Information Security Awareness


TASSCC Annual Conference 2008
Information Security Awareness - Beyond New Employee Orientation
William Tompkins, CISSP, CBCP
Teacher Retirement System of Texas
August 11, 2008

About the speaker
William Tompkins is Information Security Officer at Teacher Retirement System of Texas. He has more than 25 years of technical, managerial and consulting experience in information technology and more than 17 years in information security. He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional. He was the Manager of Texas Department of Transportation's Information Security Section and Project Manager of the Information Security Program, which was selected as Computer Security Program of the Year 1994 by CSI (Computer Security Institute). William was elected to the ISSA (Information Systems Security Association) Hall of Fame in 2006 by the ISSA International Board of Directors. Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama and a Certification in Risk Management from the University of Texas at Austin Division of Continuing Education.

Session objectives
By the end of this session you will be able to identify how to:
- Ensure employees are really aware of security policies and their responsibilities
- Build and/or maintain a security awareness program that stays effective through the whole life of the employee
Goal: a comprehensive, effective security awareness program

Information Security Awareness Program goal
To make people understand the value of the information they handle and the need to protect it.

Information Security Awareness
Providing awareness leads to understanding, understanding leads to a change in attitude, and a change in attitude leads to a change in behavior.

Management may ask: why implement a security awareness campaign?
- To communicate policy to the user community and encourage compliance
- To mitigate the security-versus-usability trade-off
- To defend against the social engineering components of threats
- Because user awareness enhances the overall security profile

Employees ask: why have awareness education?
- To increase awareness of information security practices
- To provide a better understanding of information security

The good news: computer users want to learn more about how to protect themselves and their computers.

Know your audience
- Executives and senior managers/directors
- Business unit managers and team leaders
- Regular staff, temporary hires and contractors

Types of message
- NEO (New Employee Orientation)
- Business unit specific
- Recurring
- Hot topics: home user, recent events (organization impact; IT industry impact)
- Posters
- Walkthrough (report to executives and reward users)
- Inform users of InfoSec activities

NEO (New Employee Orientation): best practices = good habits
Examples:
- Protect access to your electronic accounts
- Avoid computer malware
- Perform routine backup procedures
- Know the policy

Employees ask: why is security needed?
Manage risk:
- Sensitive information
- Financial loss
- Loss of credibility
- Failure to produce reliable information
- Legal liability
Compliance requirements:
- Law
- Policy

Laws and policies
- Industry standards
- Government regulations
- Organization policy

Information security responsibilities
The IT department holds dotted-line security responsibilities for:
- Network, database, storage and backup
- Printers and print distribution
- Logging and monitoring
- Secure programming

Sell security day-to-day
To be effective, use marketing concepts:
- Advertising
- Branding

Advertising
Convert your security policies into three to five concepts and taglines that can be reinforced on a continual basis in a variety of media.

Sample taglines
- "Once words have left your mouth, you can never take them back! Protect TRS member information."
- "You can't unring a bell or squeeze toothpaste back into the tube. And you can't untalk about Protected Health Information."

Create a brand
Once you have your brand, think about how to communicate your three to five concepts.

Sample concepts
- Protect printouts and access to them
- Copies: made by whom?
- Emailing: to whom?
- Active distribution of data to the proper recipients
- Appropriate attachments

How to reinforce the message
- Prizes: gift certificates or a thank-you letter from the CEO
- Surveys: annually, with users helping to develop them
- Reminders: chalkboard and TRS-News
- Posters
- Recurring emails and intranet highlights

Perform ongoing assessment
- Don't wait for your next audit
- Test it yourself, or work with a vendor
- Continual testing
- Ongoing feedback and revision loops
Assessment is key to identifying what works and what doesn't.

Summary
- Security information has value, both personally and professionally
- Security policies exist for business-driven reasons and they are enforced for everyone
- Security solutions can impact usability; communicate before solutions are implemented
- Security awareness is a long-term process

Questions?
Thank you.
William A. Tompkins, (512) 542-6787, William.Tompkins@trs.state.tx.us

Assessment
COBIT doesn't have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:
- PO6 Communicate management aims and direction
- PO7 Manage IT human resources
- DS5 Ensure systems security
- DS7 Educate and train users

Assessment
The COBIT maturity model for training (DS7, Educate and Train Users) specifies the following requirements for each of its six maturity levels (0 through 5):

COBIT DS7 Educate and Train Users: maturity levels and requirements
- Level 0, Non-Existent: There is a complete lack of any training and education program.
- Level 1, Initial/Ad Hoc: Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.
- Level 2, Repeatable but Intuitive: Informal training and education classes are taught... Some of the classes address the issues of ethical conduct and system security awareness and practices.
- Level 3, Defined Process: Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored...
- Level 4, Managed and Measurable: All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance...
- Level 5, Optimized: Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. There is a positive attitude with respect to ethical conduct and system security principles.