Isa Prog Need L

  1. Why an Information Security Awareness Program is needed in an Information Communications Technology Environment

  2. Information Security Vision
     - Information Security enables the protection of the privacy, operations, intellectual property and reputation of the business.
     - Information Security provides an effective set of policies, processes and controls within a governance structure that defines clear responsibilities, authority and accountability, and demonstrates the ability to measure and proactively manage Information Security risks, threats, compliance and effectiveness across the organization.

  3. Agenda
     - Why it is needed
     - Laws – Regulations – Guidelines
     - Implementation
     - Business Plan
     - Risk Management
     - Audit Considerations
     - Summary

  4. The Need for a Program
     - Designed to protect information
       - Policies and procedures
       - Informing users of their responsibilities
       - Monitor and review the program
     - It’s a people problem
       - Awareness
       - Training
       - Education
     (Source: Symantec)

  5. The Security Gap
     - Security technology is essential
     - Technology is not enough
     - Tighter security controls make the user the target
     - Technology cannot stop social engineering
     - Insider threat

  6. Laws – Regulations – Guidelines
     - Computer Security Act of 1987
     - OMB A-130
     - FISMA
     - HIPAA
     - PCI/DSS
     - SOX
     - GLB
     - ISO/IEC 27xxx
     - ID Theft Red Flags
     [Figure (after Porter): a stack of layers – Laws & Regulations; Security Standards & Best Practices; Organization’s Security Policies and Programs; Certification Process; Accreditation Process; Post Accreditation Activities]

  7. Security Awareness Program
     - Communicate security requirements
     - Communicate roles and responsibilities so that users understand proper security procedures
     - Create a baseline for monitoring and sanctions
     - Influence behavior and decision making

  8. Security Awareness Program Objective
     The objective of the Information Security Training, Awareness, and Education program is to change the actual behavior of people by raising awareness and providing appropriate training, so that each employee can protect confidential electronic information and:
     - better understand the risks when using and storing electronic information;
     - better understand how to reduce the risks to the confidentiality, integrity, and availability of confidential electronic information;
     - better understand their roles and responsibilities for the protection of information and systems.

  9. ROI from Security Awareness
     - Cost avoidance
     - Support of mission objectives
     - Protection of image
     - Prevention of downtime
     - Increased security of information from damage and destruction

  10. Risk Management
     - Framework for the risk management process
     - Assess risks
     - Senior management responsibilities
       - HIPAA – SOX – GLB – FISMA – PCI/DSS
     - FIPS Publication 102
     - Evaluate information usage requirements

     | Role | Responsibility |
     |------|----------------|
     | Business Owner | Determines value of business assets |
     | Information Security Group | Determines probability of impact on business assets |
     | Information Technology: Engineering | Designs technical solutions and estimates engineering costs |
     | Information Technology: Operations | Designs operational components of the solution and estimates operating costs |
     (Source: G.A.I.S.P.)

  11. Information Security Drivers
     - IT constantly changing
     - Greater connectivity
     - Increasing sophistication of hacking tools
     - Expanding risk
     - The weakest link in the security chain
     - Insider threat

  12. Conclusion
     Businesses must protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment. An effective IT security awareness, training and education program, as part of the overall IT security program, gives users the tools and information they need to protect a business’s vital information resources.