IT Simplifier Webinar:

Transcription

1 IT Simplifier Webinar: How to improve security through your associates Institutionalizing Security Policy (Part 2 of 3)

2 Who is Bross Group? Bross Group is a premier IT consulting and talent management firm dedicated to helping clients across multiple industries with all of their IT requirements. Bross Group has a unique intersection of Service Delivery and Practice Areas that enable clients to enhance value and promote nimble technological restructuring. Founded in years developing, architecting and implementing successful solutions in various verticals Consultants average 17 years of experience in business information technology Consistently recognized as a Best Place to Work by the Denver Business Journal Microsoft Gold Certified Partner (2012) Nominated for "Colorado Companies to Watch" (February 2014) Certified Women's Business Enterprise (WBENC) Certified National Women Business owners Corporation (NWBOC)

3 4 Service Areas

4 What does Bross Group Do? SharePoint Business Continuity Mobile Solutions Cloud Office 365 Virtualization Analytics/BI Project Management Strategy Planning

5 Some of our work

6 Your Speaker Today is Cindy Gibson Bross Group Security Program Director Cindy combines a business-minded approach with strong technical acumen, Cindy is a certified Project Management Professional (PMP), Certified Agile Scrum Master (CSM), Certified Six-Sigma Green Belt, Certified Information Systems Security Professional (CISSP), and offers knowledge in COBIT processes, ITIL foundations and SDLC.

7 Agenda Improving Security Through Associates Making Security Stick Primary Security Program Compontents Top 20 Critical Security Controls & Relevant Security Policies Top 3 Security Risks Caused by Associates The Forgetting Curve & 3 Methods to Increase Retention Best Ways to Deliver Security Messages 10 Security Tips for Associates Summary

8 3 Security Program Components A successful IT security program consists of: 1) Developing IT security policies that reflects the organization s business needs and can be understood and followed by everyone 2) Informing users of their IT security responsibilities and training them on the security policies and procedures 3) Achieving long-term sustainment by establishing processes for monitoring and reviewing the program on a regular basis

9 Top 20 Critical Security Controls 1. Inventory authorized and unauthorized devices 2. Inventory authorized and unauthorized software 3. Secure configurations for HW/SW on mobile devices, laptops, desktops, and servers 4. Continuous vulnerability assessment and remediation 5. Malware defenses 6. Application software security 7. Wireless device control 8. Data recovery capability 9. Security skills assessment and appropriate training to fill gaps 10. Secure configurations for network devices (firewalls, routers, switches) 11. Limitation and control of network ports, protocols and services 12. Controlled use of administrative rights 13. Boundary defenses 14. Maintenance, monitoring, and analysis of audit logs 15. Controlled access based on the need to know 16. Accounting monitoring and control 17. Data loss prevention 18. Incident response and management 19. Secure network engineering 20. Penetration tests and red team exercises

10 Why Don t They Follow Policies? They don t know the policies If they do, no one is enforcing the policies Polices get in the way of productivity

11 Help Associates Get their Jobs Done Improving Security Through Associates Making Security Stick 1 Understand data flow & Determine Access Needs (On & Offsite) Making it Stick Long Term Sustainment & Compliance of Policies 5 2 Secure Corporate Infrastructure Institutionalize Security Policy By Communicating & Training Associates on a Regular Basis 4 3 Be Explicit About What Can & Cannot Be Done on Org Network & with Org Data

12 Low >50% Occurrence Probability Medium 50%-90% High > 90% Top 3 Security Risks Caused by Associates Qualitative Risk Assessment Inappropriate Access 1 2 Work Machines for Personal Use 1. 90% of end users have legacy access, giving them inappropriate access to proprietary information 2. 83% of end users use their work machines for personal reasons, transferring files between work and personal machines 3. 50% of data leaks are caused by unauthorized use of applications 3 Unauthorized Apps Low Medium High Impact on Business (Risk, Compliance, Costs)

13 The Forgetting Curve

14 Methods to Increase Retention 1. Compliance Annual training through a PowerPoint presentation, you get compliance with retention of <5% over 12 months 2. Compliance + Engagement Annual training through training videos, you get short-term retention of 80-90% with a slow decrease to 5-10% over 12 months 3. Compliance + Engagement + Strengthen Content plan based on: A. Annual security awareness training videos, with a competence requirement of 90% or better to pass placed after each video lesson B. Monthly security campaigns using visual imagery from the videos to call back to the content C. Consistent activities (i.e., lunch and learns) to give supplemental information to associates

15 Security Message Delivery Pens, key fobs, post-it notes, notepads, first aid kits, bookmarks, Frisbees, clocks, gotcha cards Posters, do and don t lists, or checklists Screensavers and warning banners/messages Newsletters Desk-to-desk alerts (e.g., a hardcopy, bright-colored, onepage bulletin either one per desk or routed through an office that is distributed through the organization s mail system) Organization wide messages Web-based sessions Computer-based sessions Teleconferencing sessions Videos In-person, instructor-led sessions IT security days or similar events Brown bag seminars Pop-up calendar with security contact information, monthly security tips, etc. Mascots Crossword puzzles Awards program (e.g., plaques, mugs, letters of appreciation)

16 Animated Versus Live Action Videos are being created for security content plans in two different mediums. Live action videos which are great at getting a quick reminder/message/motivator across the company, they are not as effective for training. Animation is much more effective because you are not limited to reality and you can easily have a server room fly in - behind an avatar your IT guy- without it looking cheesy and weird. You also have the ability to show words, and are not limited to one ethnicity, culture, etc. Animations can be funny in order to get the message across whereas live action videos need to be more general and broadly applicable.

17 Video Versus Posters Videos and posters serve two very different purposes and need to be seen as supplemental to each other NOT synonymous. A video is an effective tool for transmitting larger amounts of information because if done right- it grabs the viewers attention through movement and pictures. A poster is just like a billboard on the highway. You have about 2 seconds in which to catch the viewers attention and transmit information. Any poster that takes longer than a few seconds to get the message will be lost.

18 Newsletter Versus Poster Newsletters and posters are a common duo that shows up in conjunction with training videos but again they are NOT synonymous. Newsletters are great for transmitting larger amounts of supplemental training information (e.g., check lists, how to s, anecdotes) that are just too much for a poster. Because of this, newsletters are great informers and motivators Posters are much more effective reminders

19 Activities versus Events Activities and events are a traditional elements of an organization s content plan. Activities serve as a valuable tool in informing your users, motivating them, and keeping them up-to-date on constantly evolving threats. Events create a different, more interactive way of giving users more information on a topic they did not pick up the first time or behaviors they need more motivation to perform.

20 Top 10 IT Security Tips for Associates 1. Never give out login credentials (over the phone, in person, ). Any competent IT department would never ask for your login credentials in any circumstance. 2. Roll the mouse pointer over a link to reveal its actual destination, displayed in the bottom left corner of the browser. In Microsoft Outlook it is displayed above the link. 3. When using public Wi-Fi, refrain from sending or receiving private information. 4. Report any loss or theft of your company issued smartphone/tablet/laptop immediately to IT. 5. Be leery of items from unknown sources or even suspicious links from trusted sources. When in doubt, chuck it out!

21 Top 10 IT Security Tips for Associates 6. Stop. Think. Click. Think twice before clicking that link. 7. Report any security incident (ex. responding to a scam with your login credentials) to IT immediately. Do not fear reprisal or be ashamed, such incidents are expected given today's threat landscape. 8. Use a different password for every website. If you have only one password, a criminal simply has to break a single password to gain access to all your information and accounts. 9. If you have difficulty remembering complex passwords, try using a passphrase like "I love getting to work at 7:00!" Longer passwords are harder to crack than shorter complex passwords. 10. Never leave your smartphone, tablet, or laptop unattended in a public place.

22 Summary Making it Stick Reduce risk by instutionalizing security policy into your culture through communications, monitoring and enforcing security policies Be Clear Write or edit existing policies to help associates understand what they can and cannot do on the corporate infrastructure and with corporate information Institutionalize Security Policy Continually raise the profile of security through communications and training to begin institutionalizing security policies

23 Resources SANS 20 Critical Security Controls SANS Security Policies NIST Publication /nistpubs/800-50/nist-sp pdf NIST Publication /nistpubs/800-16/ pdf Tech Republic log/it-security/short-and-pithyit-security-tips-for-users/8626/ Mad Security making-content-stick-retention/

24 Questions? To contact Cindy Gibson:

25 Increasing the value of today's webinar experience Visit brossgroup.com/blog today's presentation is available to download Check out the schedule of other upcoming Bross Group webinars and don t forget to share these resources with your colleagues. Contact Bross Group account executives if you would like help with your security program (303)