The SAI report concludes that current practices and procedures fail to foster higher security awareness among employees.

Among financial services organizations that took the survey:

• 10% of employees have never read a security policy.
• Only 75% of the organizations make policies available in electronic format, and only 39% track whether employees read policies.
• Only 24% require employees to re-read security policies annually.

Improving awareness. The SAI report recommends certain remedies:

• Make security policies, standards, procedures, and guidelines easily accessible.
• Find creative ways to facilitate using security policies, standards, procedures, and guidelines.
• Institute a complete policy compliance system that requires all workers to read the appropriate security policies and reread them at least annually.
• Promote security through training manuals and periodic performance reviews.

Human Firewall Council. As part of its involvement with the Human Firewall Council (www.humanfirewall.org), PentaSafe created the SAI to help organizations assess their security awareness efforts through the first metric of its kind.

The first part of the SAI asks chief security officers questions that benchmark how similar companies implement security policies and procedures. The second part of the SAI enables chief security officers to test their company employees’ actual security knowledge, and compile the data into an index score that can be compared with other organizations.