Study of Security Awareness Training
- Angelica Sullivan
- 8 years ago
Transcription
Slide 1: Study of Security Awareness Training
Steve Kruse, RSA Security
Bill Pankey, Tunitas Group
Paradox, Explanations, Conclusions
Innovation Norway, Feb 04, 2010

CSI / FBI Computer Crime Survey
- Annual study of infosec events and security practice in the US
- Estimates losses from computer crime
- Type and frequency of exploits
- Survey of security practice / response to threats
- Commonly used baseline for:
  - Risk assessments
  - Security budget justification
Slide 2: 2007 CSI Finding: Minimal UAT* Budgets
[Chart: % of security budget spent on UAT; values shown: 22%, 48%, 6%]
2007 security budgets average between 3-5% of total IT budget
* UAT: Security Awareness Training

Counter Indications
Conventional wisdom among US security practitioners is that end users are the greatest security threat:
- 85% of security breaches involve end users ~ Forrester
- End user web surfing is the primary source of network infection ~ Symantec
- borne compromise of end user accounts has been the initial entry vector for 100% of advanced persistent threats (APT) ~ Mandiant
- Any basic handbook of computer security
Slide 3: The Paradox
"You can't service pack the end user" - Mike Nash, Microsoft
Is there an inverse Pareto principle at work: spend the least on the biggest problem?
- High recognition of end user involvement with security breaches
- Relatively low spending on user security awareness training
Is the security industry guilty of risk management malpractice?
Study resolved to understand / explain this apparent paradox

2009 Survey of Security Awareness & Training
- 57 questions:
  - UAT budgeting & rationale
  - UAT metrics & accountability
  - UAT practices
- Respondents recruited from:
  - UseNet / Yahoo UAT interest groups
  - Metricon audience
Disclaimer: No sampling control
Suspected bias in self-report survey results:
- More, rather than less, interest in UAT than among typical security practitioners
- Natural tendency to over-estimate the quality of their security program
Slide 4: Sample validates CSI Finding
Survey sample places only slightly greater emphasis on UAT than the CSI study:
- 55%: less than 2% of security budget
- 13%: greater than 8% of security budget
Differences are either not significant or indicate a very slight increased emphasis on UAT

Security UAT budget in context
True cost of UAT typically masked:
- Security budgets typically are not burdened with the cost of the users' time spent on UAT
- Only 1 respondent reported that UAT training time is charged against the security budget
- Total cost of user training time is likely to be the most costly component of UAT
- 93% of respondent companies require UAT for all employees at hire; 75% annual refresher training
- 53% of respondents require at least 1 hr per employee
Slide 5: Security UAT budget in context (2)
Security program's UAT expenditure is either very efficient or very wasteful of company (human) resources:
- UAT budget includes preparation, delivery and management costs for a significant expenditure of corporate resources
- Normalized UAT management cost metric: security program UAT budget / (total # of user training hours * loaded labor rate)
- Measure of efficiency? or inattention?

Questions about the rationale for UAT
Is there formal documentation of anticipated UAT benefits? If so, where?
- Security plan: 65%
- Security policy: 42% (pro-forma?)
- UAT business case: 35%
- Individual campaign proposal: 5%
But, often there is no accountability for benefit statements: 60% of respondents report no management review or approval of the above
Slide 6: UAT Rationale
What is used to justify the commitment of users' time to UAT?
- Regulatory requirement: 73%
- Unspecified "security benefit": 65%
- External auditor report: 45%
- Expected increase in user accountability: 15%
Basis for rejection of requests for increase in mandated UAT (100% of respondents)?
- Unspecified management priorities: 70%
- Weak business case: 16%

Lack of UAT Effectiveness Performance Measurement
Few companies tracked meaningful measures of UAT performance:
- Training completion / compliance rate: 100%
- (User) behavioral / attitude measures: 13%
- Correlation with security incident metrics: 7%
Management satisfaction determined by:
- CSO / CISO: 67%
- CIO: 25%
- Compliance: 13%
- HR: 13%
Slide 7: Illusory UAT Management
"You can't manage what you don't measure" - Drucker
60% claim success of UAT to:
- Reduce security incidents
- Address root causes of security breaches
- Increase compliance with security policy
While focusing on cost (rate of training completion)
But avoiding collection of UAT performance / effectiveness metrics

Few Meaningful UAT Metrics
Focus on activity rather than benefit realization:
- Security Metrics, Jaquith: % of staff completing security awareness training? (6) Correlation of tailgating rates w/ training latency
- Metrics for IT Service Management, ITSM: % of staff not at optimal training level? (10) Poll of callers to service desk
- NIST SP Performance Measurement Guide for Information Security: % of employees in security roles receiving specialized security training (1)
Slide 8: Do UAT metrics obscure the security objective?
Common UAT metrics available to establish industry baselines may miss the point:
- They implicitly assume the effectiveness of training, i.e., the results of management
- Without the relevance, credibility and appropriateness of the training, the completion rate indicates nothing about the security value of the UAT program
- Currently these measures are primarily cost metrics reflecting the scale of resource (end user time) consumption

Meaningful UAT Metrics imply Strategy
The security role of the end user is specific to the company and its security strategy. Is the user:
- A threat to be engineered around?
- An actor whose behavior needs the constraint of policy?
- A source of detective or corrective control?
- All of the above? Some of the above?
The view of the user determines the objectives of UAT (improve user performance in the security role):
- What and how much risk awareness
- Will vary with industry and company culture
These UAT objectives will determine metrics
Missing industry benchmarks
Slide 9: Standardization of Security Awareness
Effectiveness of UAT has to be measured against expectations of security strategy:
- Some user roles are expected to have more, rather than less, general security / risk awareness
- Some user roles are expected to take specific action in response to events
Standardization of user expectation facilitates development of appropriate metrics and establishing meaningful industry baselines

Maturity Model for User Security Awareness
- Blissfully unaware: Little recognition or acceptance of most information security threats. At this level, the prevalent view is that information security is a property of IT systems and largely a matter of architecture and configuration. Security largely independent of user behavior.
- Consciously incompetent: Some recognition that there is an information security threat, but: poor risk assessment skill and intuition; uncertain of action needed to protect company information assets; will do nothing rather than create further harm.
- Compliant: Aware of risks identified in company policy. Will take action identified in company security policy.
- Risk aware: Considers information security risk in performance of company duties, but unsure of appropriate action; sometimes will report incidents.
- Competent & practiced: Takes appropriate action within scope of role; otherwise reports incidents.
Slide 10: UAT Goals re Targeted Maturity Level
- Blissfully unaware
  - User: heads-down routine data processing roles
  - No UAT?
- Compliant
  - User: Industry with little discretionary access control (e.g. banking). Users locked down by restrictive policy.
  - UAT: Policy training
  - Metric: Correlate policy violations with training latency
- Risk aware
  - User: Industry with significant discretionary access (e.g. health)
  - UAT: Policy training + threat identification
  - Metric: # of anomalies reported by users

Example Scenario: An end user sees what could be a company-owned laptop in an unlocked car in the facility parking lot. What is the end user expected to do?
- Blissfully unaware: Where company security tolerates the unaware user, e.g. where whole disk encryption has been implemented for all company laptops ~ nothing
- Compliant: Where company policy prescribes all security obligations ~ only what is described in policy
- Risk aware: Where the company security model depends upon actions of end users ~ alert company facility manager; security officer
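As an added example (not part of the presentation), the Python below computes the two metrics the slides actually name: the slide 5 normalized UAT cost ratio, and the "correlate policy violations with training latency" metric from slides 7 and 10. The training-completion and violation records are constructed, and the latency bucket boundaries and user names are assumptions; a company would substitute its own LMS completion export and policy-violation or tailgating records.

```python
"""Training-latency metric for user awareness training (UAT).

Latency = days since a user's most recent completed UAT. Violations are counted
per bucket of latency and divided by exposure (user-days spent in that bucket),
so a bucket with few users is not misread as low or high risk.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (hypothetical users and dates).
TRAINING_COMPLETIONS = [
    ("alice", date(2009, 1, 10)),
    ("alice", date(2009, 7, 15)),
    ("bob",   date(2008, 6, 1)),
    ("carol", date(2009, 3, 20)),
    # "dave" never completed UAT in the window.
]
POLICY_VIOLATIONS = [
    ("alice", date(2009, 5, 2)),   # 112 days after her January training
    ("bob",   date(2009, 2, 14)),  # 258 days after his last training
    ("bob",   date(2009, 9, 30)),  # 486 days after his last training
    ("dave",  date(2009, 4, 1)),   # never trained
]
WINDOW_START, WINDOW_END = date(2009, 1, 1), date(2009, 12, 31)

# Assumed latency buckets in days (inclusive); None = open-ended upper bound.
BUCKETS = [(0, 90), (91, 180), (181, 365), (366, None)]


def normalized_uat_cost(uat_budget, user_training_hours, loaded_labor_rate):
    """Slide 5 metric: security program UAT spend relative to the (usually
    unbudgeted) cost of the users' time, i.e. budget / (hours * loaded rate)."""
    return uat_budget / (user_training_hours * loaded_labor_rate)


def bucket_for(latency_days):
    """Label the latency bucket; None means no completed training on record."""
    if latency_days is None:
        return "never"
    for lo, hi in BUCKETS:
        if latency_days >= lo and (hi is None or latency_days <= hi):
            return f"{lo}-{hi}" if hi is not None else f">{lo - 1}"
    return "never"


def training_latency(user, on_date, completions=TRAINING_COMPLETIONS):
    """Days since the user's most recent completion on or before on_date, or None."""
    prior = [d for (u, d) in completions if u == user and d <= on_date]
    return (on_date - max(prior)).days if prior else None


def violation_latencies(completions=TRAINING_COMPLETIONS,
                        violations=POLICY_VIOLATIONS):
    """(user, latency-at-violation) for each recorded violation."""
    return [(u, training_latency(u, d, completions)) for u, d in violations]


def latency_violation_rates(completions=TRAINING_COMPLETIONS,
                            violations=POLICY_VIOLATIONS,
                            start=WINDOW_START, end=WINDOW_END):
    """Per bucket: (violations, user-days of exposure, violations per 1000 user-days).

    Exposure is accumulated day by day for every user seen in either record set,
    so untrained users count toward the "never" bucket rather than vanishing."""
    users = {u for u, _ in completions} | {u for u, _ in violations}
    exposure = defaultdict(int)
    day = start
    while day <= end:
        for u in users:
            exposure[bucket_for(training_latency(u, day, completions))] += 1
        day += timedelta(days=1)
    counts = defaultdict(int)
    for u, d in violations:
        if start <= d <= end:
            counts[bucket_for(training_latency(u, d, completions))] += 1
    return {b: (counts[b], exposure[b], round(1000 * counts[b] / exposure[b], 2))
            for b in exposure}


if __name__ == "__main__":
    print("normalized UAT cost ratio:", normalized_uat_cost(50_000, 2_000, 50))
    for bucket, (n, days, rate) in sorted(latency_violation_rates().items()):
        print(f"latency {bucket:>8}: {n} violations / {days} user-days = {rate}/1000")
```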
Slide 11: Conclusions
- Little accountability for UAT beyond compliance with regulatory mandates
  - Few, if any, performance metrics
  - Focus on cost
- Where there is no accountability, the optimal strategy is to reduce the absolute UAT expenditure
- UAT management requires new UAT performance metrics
  - Correlate UAT with specific security benefits
  - Lack of industry UAT performance benchmarks
  - Meaningful metrics determined by targeted maturity levels
More informationContents. Specialty Answering Service. All rights reserved.
[Type text] Contents 1 Introduction... 3 2 Service Metrics... 5 2.1 Accessibility Metrics... 5 2.1.1 Blockage... 5 2.1.2 Hours of Operation... 5 2.1.3 Abandoned Calls... 5 2.2 Speed of Service... 6 2.2.1
More informationSecurity Awareness Campaigns Deliver Major, Ongoing ROI
Security Awareness Campaigns Deliver Major, Ongoing ROI CONTENTS 01 01 02 04 05 06 Introduction The Challenge Immediate Value Evaluating effectiveness Ongoing value Conclusion INTRODUCTION By this point,
More informationSolving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense
Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan Information systems Security Association National Capital Chapter January 19, 2010 1 Topics Background
More informationMaximising the Effectiveness of Information Security Awareness
Maximising the Effectiveness of Information Security Awareness This thesis offers a fresh look at information security awareness using research from marketing and psychology. By Geordie Stewart and John
More informationUnit Specific Questions Administrative
Unit Specific Questions Administrative Name of individual completing this report: Charles D. Warner E-mail address of individual completing this report: cwarner@shawnee.edu Goals and Mission 1. How are
More informationHigh Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe
2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information
More informationSecond Annual Benchmark Study on Patient Privacy & Data Security
Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationCIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments
CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationA smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved
A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved Compliance 360 at a Glance Compliance, Risk and Audit Solutions
More informationThe Power of Risk, Compliance & Security Management in SAP S/4HANA
The Power of Risk, Compliance & Security Management in SAP S/4HANA OUR AGENDA Key Learnings Observations on Risk & Compliance Management Current State Current Challenges The SAP GRC and Security Solution
More informationHow To Improve Nasa'S Security
DECEMBER 5, 2011 AUDIT REPORT OFFICE OF AUDITS NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS OFFICE OF INSPECTOR GENERAL
More information