ISMS Cases 2. Ricoh Electronics, Inc. (Manufacturing Company in the United States)

Ricoh Electronics, Inc. (REI) obtained its ISMS certification in October 2005, becoming the first of Ricoh's overseas production companies to be ISMS certified. An integral component of achieving the original certification and of being recommended for re-certification is the ongoing training and awareness activities conducted with employees.

Creating a Culture of Responsibility
REI has recognized that after policies and
procedures are established, information security lies primarily
in the hands of employees. Their habits and actions every day can
protect or jeopardize key information assets. Because of this, REI
communicates the importance of information security through a variety
of methods, from promotional items to employee award programs, so
the message is continually reinforced to employees.
![Logo of PDCA model [Figure 1]](img/case2_im01.gif)

Figure 1: Logo of PDCA model
All ISMS communications and promotional items, such as monitor mirrors and retractable badge reels, bear ISMS logos. Two logos were created that feature the ISMS "Plan-Do-Check-Act" (PDCA) model and promote individual responsibility.

Handy reference cards are given to employees that highlight key points of the ISMS handbook. A separate reference card is produced for office and production staff, so that each is relevant to its work environment.

Posters and monthly newsletter articles help educate and remind employees to keep information secure.

Two of REI's award programs recognize employees for excellence in managing information security under the category of corporate citizenship. Corporate citizenship extends beyond environmental responsibility and involves creating a strong, trusting relationship between Ricoh and its customers.

Every week, production supervisors use 10 minutes during a meeting to lead a security discussion. Job-aids, or short bullet-pointed information sheets, are provided to aid in the delivery of information and to ensure consistency.

ISMS Unit Managers oversee ISMS responsibilities in their respective business groups and serve as a knowledge base. One new activity they will implement this term is to host roundtable meetings - an open floor discussion where general ISMS or REI-specific questions can be answered.

Information security is a serious matter, but there is no reason not to have a little fun with it! REI promoted the "clear-desk, clear-screen" policy with a fun game using a porcupine mascot, Spike. See the sidebar for more information on the Spike mascot game.
![Handy Reference Cards [Figure 2]](img/case2_im02.jpg)

Figure 2: Handy Reference Cards
Sidebar: How the Spike Game Works

- If an employee steps away from his desk without locking his PC, a porcupine stuffed animal named Spike is placed at his desk.
- Spike remains there until that employee spots another colleague stepping away from an unlocked PC, or until he is returned to a neutral area to free him to "roam" again.
- While in their possession, employees must keep Spike in a visible location.
- ISMS Area referees were identified to keep the game in action.

[Figure: The mascot used in the "Spike" game]

Harnessing the Power of Technology
REI incorporates the latest technologies to help communicate ISMS messages:

Logon Messages

Logon messages are short videos that appear automatically when an employee logs onto his or her computer. The messages are animated, short - under a minute in length - and contain ISMS tips and reminders using memorable themes. The messages are created with the SWiSHmax software program, which creates Shockwave Flash files. This communication vehicle has been so successful that it is now also used to deploy SOX program information and other important company reminders.

Digital Messaging System

Digital messaging is an electronic in-house communication system that displays pertinent company information on plasma screens. The plasma screens are located in lobbies and employee lunchrooms, and have been particularly helpful in reaching production employees, who do not have easy access to computers for ISMS information. ISMS messages remind employees of physical security measures to take, such as wearing employee identification badges, displaying parking permits and not propping open doors.

Online Learning

An online learning course, supplied by Ricoh Company, Ltd., educates employees on key ISMS policies that promote a safe and secure work environment. Every employee with access to Lotus Notes must complete the course and obtain a score of 80% or better to pass. New employees are automatically registered through an interface with PeopleSoft, REI's HRIS system. An e-mail invitation is sent to the employee, as well as monthly reminders on incomplete training.

Company Intranet Site - Newswire

REI employees can access the company intranet page for ISMS information, including the ISMS handbook, handy reference guides, links to the e-learning website and an auditee's guide.

Improving Security Awareness through Assessment

[Figure: Some REI members, after the registration of ISMS certification (California, USA)]
REI assesses the success of training and awareness
activities by gathering information from two groups of employees.
IT/S Steering Committee members are periodically surveyed, using
a Delphi Opinion Survey, to measure the effectiveness of communication
tools for office and production staff. The information gathered
by this survey enables ISMS campaigns to be targeted to each audience.
For example, security awareness posters, digital messaging and supervisor
job-aids were reported to be highly effective with production staff.
Office employees responded well to ISMS reference cards, logon messaging
and the Spike mascot game (see sidebar).
An assessment survey is periodically given to employees to measure
the effectiveness of ISMS training activities in building understanding.
Employees from different REI functions and facilities answer 20
multiple choice questions on REI security policies and general e-mail/Internet
safety. The results of the survey provide key metrics necessary
for the ISO 27001 certification and identify employee knowledge
gaps. ISMS campaigns are then created to focus on those topics to
increase understanding and bridge the gaps.