Any company that wants to ensure the highest levels of security is likely to find that the biggest challenges involve company culture and organisation rather than technology implementation. In a report entitled 'How to manage an information security awareness programme', analyst Rich Mogull of technology research firm Gartner said: 'IT security managers must create clear, enforceable security policies and lead by example to promote a "security-aware" corporate culture ... Employee education and accountability will be key components of the programme.' Mr Mogull recommends that companies create a concise security policy and have employees sign it to ensure accountability. He said the policy should cover areas such as acceptable usage, remote access, information classification and privacy, and password management. Once the policy has been drawn up, he recommends that companies introduce education programmes to raise security awareness among employees. 'Education is a critical element of information security awareness. It's difficult to be aware of security incidents if you don't know what the issues are,' he said. He recommends dividing education into two parts: company policies, and how to protect yourself. 'Employees should understand why security is important and how it affects the health of the company and their work ... All employees should understand that their personal efforts make a difference.'

Meanwhile, in a separate report entitled 'IT security and operational management must converge', Gartner recommends closer co-operation between the IT security and IT operations teams to ensure that security needs are met in large enterprises. The report's authors, Mark Nicollett and John Girard, say that one way this closer working relationship can manifest itself is in the evaluation of software before a purchasing decision is made, so that security configuration issues are taken into account.
'The IT security group's role in this process is to define system security and administration policies, initiate mitigation projects, and monitor mitigation progress and the overall security state of the environment,' the analysts said. 'The IT operations group's role is to collaborate with IT security to define security configuration policies and exception cases, and deploy the network, server and desktop changes needed to implement the security configuration policies.'

However, the authors admit that the security team and the operations team may at times find that the different approaches to their tasks make co-operating difficult. The purpose of the security team is to identify and eliminate security risks. Typically, once a flaw is found, the security team will recommend changes to the system to rectify the issue. However, this must be done without disrupting system availability and service levels, which are the responsibility of the operations team. Consequently, the operations team may be reluctant to make changes. 'Many attempts by IT security groups to implement security configuration management programmes stall at the intersection with IT operations due to several reasons, including differing responsibilities and organisational perspectives, and tool and technology issues,' the authors said. To avoid such problems, the report recommends that IT security groups 'prioritise security-related changes and also provide a business justification so that security changes can be weighed against other change requests'. For example, if the wholesale changes required to eliminate a flaw are tied to regulatory compliance requirements, they could carry a higher priority.