Educating the Masses


  1. Educating the Masses
      George J. Dolicker, CISA, CISSP | 06.04.08

  2. Agenda
      - In this session you will learn how to develop and deploy a balanced information security training and awareness program that will increase compliance within your regulatory environment, and result in evolved employee behaviors that are more resistant to both insider and outsider attack. There are two main focus areas to achieving these goals:
        1) delivering information that meets the needs of the organization and has significant perceived value to the employee; and
        2) an in-depth, visceral understanding of what is actually important in information security. You will leave this session with direction in the first, and well on your way on the second.
      - 75 minutes

  3. Agenda
      - Agenda
      - Two Critical Questions
      - Where Training Fits in Your Total Program
      - Goals
      - A Look at NIST 800-16
      - What You Really Need
      - Awareness Programs
      - Conclusions

  4. Two Critical Questions
      - How Do You Know?
      - Whom Do You Trust?

  5. Security Program Essentials
      - Policy
      - Training and Awareness
      - Perimeter
      - Host
      - Application and Content
      - Intrusion Detection
      - Incident Response
      - Audit and Assessment

  6. Security Awareness and Training
      - Goal: To educate the populace so that they...
          - Understand what is expected of them
          - Are aware of common user errors that can compromise security
          - Are aware of common attacks
          - Recognize abnormal events
          - Understand reporting avenues for suspicious events or activities
          - ... comply with applicable contracts, statutes, and regulations

  7. Security Awareness and Training
      - Consistently the Best Value for Dollars Spent
      - Combats 50%-80% of all Attacks
      - Raises the Index of Suspicion

  8. Security Awareness and Training
      - New-Hire Training
      - Annual Certification of Policy Understanding and Compliance
      - Customized Training for those with Elevated Privileges
      - On-going Awareness Events and Stunts

  9. Training vs. Awareness
      - Training is more formal, having a goal of building knowledge and skills to facilitate job performance. The learner in a training environment has a more active role in the learning process. The desired outcome of training is a change in behavior.
      - In Awareness activities, the learner is the recipient of information. Awareness relies on reaching broad audiences with attractive packaging techniques. The desired outcome of awareness is a reinforcement of learned behaviors, and an elevated index of suspicion.

  10. The Training Continuum
      (diagram slide; no text content)
  11. ISO-27002 on Training
      - Specifies that all employees of the organization and, where relevant, third party users, should receive appropriate training and regular updates in organizational policies and procedures...
      - ... before access to information services is granted.
      - Topics include:
          - Security requirements
          - Legal responsibilities
          - Business controls
          - Appropriate use
          - Log-on procedure
          - Use of software packages

  12. A Look Inside NIST 800-16: Information Security Technology Training Requirements: A Role- and Performance-Based Model

  13. IT Security Training Matrix
      (diagram slide; no text content)

  14. IT Security Training Matrix
      - Six Functional Specialties
      - Three Major Training Areas
      - (One Spare in Each Category)

  15. Functional Specialties
      - Manage
          - Chief Information Officer (CIO)
          - System Designer/Developer
          - Information Resources Manager
          - System Administrator
          - Network Administrator
          - Database Administrator
          - Data Center Manager
          - IT Security Officer/Manager
          - Program Manager
          - System Owner

  16. Functional Specialties
      - Acquire
          - Contracting Officer
          - Information Resources Management
          - IT Security Officer/Manager
          - Source Selection Board Member
          - Telecommunications Specialist
          - System Owner

  17. Functional Specialties
      - Design and Develop
          - Auditor, Internal
          - Chief Information Officer (CIO)
          - Information Resources Manager
          - System Owner
          - IT Security Officer/Manager
          - Records Management
          - Privacy Officer
          - Database Administrator
          - Program Manager
          - IT Security Officer/Manager
          - Network Administrator
          - Programmer/Systems Analyst
          - System Administrator
          - System Designer/Developer
          - Systems Operations Personnel

  18. Functional Specialties
      - Implement and Operate
          - Programmer/Systems Analyst
          - Internal Auditor
          - Chief Information Officer
          - Program Manager
          - Information Resources Manager
          - System Owner
          - Data Center Manager
          - System Designer/Developer
          - Database Administrator
          - System Administrator
          - IT Security Officer/Manager
          - Systems Operations Personnel
          - Network Administrator
          - Technical Support Personnel

  19. Functional Specialties
      - Review and Evaluate
          - External and Internal Auditors
          - Certification Reviewer
          - Information Resources Manager
          - IT Security Officer/Manager
          - CIO
          - System Owner
          - Program Manager

  20. Functional Specialties
      - Use
          - User
          - ('magine that!)
  21. Training Areas
      - Laws and Regulations
      - The types of knowledge, skills, and abilities relative to the laws and regulations pertaining to information and asset protection that govern the management and use of IT within the organization. These may include HIPAA, GLBA, Sarbanes-Oxley, and 21 CFR Part 11, as well as policies and procedures specific to an organization.

