Security Awareness Planning. Christopher R. Johnson University of Advancing Technology May 29, 2012

Size: px

Start display at page:

Download "Security Awareness Planning. Christopher R. Johnson University of Advancing Technology May 29, 2012"

Edmund Jessie Clark
8 years ago
Views:

1 Security Awareness Planning Christopher R. Johnson University of Advancing Technology May 29, 2012

2 Why is security awareness important? Security awareness is a critical part of an overall strategy to control risks. In cooperation with other safeguards and technology, awareness is an integral tool of risk avoidance. It is an imperative that awareness training and planning coincide with policy. The best policies in the world are ineffective if they are not being followed. Employees cannot be expected to follow policy or protocols that they either do not understand or are unaware off. There are many obstacles and questions that management faces when designing awareness training and creating a plan of action. A part from meeting the needs of the business model, policy and training must also comply with federal, state, and even local regulation and laws when applicable. identify different standards and legislations that require organizations to have security awareness programs i.e. ISO & ("Security awareness compliance requirements," 2011).

3 The Workforce Potential obstacles Workforce Mindset Why should I care about security? What s in it for me? Negative perceptions of security. Extra work or just another way to get wrote up. How does it affect me as an employee? What s in it for me?

4 Management Potential obstacles Managements Mindset What will it cost? It will require more man power than it s worth. If it s not broke don t fix it. Extra equipment needed. Lost production lost time to training or securing work processes.

5 Basic concepts and pre-planning Overcoming the Human obstacle Pre-planning principles Assess current level of awareness. Pre-test, questionnaires, or surveys. What awareness, training, and/or education are needed (Wilson & Hash, 2003)? Drive home the most important principles, give examples of incidents, relate the risk to reality using the intranet page, , or some other form of electronic medium. Follow the KISS rule when designing reward and discipline procedures Offer incentives for following protocols and security guidelines. Make sure that the training is relevant to the specific risk of the business Make sure the training is current and has a testing element Have visual cues and reminders such as signs and screen savers as a reminder. Make security vital through management commitment and high visibility

6 Specific action plan Create an awareness training program that fosters awareness and also increases skills (Whitman & Mattord, 2006). Determine all specific regulations and laws that are applicable to business model Determine and categorize all existing security controls and procedures Make sure that all documentation and SOP s are up to date Establish formal review procedures for all policies as they relate to security, SOP s and protocols. Draft outline for specific training for each SOP as it relates to security, internal policies, and all other regulations. Choose a delivery method or third party systems for content delivery and testing. Set a mandatory training schedule. Set a compliance date for employees to complete required training. Setup formal procedure for recognizes significant policy changes that will require new training. Incorporate Awareness training into New Hire orientations Make sure any formal agreements specify the required and mandatory awareness training.

7 Pitfalls - things to avoid Always keep in mind that behavioral changes take time. Set realistic time frames. Self-paced learning may be an option. Have a clear and well defined goal and mission statement for your plan and training. Take the time in the pre-implementation phase to determine who is the target audience, what content they need and how you will convey that information (Spitzner, 2011).

8 What is gained? The most tangible benefit in a successful security awareness plan and training program is increased security for your assets ("Benefits of an information security awareness program," 2012). Changes in attitudes towards security and training as a whole. Good training often becomes value added to an employee through increased knowledge and job skills. Reducing security incidents related to personnel save money and resources that could be spent in ways that grow your business. Prevention of negative PR caused by security incidents. Shows the world and your clients that your company has a strong security posture. Covers and protects management and the company from potential legal liabilities or law suits by incorporating documentation, federal standards, and contractual agreements in your awareness plan and training.

9 References Benefits of an information security awareness program. (2012). Retrieved June 1, 2012, from Native Intelligence, Inc.: benefits.asp. Security awareness compliance requirements. (2011, July 19). Retrieved May 31, 2012, from SANS Institute: Spitzner, L. (2011). How to build an effective information security awareness program (Information Security Management). Retrieved June 1, 2012, from Search Security: techtarget.com/magazinecontent/how-to-build-an-effective- information-security-awarenessprogram. Whitman, M. E., & Mattord, H. J. (2006). Principles of incident response and disaster recovery. Course Technology. Wilson, M., & Hash, J. (2003, October 1). Building and information technology security awareness and training program. Retrieved May 30, 2012, from NIST: gov/publications/nistpubs/800-50/nist-sp pdf.

EXECUTIVE BEHAVIORAL INTERVIEW GUIDE

EXECUTIVE BEHAVIORAL INTERVIEW GUIDE INTERVIEW GUIDE INSTRUCTIONS: This Interview Guide is intended to help hiring executives conduct behavioral interviews for executive classifications covered by the