Part 1 : STRATEGIC : Why DO we care? What is YOUR critical message? And WHO do you need to reach? I'll try to give you some pointers and ideas for where to look and how to figure that out for your constituents and your institution.

Part 2 : TACTICAL : WHO delivers the message; HOW : effective methods for outreach, delivery, and determining effectiveness; WHAT : some of the essential awareness topics to consider.

But let's begin with WHY : Why are we doing this?
Why are we COMPELLED to provide Security Awareness training? WHAT is our MOTIVATION? If you distill the reasons down to their core components, it is clear, it is primal.
It is not hunger (although cookies can be a persuasive motivator): it is FEAR. Fear comes in many forms, it affects people differently, and it causes people to respond. It is a spectacularly effective motivator (as history perpetually proves).

So : what are your Info Security fears? Your boss's, your students', or your friends' fears? Or your Uncle Bob : what are his fears?
Think strategic level : C-Levels have big-picture fears:

Compliance with : governance policies, laws and regulations.

Control : Information is POWER! Actually, the FLOW of information is power, and that is what you need to control across the full InfoSec CIA spectrum : Confidentiality, Integrity, and Availability of the information flow, as it shapes perception and reputation.

So, our awareness goals should address these fears, and utilize these fears!
What DO users fear? How are staff fears different from student fears? And what do faculty fear? When I ask this question, frequently the answer is : fear of being electronically violated : computer compromised, information stolen. If you find out their fears, and your awareness program addresses them, people will come and they will listen!
What do YOU fear? I fear failure, or the consequences to others if I fail. OK, let's just say that LOTS of things scare me.
Use FEAR, but use it WISELY! This is a classic personal safety training concept : convert their fears into situational awareness, and then give them the tools to respond when crap happens. THAT is what your Awareness Program should strive to do!
In the past, my experience with Info Sec awareness education and training has been both REACTIONARY and AD HOC. That's not bad; it is always good to take advantage of adversity. But it has NOT been comprehensively planned and well designed to meet the STRATEGIC info security needs of the institution and of our constituents.

SO : What are our institutional needs? ARE our efforts meeting those needs? Or the needs of our constituents?

And the harder question : How do we know if they are? Are there metrics or methods for assessing the effectiveness of our Awareness Education and Training efforts?
I invite you to make the conscious effort to look at your "Security Awareness Program" in the broader context of the overall security needs and security profile of the institution, so that your efforts and your program most effectively align with those critical needs.

One way to do this : Look at your Comprehensive Written Information Security Program. You have one, right? (Hope it's not like my old one : write once, read never.) Lots of legal and regulatory mandates require one, so put it to use! Your Awareness and Training program should be supporting this overarching goal.
Take your control structure, and look at each domain group. Note : regardless of what security control solutions you implement here, be it firewall rules, a change management process, access control settings, door locks, heat sensors, security cameras, phish mail blocks, vulnerability scan alerts, you name it, in the end there is a HUMAN involved in managing, maintaining, or monitoring those controls.

SO, again : WHY are we doing this?
Because PEOPLE are the weakest link in any security environment. When you look at the security walls we create with our breadth of controls and barriers, what is the universal solvent to ALL of these security control walls and barriers? It's HUMANS!
NB: the distinction between AWARENESS education and TRAINING : ultimately, the goal of both is changing human behavior.

Awareness : bring issues to people that they ought to know, or that would benefit them to know, but there is no imperative that they know it; e.g., if a student's hard drive crashes, it would be good if they knew to make a backup beforehand.

Training : provides knowledge that we require people to know and abide by, such as policy compliance or safe classified data handling. There may be externally imposed consequences for failure to abide, and there should be in place a means to verify that users have understood the training material. This could be as simple as an AUP click-through, up to requiring that an employee become certified for specific training and knowledge.

Awareness initiatives can be both relatively easy and high profile, whereas actual training will be harder to implement, harder to execute and verify, and more resource intensive. But, while awareness efforts might seem like they are a high priority, from an institutional risk perspective you may need to focus on those areas where actual training is required.

NB : Business process integration of Info Sec into other projects : I'm seeing an increase in this, as people become more familiar with both the need and my availability and expertise.
Or, coming down to ground level from 30,000 feet. Two approaches I am currently working on are :

(1) Using the security framework sub-domains, extracting awareness and training topics and mapping them to key constituency groups. (A) Target awareness education and training at the domains where the risk profile is highest, or where you'll get the most risk mitigation benefit for your efforts.

(2) Compiling a comprehensive list of policy and regulatory compliance mandates, and again extracting awareness and training topics and mapping them to key constituency groups.

My goal : let constituents take ownership of Information Security issues and solutions on their own initiative, and become active security practitioners.
Randall Munroe's unique perspective on the weakest link.
For this part of the day : provide some review of the day's presentations, and perhaps a few additional bits to get your thoughts and questions ready for the panel discussion. I was told I should "pull everyone and everything back together." So, everyone, please pull yourselves and your notes from the day together while I distract you with a few more slides.
IT Staff : includes User Support Services / Help Desk, academic support staff, and yes, even occasionally, technical staff, including the SNS admins from the dark dungeons of the data center.

Departmental staff : target technophile department liaisons, keep them engaged, feed them the Kool-Aid.

Student workers & student groups : they've got energy, and they hear what's going on in that large target community.

Commiserating peers from surrounding institutions : form a security group.

Senior staff : if you can get their public buy-in, you are GOLDEN.
Just a few slides on some common Awareness hot topics :
A dynamic domain, as the variety and number of networkable devices grows.

END POINT SECURITY : BEST PRACTICES

Secure communications.

Client protection : OS and software updates and security patches; AV, malware, spyware, ransomware, etc. protection.

Data protection : local encryption; regular backups to multiple repositories.

Device protection : keep it secure or keep it with you; access code locks.
Your password, to quote Gandalf in The Fellowship of the Ring : Is it secret? Is it safe?
A few of the more common outlet categories for your panel discussion thoughts.
Don't forget, AWARENESS IS GOOD FOR EVERYONE, not just your institution!

Possible canned speech topics :
ITSec in one sentence?
Client security in a nutshell
Safe web best practices in a nutshell
Top three IS issues

By "Tutorial" I mean a short, single-topic, catchy information blast.
You should explore ways to measure the EFFECTIVENESS of your educational and training efforts.

NB: The last bullet item could be either from successful C-Level awareness proselytizing or from money laundering, so just watch out for that.

Possible training and awareness resources :
EDUCAUSE training materials
SANS training resources
lynda.com
Other .edu training options that can be obtained
LMS (Bb, Moodle, other) training course(s) : esp. for new hires