  22. Training Areas
      - Security Program
      - Knowledge, skills and abilities relative to the establishment, implementation, and monitoring of an IT Security Program within an organization.

  23. Training Areas
      - System Life Cycle Security
      - Knowledge, skills and abilities relative to the nature of IT security needed throughout each phase of a given system's life cycle. In this instance, a six-phase system life cycle model was used (Initiation, Development, Test and Evaluation, Implementation, Operations, and Termination).

  24. IT Security Training Matrix
          Six Functional Specialties
      x   Three Major Training Areas
      -   Non-Applicable Combinations
      =   46 Discrete Security Program Training Modules!

  25. IT Security Training Matrix
      - The Good News:
          - That's All You Need!
          - Mix and match to meet individual needs
      - The Bad News:
          - Yours is Different from Everybody Else's...
          - ... and it changes with
              - Technology
              - Corporate Culture
              - The Threat Environment
              - Your Security Policy
              - And TIME.
  26. Mix & Match Modules by Role
      (diagram slide; no text content)

  27. Mix & Match Modules by Role
      (diagram slide; no text content)

  28. Mix & Match Modules by Role
      (diagram slide; no text content)
  30. But What Do You Really Need?
      - Training Programs Based on a Combination of Policies and Good Practices
      - A Limited Group of "Roles":
          - All Users
          - Management
          - Audit and Security
          - IT
              - Operations
              - Development

  31. ISO-27002 on Training
      - Recommended Topics include:
          - Security requirements
          - Legal responsibilities
          - Business controls
          - Appropriate use
          - Log-on procedure
          - Use of software packages

  32. Delivery Vectors
      - Instructor-led
      - Webinar
      - Web-based
      - Video
      - CBT (computer-based training)
      - Pamphlets as adjuncts
  33. Security Policy-at-a-Glance
      (diagram slide; no text content)

  34. Security Policy-at-a-Glance
      (diagram slide; no text content)

  35. "Evaluation"
      - <shhh... this means "test"... but we can't say that>
      - Always include evaluations of learning
      - Document participation and effectiveness
      - Necessary for statutory programs
      - Bilateral evaluation: Person and Program
  36. Awareness Programs

  37. Awareness Topics
      - Password usage and management
      - Protection from viruses, worms, Trojan horses, and other malicious code
      - Policy and Compliance
      - Unknown e-mail/attachments
      - Web usage
      - Email
      - Spam
      - Data backup and storage
      - Social engineering
      - Incident response
      - Shoulder surfing
      - Personal use and gain issues
      - Handheld device security issues
      - Blogging
      - Use of encryption

  38. Awareness Topics
      - Laptop security
      - Personally owned systems and software
      - Patch Management
      - Software license issues
      - Supported/allowed software
      - Access control issues
      - Individual accountability
      - Use of acknowledgement statements
      - Visitor access
      - Desktop security
      - Protect information subject to confidentiality concerns
      - E-mail list etiquette
      - <Your Topic Goes Here!>
  39. Delivery Vectors
      - Messages on awareness tools (posters, "do and don't lists," or checklists)
      - Screensavers and warning banners/messages
      - Newsletters
      - Desk-to-desk alerts
      - Agency-wide e-mail messages
      - Videotapes
      - Web-based sessions
      - Computer-based sessions
      - Teleconferencing sessions
      - In-person, instructor-led sessions
      - IT security days or similar events
      - "Brown bag" seminars
      - Pop-up calendar with security contact information, monthly security tips, etc.
      - Mascots
      - Crossword puzzles
      - Awards programs
      - Audits
  40. Conclusions
      - Effective Security Training and Awareness Programs can gain >90% compliance with policy
      - Best "Bang for the Buck"
      - Must match YOUR culture and policy
      - Requires Executive Charter and Support
      - Requires tapping the creative side of the security staff

  41. Questions?
      Don't Forget the Session Evaluations!