  1. IT Advisory and Assurance: Security Awareness & Training
     Chris Gould, BS 7799 Lead Auditor
     Director, Head of IT Advisory and Assurance, Risk Advisory Services
     RISSPA Conference, Moscow, 10 April 2007
  2. Agenda
     Definitions
     Why start an Information Security Awareness Program
     Objectives
     Benefits
     Approach
  3. Definitions
  4. Definitions
     SANS: The process by which you make everyone on your network aware of what your security policies and practices are, what is expected of them, and how they handle your information.
     ISF: Information security awareness is the degree or extent to which every member of staff understands:
       the importance of information security;
       the levels of information security appropriate to the organization;
       their individual security responsibilities;
       and... acts appropriately!!!
  5. Why Start an Information Security Program
  6. Why start an information security awareness program
     People are the biggest threat to security:
       They do ‘stupid things’
       They don’t understand the implications of their actions
       They don’t think the rules apply to them
     But people can be improved ☺
       Pavlov showed the way with dogs
       Now we can show the way with our people
  7. The weakest link…
     ITAA - META Group Cyber-Security Survey: What do you consider to be the weakest area that organizations must deal with to protect their information systems?
     (Pie chart, categories and percentages as extracted, in reading order)
       Website Security: 11%
       Virtual Private Networks: 0%
       Anti-Virus Software: 11%
       Staffing: 4%
       Background Checks: 11%
       Physical Access: 7%
       Network Administration: 2%
       Infosec Processes and Methods: 18%
       Employee Training: 27%
       Firewalls: 9%
  8. Why?
     We need to look for ways to improve people!
     Should make security everyone’s business
     Policy and procedures need to be understood to be complied with
     End users play a vital role in information security
     Gets buy-in and cooperation on all levels
     Avoids ‘mistakes’
  9. Complex environments increase the risks
     Distributed, open, scalable, high-availability infrastructures are becoming more common: it is a BIG world out there and we have to provide trusted access to potentially “everyone”.
     And the enemy is getting more sophisticated. Even a child can use many of the tools… not like it used to be.
     Therefore our people need to understand the threat and know how to recognize and respond to an issue. They need to be trained and kept aware of threats!
  10. Why does security awareness and training fail?
     Only done when someone joins
       No conditioned response
     People don’t like to change
     Lack of management commitment
       Time for people to attend
       Resources to support a proper program
       Attendance themselves
     Program itself is not appropriate
       Too technical
       Boring
       Not relevant
       Confusing
  11. Therefore we need a program that:
     Recognizes resistance to change and focuses on changing behavior
       Psychological factors are very important
     Provides an individual with motivation
     Transfers responsibility
       Or at least makes it feel that way
     Is delivered in a way that is acceptable to all the various structures and cultures in the organization
     Is not very optional!!!
  12. How?
     Make it fun and entertaining
       But still maintain the serious nature
     Have real goals
     Fit into the schedule
     Take advantage of trainers who have good change management experience
       Understand the nature of change of behavior
       Know how to motivate
       Know how to reward (even without giving)
  13. Objectives
  14. Objectives
     (Diagram: Prevention, Education, Protection, Reaction and Detection arranged around the central statement below)
     Employees who understand the need for security and know their individual responsibilities are the best protection a company can have!
  15. Benefits
  16. Benefits
     Security Awareness
     Protection: Misuse of information and harm to resources can be prevented by knowledgeable and aware employees.
     Reaction: An aware staff will react quickly and appropriately if attacks on the security of information occur.
     Detection: With training and guidance, employees will learn to recognize attempted misuse of information.
  17. Benefits – reduced risk
     Understanding of information value and sensitivity
     Definition of corporate security architecture
     Better security in new systems
     Increased system integrity
     Cultural change
  18. Benefits – Increased System Integrity
     Password controls and usage
     ID sharing
     Confidentiality
     Backup of data
     Virus avoidance
     Intrusion detection
  19. Benefits – operational improvements
     Less help desk activity
       Or more focused at least
     More effective access request process
       Maybe improving segregation of duties controls
     Improved end-user efficiency
     Reduced ‘accidental’ incidents
     Easier acceptance of new standards and policies
     It is part of the fabric of the way we work!
  20. Approach
  21. Approach
     Effective security awareness is achieved through an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.
     Must be relevant to the audience and consistent with their values and goals: if security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
     Delivered through an ongoing, continuous program of work, as opposed to a finite set of activities that stop and are not continued.
     Benefits must be quantifiable in order to determine value for money and whether the program itself is successful in achieving its objectives.
     Should not only result in a security-positive change in behavior, but that change should last longer than the program itself.
  22. But like all change… it takes time….
  23. ISF has a suggested approach
     1. Set objective for security awareness
     2. Scope and design security awareness programme
     3. Develop and deliver security awareness campaigns
     4. Evaluate effectiveness of campaigns
  24. Approach must consider…
     Education of new and existing employees
     Who will develop and implement the course
       Training specialists
       Security specialists
       Others
     How to maintain momentum
     Deal with new threats
  25. Therefore it should…
     Definitely be done as part of new employee orientation
     But be an ongoing process
       Refresher training
       Presentations
       Poster campaigns
       Newsletters
       Quizzes – or exams (we have mandatory)
     And include ALL management and staff
  26. Nine factors for success
     Top management support
     Clear lines of responsibility
     Comprehensive, well-designed program
     Consistent efforts
     Policies tailored to the organization (not downloaded from SANS)
     Simplicity and fun
     Enforcement
     Regular review
     Measurable results
  27. Presenter’s contact details
     Chris Gould, KPMG Limited, +7 (495) 937 4477
     The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
     © 2007 KPMG Limited, a company incorporated under the Laws of the Russian Federation and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia.