1 Oct 29 th, 2013 Importance of Security Awareness training John Ecken
2 WELCOME About Me What is Security Awareness? Importance of Security Awareness What should be included in a Security Awareness program Types of Security Awareness programs Follow Me
3 Background Born in Louisville, KY 20+ years in IT Extensive IT training and consulting background CISSP / HIPAA Consultant
4 WHAT IS SECURITY AWARENESS Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and especially, information assets of that organization. Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.
5 WHAT IS SECURITY AWARENESS Confidentiality Security Traid Integrity Availability
6 WHY IS SECURITY AWARENESS IMPORTANT The behavior of employees with access to data affects information systems and assets. Security can't be guaranteed. The human factor (what employees do or don't do) is the biggest threat to information systems and assets.
7 WHO NEEDS SECURITY AWARENESS All users security basics Executives security basics and policy level training in security planning and management Program and functional managers security basics and management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
8 WHO NEEDS SECURITY AWARENESS Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning. IT function management and operations personnel security basics; management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
9 BENEFITS OF AWARENESS Provide better protection for assets Improve morale Save money Give your organization a competitive advantage and protect and enhance your organization's reputation and brand Reduce the potential for fines and mandatory audits Reduce the potential for lawsuits against your organization
10 WHAT SHOULD BE INCLUDED IN MY PROGRAM Topics should consist of existing organizational policies and procedures and industry best practices These topics will help employees understand why security awareness is important and guide them in knowing how to prevent incidents from happening and what to do if one occurs.
11 WHAT SHOULD BE INCLUDED IN MY PROGRAM Physical Security Desktop Security Wireless Networks and Security Password Security Phishing Hoaxes Malware File Sharing and Copyright
12 TYPE OF AWARENESS PROGRAMS Classroom-Style Training Security Awareness Website helpful Hints Posters s Promotions E-Learning Hybrid Approach
13 PROGRAM BEST PRACTICES Documented. Widely accepted. Developed by knowledgeable bodies. In compliance with existing laws and regulations. Effective at providing reasonable assurance of desired outcomes. Continually reviewed and improved upon.
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.
Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning
ISMS User s Guide for Medical Organizations Guidance on the Application of ISMS Certification Criteria (Ver.2.0) ISMS: Information Security Management System 8 November 2004 Japan Information Processing
CLOUD COMPUTING READINESS VOLKER RATH VOLKER RATH 1 CONTENTS HOW SHOULD THIS GUIDE BE USED? 2 WILL MY COMPANY BENEFIT FROM 2 TRANSITIONING SERVICES TO THE CLOUD? CLOUD READINESS OVERVIEW 3 SECURITY CONCERNS
Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...
Security Officer s Checklist in a Sourcing Deal Guide Share Europe Ostend, May 9th 2014 Johan Van Mengsel IBM Distinguished IT Specialist IBM Client Abstract Sourcing deals creates opportunities and challenges.
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
Data breach notification guide: A guide to handling personal information security breaches August 2014 The Office of the Australian Information Commissioner (OAIC) was established on 1 November 2010 by
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for
Northwestern University Feinberg School of Medicine Information Security at Feinberg School of Medicine Past, Present, Future Advisory Council for Clinical Research Monthly Lecture Series October 18, 2013
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
Cyber-Security Essentials for State and Local Government Best Practices in Policy and Governance Operational Best Practices Planning for the Worst Case Produced by with content expertise provided by For
The Cyber Security Council has requested basic "state of the state" cyber security information from each member firm of the Association. While the information that was requested in the survey questionnaire
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
INTERNATIONAL STANDARD ON QUALITY CONTROL 1 QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF FINANCIAL STATEMENTS, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS (Effective as of December
Why Integrate Physical and Logical Security? White Paper Author John Carney, Senior Technical Manager, Cisco Government and Security Solutions This document is the first in a series of papers from Cisco
A REPORT BY HARVARD BUSINESS REVIEW ANALYTIC SERVICES Meeting the Cyber Risk Challenge Sponsored by ABOUT ZURICH INSURANCE GROUP Zurich Insurance Group (Zurich) is a leading multi-line insurance provider
Good Decision-Making Guide Good decisions make good sense Introduction Today s community expects that public agencies will operate consistently and fairly and that government at all levels will have systems
Job Family Standard for Administrative Work in the Information Technology Group, 2200 TABLE OF CONTENTS INTRODUCTION... 2 COVERAGE... 2 MODIFICATIONS TO AND CANCELLATIONS OF OTHER EXISTING OCCUPATIONAL
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1