Part 1 : STRATEGIC : But let s begin with WHY : Why are we doing this?

Transcription

1 Part 1 : STRATEGIC : Why DO we care?? What is YOUR cri=cal message? And WHO do you need to reach? : I ll try and give you some pointers and ideas for where to look and how to figure that out for your cons=tuents and your ins=tu=on Part 2 : TACTICAL : Who delivers the message How : effec=ve methods for outreach, delivery, and determining effec=veness What : are some of the essen=al awareness topics to consider : But let s begin with WHY : Why are we doing this? 1

2 Why are we COMPELLED to provide Security Awareness training? WHAT is our MOTIVATION?? If you dis=ll the reasons down to their core components, it is clear, it is primal 2

3 it is not hunger (although cookies can be a persuasive mo=vator) Fear comes in many forms, it affects people differently, and it causes people to respond. It is a spectacularly effec=ve mo=vator : ( as history perpetually proves ) So : what are your Info Security fears? Your : Boss s, your students, Or your friends fears? Or your Uncle Bob what are his fears? 3

4 Think strategic level : C Levels have big picture fears Compliance with : Governance policies Laws and regula=ons Control : Informa=on Is POWER! - - actually, the FLOW of informa=on is Power, and that s what you need to control the full InfoSec CIA spectrum : Confiden=ality, Integrity, and Availability of informa=on flow : as it shapes percep=on and reputa=on So, our awareness goals should address these fears, and u=lize these fears! 4

5 What DO users fear? How are Staff fears different from student fears? And what do Faculty fear? When I ask this ques=on, frequently it is : fear of being electronically violated : computer compromised, informa=on stolen If you Find out their fears, and your awareness program addresses them, people will come and they will listen! 5

6 What do YOU fear? I fear failure or the consequences to others if I fail. OK, let s just say that LOTS of things scare me, 6

7 Use FEAR, but use it WISELY! this is classic personal safety training concept : convert their fears into situa<onal awareness, and then give them the tools to respond when crap happens. THAT Is what your Awareness Program should strive to do! 7

8 In the past, my experience with Info Sec awareness educa=on and training has been both REACTIONARY and AD HOC, That s not Bad, always good to take advantage of adversity But, it has NOT been comprehensively planned, and well designed to meet the STRATEGIC info security needs of the ins=tu=on and of our cons=tuents. SO: { What are our ins=tu=onal needs? ARE our efforts mee=ng those needs? Or the needs of our cons=tuents? } And the harder ques=on : How do we know if they are? Are there metrics or methods for assessing the effec<veness of our Awareness Educa=on and Training efforts? 8

9 I invite you to make the conscious effort to look at your Security Awareness Program" in the broader context of the overall security needs and security profile of the ins=tu=on, so that your efforts and your program most effec<vely align with those cri=cal needs One way to do this : Look at your Comprehensive WriLen Informa<on Security Program : You have one, right? (Hope it s not like my old one : write once, read never ) Lots of legal and regulatory mandates require one, so put it to use! Your Awareness and Training program should be suppor=ng this overarching goal. 9

10 Take your control structure, and look at each domain group : Note : regardless of what security control solu=ons you implement here be it a firewall rules, change management process, access control seongs, door locks, heat sensors, security cameras, phish mail blocks, vulnerability scan alerts, you name it in the end, there is a HUMAN involved in managing, maintaining, or monitoring those controls SO, again WHY are we doing this? 10

11 because PEOPLE are the weakest link in any security environment : When you look at the security walls we create with our breadth of controls and barriers, what is the universal solvent to ALL of these security control walls and barriers? its HUMANS!!! 11

12 NB: the dis=nc=on between AWARENESS Educa=on and TRAINING : ul=mately, goals of both are changing human behavior. awareness : bring issues to people that they ought to know or that would benefit them to know, but there is no impera<ve that they know it; eg, if a student s hard drive crashes, it would be god if they knew to make a backup beforehand. Training : provides knowledge that we require people to know and abide by, such as policy compliance or safe classified data handling; there may be externally imposed consequences to failure to abide, and there should be in place a means to verify that users have understood the training material. This could be as simple as an AUP click through, up to requiring that an employee become cer=fied for specific training and knowledge Awareness ini=a=ves can be both rela<vely easy, and high profile; whereas actual training will be harder to implement, harder to execute and verify, and more resource intensive. But, while awareness efforts might seem like they are a high priority, from an ins1tu1onal risk perspec1ve, you may need to focus on those areas where actual training is required NB : Business process integra=on of Info Sec into other projects : I m seeing an increase in this, as people become more familiar with both the need and my availability and exper=se. 12

13 or, coming down to ground level from 30,000 feet. Two approaches I am currently working on are : (1) Using the security framework sub- domains, extrac=ng awareness and training topics and mapping to key cons=tuency groups (A) Target awareness educa=on and training at the domains where the risk profile is highest, or where you ll get the most Risk mi<ga<on benefit for your efforts. (2) Compiling a comprehensive list of policy and regulatory compliance mandates, and again extrac=ng awareness and training topics and mapping to key cons=tuency groups My Goal : let cons=tuents take ownership of Informa=on Security issues and solu=ons on their own ini=a=ve - - and become ac=ve security prac==oners 13

14 Randall Munroe s unique perspec=ve on the weakest link 14

15 My for this part of the day : Provide some review of the day s presenta=ons, and perhaps a bit of addi=onal bits to get your thoughts and ques=ons ready for the panel discussion I was told I should. pull everyone and everything back together So, everyone, please pull yourselves and your notes from the day together while I distract you with a few more slides 15

16 IT Staff : includes : User Support Services / Help desk Academic support staff yes, even occasionally, technical staff including the SNS admins from the dark dungeons of the data center Departmental staff : target technophile department liaisons, keep them engaged, feed them the Kool- aid Student works & student groups : They ve got energy, and they hear what s going on in that large target community Commisera=ng peers from surrounding ins=tu=ons form a security group Senior Staff : if you can get their public buy- in, you are GOLDEN 16

17 Just a few slides on some common Awareness hot topics : 17

18 **** A dynamic domain, as the variety and number of networkable devices grows. END POINT SECURITY : BEST PRACTICES Secure Communica=ons : Client protec=on : OS & SW updates and security patch AV, malware, spyware, ransomware, etc. protec=on Data protec=on : local encryp=on regular backups to mul=ple repositories Device protec=on : keep it secure or keep it with you access code locks 18

19 19

20 Your password, to quote Gandalf in The Fellowship of the Rings : is it secret? Is it safe? 20

21 A few of the more common outlet categories for your panel discussion thoughts 21

22 22

23 Don t forget, AWARENESS IS GOOD FOR EVERYONE not just your ins=tu=on! Possible canned speech topics : ITSec - in one sentence? client security in a nutshell safe web best prac<ces in a nutshell Top three IS issues By Tutorial I mean a short, single topic, catchy informa=on blast 23

24 You should explore ways to measure the EFFECTIVENESS of your educa=onal and training efforts NB: The last bullet item : could either be from successful C- Level awareness prosely=zing, or from money laundering, so just watch out for that. Possible training and awareness resources : EDUCause training materials SANS training resources lynda.com other.edu training op=ons that can be obtained LMS (Bb, moodle, other) training course(s) : esp. for new hires 24

25 25