Information Security Awareness Program Proposal



Similar documents
TEL2813/IS2820 Security Management

Security Awareness & Securing the Human. By: Chandos J. Carrow, CISSP System Office - Information Security Officer Virginia Community College System

Nexed s Privacy Policy tells you what information we use, collect or disclose to third parties about our users.

Wright State University Information Security

Academic Unit Action Plan: SOCIAL WORK

INJURY AND ILLNESS PREVENTION PROGRAM. For SOLANO COMMUNITY COLLEGE DISTRICT

FEDERAL ELECTION COMMISSION OFFICE OF INSPECTOR GENERAL

Information Resources Security Guidelines

Request for Change in Delivery of Graduate Certificate

Privacy and Security Awareness, Education and Training Policy

Information Security Training & Awareness

Elmira City School District. Every Student Succeeds. Communication Plan Elmira City School District 951 Hoffman Street Elmira, NY

Texas System of Care Social Marketing Plan

College of Human Environmental Sciences Strategic Plan for

Information Security Awareness Training and Phishing

Strategic Plan, 2006 Department of Physics Texas Tech University. Department of Physics Mission Statement. Department of Physics Vision Statement

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

R345, Information Technology Resource Security 1

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

DOE CYBER SECURITY EBK: CORE COMPETENCY TRAINING REQUIREMENTS Key Cyber Security Role: Authorizing Official (AO)

Priority III: A National Cyberspace Security Awareness and Training Program

INFORMATION SECURITY AT THE HEALTH RESOURCES AND SERVICES ADMINISTRATION NEEDS IMPROVEMENT BECAUSE CONTROLS WERE NOT FULLY IMPLEMENTED AND MONITORED

Network Security Policy

Caldwell Community College and Technical Institute

OPP CITY SCHOOLS JOB DESCRIPTION. (1) Master s degree from an accredited educational institution.

933 COMPUTER NETWORK/SERVER SECURITY POLICY

D.C. OFFICE OF THE ATTORNEY GENERAL GOVERNMENT OF THE DISTRICT OF COLUMBIA POSITION VACANCY ANNOUNCEMENT

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Hotline and Case Management System Now that you have them, what do you do with them?

InItIatIves for IndustrIal Customers employee energy awareness PlannInG GuIde

Davis Applied Technology College Public Relations Policy and Procedures Approval Date: December 12, 2011

Policy Governing Computer Security and Resource Allocation

Standards and Criteria for Promotion and Tenure. School of Social Work and Human Service Social Work Department

WELCOME TO THE POLICE DEPARTMENT

Role of Awareness and Training for Successful InfoSec Security Program 1

Western Kentucky University, The Center. The Michael Minger Act Report for 2015 Activity Reported for Calendar Year 2014

APHIS INTERNET USE AND SECURITY POLICY

Strategic Plan University Libraries Virginia Tech

SBBC: JJ-002 FL: 28 THE SCHOOL BOARD OF BROWARD COUNTY, FLORIDA JOB DESCRIPTION. Approved School-based Administrators Salary Schedule

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

To specify the minimum Occupational Safety and Health (OSH) program requirements for safety and health training for National Park Service:

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

CITY OF MARQUETTE, MICHIGAN CITY COMMISSION POLICY

Internet Security Awareness Program in Georgia funded by ISOC Community Grants Programme

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Software Contract and Compliance Review

-A Scavenger Hunt for College Students

GENERATION SAFE 360 SELF ASSESSMENT: PRINTABLE VERSION. Page 1

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Meditech Patient Care System Clinical Documentation Nursing Student Pre Training Overview

Information Security Policy

STRATEGIC OBJECTIVES

STELLENBOSCH UNIVERSITY DEPARTMENT OF CIVIL ENGINEERING POST GRADUATE STUDIES AT THE CHAIR IN CONSTRUCTION ENGINEERING AND MANAGEMENT

Free Medical Billing. Insurance Payment Posting: The following instructions will help guide you through Insurance Payment Posting Procedures.

A Human Resource Capacity Tool for First Nations // planning for treaty

Caldwell Community College and Technical Institute

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Strategic Plan The College of Business Oregon State University. Strategic Plan. Approved June 2012 Updated June 2013 Updated June 2014

CREDIT CARD SECURITY POLICY PCI DSS 2.0

UA Student Security Awareness/Anti- Phishing Campaign

Specific observations and recommendations that were discussed with campus management are presented in detail below.

