Creating awareness for security measures

2023.06.01 | search column

This article is based on what we researched at the time of writing. Please note that some information may differ from the latest information.

1. Introduction

 In the previous column, "Aztec's information security system", we introduced the company's security system.
 Aztec has obtained ISO27001 (ISMS) certification, and as a member of the Information Security Committee I am in charge of implementing and operating our internal security measures and in-house training.

 When we undertake search work, customers entrust us with highly confidential information, so no leakage or loss of that information can be tolerated. As a company, we recognize security measures as our most important issue, and for that reason the measures taken on a daily basis are extremely important.
 From my point of view, security measures within the company are at a higher level than usual. However, they are meaningless if the rules are not followed, including through carelessness. For the rules to be followed, employees need a high level of security awareness, but "security training" tends to be rigid in content. Here we introduce our efforts to make employees aware of security without raising the threshold.

2. Goals

 Since 2012, we have set one company-wide security goal each year.
 In the past, the company-wide goals set by the Information Security Committee did not fully permeate the company, and in the company-wide survey conducted at the end of the term a certain number of respondents said they did not know that year's goal. Although the company-wide result was relatively high at about XNUMX%, awareness varied within the company.

 Therefore, we tried two approaches to improve this.

 The first was an initiative to "set a goal for each department and operate it for one year". Since each department set its own goal, naturally XNUMX% answered that they did not know that year's goal. We carried out this approach twice (for two years).

 The second was an initiative to "review within each department on a quarterly basis", covering the following two points:

・Are you conscious of the goal in your daily work?
・What are the current effects, problems and improvements?

 Rather than setting up a special meeting for this review, we tried to carry it out briefly within a regular daily meeting. This initiative is still ongoing.

 We have now returned from departmental goals to a company-wide goal, but in the most recent company-wide survey the number of respondents who said they were unaware of this year's goal remained zero, and the proportion who said they were conscious of it in their daily work has risen to about XNUMX%.

3. In-house training

3.1 Regular training

 In conducting regular training for all employees, we believe it is more important to "repeat ordinary things" than to deliver training with advanced content. If there is too much material, or the material is too difficult, it not only takes time but also strengthens the feeling of being forced to do it, and the effect is weak. Training is also meaningless unless people understand why the rules exist.

 An employee's primary job is not to "follow security rules". Rather than having them memorize a list of rules, we provide training in a way that makes them aware of what they are doing and what is dangerous, without becoming a burden on their primary duties.

3.2 Training content

 As a specific method, once or twice a year we create learning materials on a specific theme, have employees study them, and then conduct a confirmation test at the end.

 For example, in 2022 we provided training on the following themes.

・Handling of paper materials
・Precautions for screen sharing during web conferencing
・Ransomware
・Obtaining operation logs

 The handling of paper materials and web conferences is closely tied to daily work; ransomware has become a prominent problem in recent years (in what kinds of cases damage occurs, and what happens); and the theme of operation logs serves as a check on the status of daily log acquisition and retention.
 All of these themes have been taught before, and we repeat the training to raise awareness in daily work.

3.3 Measuring effectiveness

 As a measure of the effectiveness of our training, we conduct the confirmation test mentioned above. The test is at a level where anyone who has read the study materials can easily answer correctly, but a perfect score is mandatory to pass, and anyone who fails is retested until they pass.

 In the company-wide survey conducted at the end of the term, about XNUMX% of respondents to the most recent question, "How do you feel about information security after receiving regular training?", answered "high or slightly high", and XNUMX% answered "low or slightly low". This shows that, from the recipients' side as well, the training we provide is effective for "having a high security awareness".

4. Internal audit

 We conduct an internal security audit at least once a year.

4.1 Selection of internal auditors

 The auditors who conduct internal audits are appointed from among employees in rotation every three to four years. This is because the purpose is to "raise one's own security awareness through experience as an auditor" rather than to "cultivate audit professionals within the company".
 It goes without saying that an auditor needs to understand the rules, but by actually being the one doing the checking you notice new problems and also notice other people's good practices. Every internal audit results in about XNUMX to XNUMX proposals along the lines of "it's not a rule violation, but why not improve it?". It is a great opportunity to think about security yourself.

4.2 Audit method

 After appointing internal auditors, we first provide auditor training on the concept of auditing. The main thing I teach in that training is that the person conducting the audit must confirm things for themselves and be satisfied with what they see.
 The audit itself confirms points of concern in an interview format, following a checklist the auditor prepares in advance. For example, when checking the rules for sending emails, rather than verbal confirmation such as

・"Are you following the rules when sending emails?" → "Yes"
・"What are the rules for sending emails?" → "There are 〇〇 rules"

the auditor asks

・"Please show me how you usually send emails."

and checks the actual action as it is performed. By watching it in practice, you can confirm whether the rule is really being operated correctly, and you also pick up on details. Thanks to this confirmation method, every audit produces suggestions for improvement from the auditors, as mentioned above.

5. Summary

 Among employees, there will inevitably be a gap between those with high awareness and those with low awareness. Under such circumstances, I have introduced how we raise the overall level through our daily efforts.
 Ultimately, it would be ideal if "everyone had such a high level of security awareness that there would be no problem even without security rules", but in reality that is impossible.
 However, if proper rules are established and an environment is created in which employees are easily made aware of them on a daily basis, the risk of incidents should be greatly reduced. Increasing the number of opportunities for confirmation, through regular review of goals and measurement of effectiveness, and deepening the understanding of why the rules exist through training, makes it easier to create such an environment. Involving employees themselves on the operational side of the system, as internal auditors, can be expected to have a further effect.


 At Aztec, we recognize security measures, including the efforts introduced here, as our most important issue, and we work on them on a daily basis. We will continue to make further efforts to build an even more secure environment.

Information Security Committee Hisamitsu

【Reference】
・Aztec's information security system
 https://aztec.co.jp/news/columns/418
