Information Security Awareness

Transcription

1 TASSCC Annual Conference 2008 Information Security Awareness -Beyond New Employee Orientation- 1 William Tompkins, CISSP, CBCP Teacher Retirement System of Texas August 11, 2008

2 William Tompkins William Tompkins is Information Security Officer at Teacher Retirement System of Texas. He has more than 25 years of technical, managerial and consulting experience in information technology and more than 17 years in information security. He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional. He was the Manager of Texas Department of Transportation s Information Security Section and Project Manager of the Information Security Program which was selected as Computer Security Program of the Year 1994 by CSI (Computer Security Institute). William was elected to the ISSA Hall of Fame in 2006 by the ISSA International Board of Directors. (Information Systems Security Association) Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and Certification in Risk Management from University of Texas at Austin Division of Continuing Education. 2

3 By the end of this session you will be able to identify: How to... Ensure employees are really aware of security policies and their responsibilities Build and/or maintain security awareness program that is effective through the whole life of employees. Comprehensive Effective Security Awareness Program 3

4 Information Security Awareness Program Goal To make people understand the value of the information they handle and the need to protect it 4

5 Information Security Awareness Providing Awareness, leads to Understanding Change in Attitude Change in Behavior! 5

6 Management may ask, Why implement a security awareness campaign? Communicate policy to the user community and encourage compliance Mitigate the Security versus Usability equation Defend against social engineering threat components User awareness enhances the overall security profile 6

7 Employees ask, Why have Awareness Education? To increase awareness of Information Security practices To provide a better understanding of Information Security 7

8 The Good News... Computer users want to learn more about how to protect themselves and their computers 8

9 Know your audience Executives and Senior Managers/Directors Business Unit Managers & Team Leaders Regular Staff, Temp Hires & Contractors 9

10 Types of message NEO (New Employee Orientation) Business Unit specific Recurring Hot topics home user, recent events (organization impact ; IT industry impact ) Posters Walkthrough (Report to exec & Reward to Users) Inform users of InfoSec activities 10

11 N E O (New Employee Orientation) Best Practices = Good Habits Examples: Protect access to your electronic accounts Avoid computer malware Perform routine backup procedures Policy 11

12 Employees ask, Why is security needed? Manage Risk sensitive information financial loss loss of credibility failure to produce reliable information legal liability Compliance Requirements Law Policy 12

13 Laws & Policies Industry standards Government regulations Organization policy 13

14 Information Security Responsibilities IT Department Dotted line security Network, Database, Storage and backup Printers and Print distribution Logging and monitoring Secure programming 14

15 Sell Security Day-to-Day To be effective Use marketing concepts Advertising Branding 15

16 Advertising Convert your security policies to three to five concepts and taglines that can be reinforced on a continual basis in a variety of media. 16

17 Once words have left your mouth, you can never take them back! Protect TRS member information 17

18 You can't unring a bell or squeeze toothpaste back into the tube. And You can t untalk about Protected Health Information 18

19 Create a brand Once you have your brand, think about how to communicate your three to five concepts. 19

20 Sample Concepts Protect printouts & access to them Copies made by whom ing to?? Active distribution of data to proper recipients Appropriate attachments 20

21 How to Reinforce the message Prizes gift certificates / Thank You letter from CEO Surveys annually; user assist in developing Reminders Chalkboard & TRS-News Posters Recurring s & Intranet Highlights 21

22 Perform ongoing assessment Don t wait for your next audit Test it yourself, or work with a vendor Continual testing Ongoing feedback and revision loops Assessment is key to identifying what works and what doesn't. 22

23 Summary Security information has value; both personally and professionally Security policies exist for business-driven reasons and they are enforced for everyone Security solutions can impact usability; communicate before solutions are implemented Security awareness is a long term process 23

24 Q U E S T I O N S? Thank You William A. Tompkins (512) [email protected] 24

25 Assessment COBIT doesn't have a section dedicated to information security awareness and training, but there are specific references to it in the following sections: PO6 Communicate management aims and direction. PO7 Manage IT human resources. DS5 Ensure systems security. DS7 Educate and train users. 25

26 Assessment The COBIT maturity model for training (DS7 - Educate and Train Users) specifies the following requirements for each of its 5 maturity levels: 26

27 COBIT - DS7 Educate and Train Users Level 0 -- Non-Existent Initial/Ad Hoc Repeatable but Intuitive Defined Process Managed and Measurable Optimized Requirement There is a complete lack of any training and education program. Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices. Informal training and education classes are taught... Some of the classes address the issues of ethical conduct and system security awareness and practices. Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored... All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance... Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. There is a positive attitude with respect to ethical conduct and system security principles. 27