COMPUTER AND NETWORK USAGE POLICY

TITLE: Scripps Compliance Program

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY

Undergraduate Academic Assessment Plan

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

RPI Best Practice Standards

Marketing, Recruitment and Admissions. Marketing Strategy

POSTAL REGULATORY COMMISSION

>>> SOCIAL MEDIA MARKETING ROI CHEATSHEET 40 WAYS TO MEASURE YOUR SOCIAL MEDIA ROI. we inspire people to take action

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

TAKE IT TO THE NEXT LEVEL. College of Nursing. Graduate Studies. College of Nursing

Transcription:

Information Security Awareness Program Proposal Michael E. Whitman, Ph.D. Purpose The purpose of information security awareness is improving coherence of the need to protect information and system resources, and defining the user s role in the process. Making computer system users aware of their security responsibilities and disseminating correct practices can help user s change past behaviors. 1

Benefits There are two overriding benefits of awareness, namely: (1) improving employee compliance and (2) increasing the ability to hold employees accountable for their actions. One principal purpose of information security awareness is to reduce errors and omissions. However, it can also reduce fraud and unauthorized activity by increasing employees' knowledge of accountability and the penalties associated with such actions. Accountability Both the dissemination and the enforcement of policy are critical issues that are strengthened through awareness programs. Employees cannot be expected to follow policies and procedures of which they are unaware. 2

Awareness Awareness stimulates and motivates those being trained to care about security and to remind them of important security practices. Explaining what happens to an organization, its mission, customers, and employees if security fails motivates people to take security seriously. Awareness Awareness can take on different forms for particular audiences. Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. 3

Comparative Framework Awareness Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning out process (also known as acclimation). For this reason, awareness techniques should be creative and frequently changed. 4

Program Implementation Step 1: Identify Program Scope, Goals, and Objectives. Step 2: Identify Training Staff. Step 3: Identify Target Audiences. Step 4: Motivate Management and Employees. Step 5: Administer the Program. Step 6: Maintain the Program. Step 7: Evaluate the Program. Step 1: Identify Program Scope, Goals, and Objectives. Scope: Faculty, Staff and Students in offices, labs and public access ports. Goals: Increase the general level of security awareness. Reduce the incidences of computer fraud, waste and abuse. Create a more security savvy member of the organization s computing community. 5

Step 1: Identify Program Scope, Goals, and Objectives. Objectives: Design a detailed security awareness implementation plan. Create interesting security awareness materials using internal resources whenever possible. Provide variety and creativity in the program. Have program in place and functional within 6 months of approval. Step 2: Identify Training Staff. Primary administrator responsible for program is the Chief Information Security Officer. Assistance will be provided by key security faculty, University outreach training professionals, and select system administrators. Some assistance will be available on a temporary basis from students in Information Security coursework. 6

Step 3: Identify Target Audiences. There are three target audiences: Students Staff Faculty Within these three audiences there are two general categories of users: Managerial users those responsible for managing technology and users of technology. End users those using technology. Step 4: Motivate Management and Employees. This will be accomplished through a series of short presentations on the importance of security and the security awareness program. 7

Step 5: Administer the Program. The program will consist of three main efforts: Security awareness presentations. Security awareness columns in campus newsletters and other dedicated publications. Security awareness materials: Posters Videos CD-ROMs Promotional Materials Program Theme Be SAFE Think before you Click! Security Awareness For Everyone 8

Security Awareness Program Step 6: Maintain the Program. Maintenance will be provided through a joint effort between the CISO, faculty, and selected Information Security students. Step 7: Evaluate the Program. Evaluation of the program will be conducted on a semi-annual basis by the CISO. Costs How to Spend a Dollar on Security recommends that out of every security dollar you spend: 15 cents: Policy 40 cents: Awareness 10 cents: Risk Assessment 20 cents: Technology 15 cents: Process We feel it can be done for much less, for an estimated annual budget of approx $5,000. Many materials (posters, newsletters etc.) will be contributed by security personnel and students. by Patrick McBride (ComputerWorld November 9, 2000) 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information