Posted by John Kleeman
With data breaches on the rise, most professional organizations are looking to scale up their cybersecurity to better protect themselves from information security risks. I see online assessments being used increasingly to support information security, and I thought I would offer some pointers on this.
There are three main ways in which online quizzes, tests, exams and surveys can aid information security:
- Testing personnel to check understanding of security awareness and security policies
- Ensuring and documenting that personnel in security roles are competent
- Helping measure success against security objectives
Testing on security awareness and knowledge of policies
A cornerstone of good security practice is security awareness training. For example, the widely used NIST SP 800-53 control catalogue calls for organizations to provide general security awareness training and role-based training to personnel as part of initial training and periodically thereafter (the AT family of controls). If you follow NIST, control AT-4 also requires that security training activities be documented and that individual training records be retained.
An assessment is a much stronger record of training than an attendance log, because it documents not only that the training was delivered but that it was understood. For more on this, see the Questionmark blog post Proving compliance – not just attendance. Security awareness training only has value if it is understood, so testing to confirm understanding is both common and sensible.
At Questionmark, we practice what we preach! All our employees have to take a test on data security when they join to check they understand our policies; all employees must also take and pass an updated test each year to ensure they continue to understand.
Ensure that people in security roles are competent
The international security standard ISO 27001:2013 requires that an organization determine the necessary competence of personnel whose work affects its information security performance. The organization must also ensure that those personnel have that competence and retain documented evidence of it.
In a large organization with many different security roles, developing and using a competence test for each information security-related role is a good way of measuring and demonstrating competence. Knowing who is competent in which aspects of security and data protection matters: it shows that each risk is covered by someone qualified to handle it. Online testing is an effective way of measuring competence, and it makes it easy to keep competence records current by giving periodic tests every six months or annually.
Helping measure information security objectives
ISO 27001 also requires that information security objectives be measurable and that their achievement be monitored and measured. Assessment results can be a good metric for this. Other standards say similar things. For example, the PCI DSS, widely used for payment card security, says in its best practice guide on security awareness programs:
“Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective”
The PCI guide lists “feedback from personnel; quizzes and training assessments” among the useful metrics. In my experience, as well as using quizzes and tests to measure knowledge, it also makes sense to use online surveys to assess what employees actually do in practice and to give them a channel for reporting security concerns.
Testing on information security and data protection is a growing use case for Questionmark’s SaaS assessment management system, Questionmark OnDemand. Whichever security standard you follow (ISO 27001, NIST, PCI DSS or one of several others), creating online assessments tailored to measure knowledge of your organization’s own policies and procedures, using an assessment management system like Questionmark’s, can make a useful difference.