Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User



Similar documents
Introducing... FedVTE and FedCTE

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

2.0 ROLES AND RESPONSIBILITIES

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Department of Homeland Security Federal Government Offerings, Products, and Services

NASA OFFICE OF INSPECTOR GENERAL

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Role-Based Security Training

Dr. Anton Security Warrior Consulting

National Initiative for Cybersecurity Education

Written Testimony. Mark Kneidinger. Director, Federal Network Resilience. Office of Cybersecurity and Communications

National Cyber Security Awareness Month. Week Two: Creating a Culture of Cybersecurity at Work

Information Systems Security Line of Business (ISS LoB)

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Cybersecurity Framework: Current Status and Next Steps

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Cybersecurity in the States 2012: Priorities, Issues and Trends

National Initiative for Cyber Security Education

Understanding the Federal IT Security Professional (FITSP) Certification

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Professional Services Overview

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

Small Business. Leveraging SBA IT resources to support America s small businesses

In Brief. Smithsonian Institution Office of the Inspector General

How To Improve Nasa'S Security

EC-Council. Certified Ethical Hacker. Program Brochure

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Developing National Frameworks & Engaging the Private Sector

NASCIO 2014 State IT Recognition Awards

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS

Cybersecurity The role of Internal Audit

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

North Texas ISSA CISO Roundtable

The Intersection of Internal Controls and Cyber Security

The DS Information Assurance and Cybersecurity Role-Based Training Program. Diplomatic Security Training Center (DSTC) Dunn Loring, VA

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

How To Protect Your State From Cybercrime

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

State of South Carolina Initial Security Assessment

IT Security Handbook. Security Awareness and Training

Threats to Local Governments and What You Can Do to Mitigate the Risks

Portal Storm: A Cyber/Business Continuity Exercise. Cyber Security Initiatives

Enterprise Service Management (ESM)

Updating U.S. Federal Cybersecurity Policy and Guidance

Role of Awareness and Training for Successful InfoSec Security Program 1

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

NIST Cyber Security Activities

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA Office: Fax:

CForum: A Community Driven Solution to Cybersecurity Challenges

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

Hosted by Lunarline: School of Cyber Security

Agency for State Technology

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Patent Public Advisory Committee Quarterly Meeting Patent Quality

NIST Cloud Computing Program Activities

Report on CAP Cybersecurity November 5, 2015

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

The NIST Cybersecurity Framework Encouraging NIST Adoption Via Cost/Benefit Analysis

GEARS Cyber-Security Services

Cyber Security Management

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Building Security In:

How To Improve Federal Network Security

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

Table of Contents CYBER SECURITY STRATEGIC PLAN VERSION 1.0

Italy. EY s Global Information Security Survey 2013

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

California Counties Information Security Programs A look into the progress and future plans across counties

National Institute of Standards and Technology Smart Grid Cybersecurity

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

National Cyber Security Policy -2013

National Railroad Passenger Corp. (AMTRAK) Session 1 Threats and Constraints. Continuous. - Continuous Monitoring. - Continuous Assessment

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

States at Risk: Cyber Threat Sophistication, Inadequate Budget and Talent

2014 Audit of the Board s Information Security Program

Transcription:

Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User Valarie Burks Deputy Chief Information Officer, IT Security Division National Aeronautics and Space Administration (NASA)

Agenda From the C-Suite to the End-User The Security Education Mission NASA IT Security Awareness Campaign» Overview» Goals The 2013 Awareness Campaign» Leadership Projects» Role-Based Projects» General User Projects 2013 Campaign Results 2013 Campaign Return On Investment» Road Show» Cyber Security Expo» Training IREC Survey Results The Road Forward» Challenges» Planned Actions 1

From the C-Suite to the End-User IT security professionals alone cannot provide the needed impact on the organization s security posture it is an ALL HANDS effort coordinated by the OCIO Engage Senior leadership fully:» Informed of issues, challenges and compliance status» Influence decisions and messaging Support continuing education of the security experts:» Outreach to promulgate policy changes» Targeted training focused on current challenges Engage the workforce in day-to-day security:» Enhance understanding of personal role in cyber security» Open communication to support cyber security collaboration OCIO Cyber Security Program 2

The Security Education Mission Enhance security through improved awareness» Of issues and challenges» Of the impact to the organization mission» Of the impact to each user s job Cyber Security training must make the connections among:» Senior leadership business / mission imperatives» OCIO policies / procedures» End-User job facilitation Cyber Security training, education and awareness programs must engage all levels and facets of the organization Knowledge Drives Security 3

Regulatory Policy & Guidance 4

NASA IT Security Awareness Campaign Overview Improved communication and coordination on IT Security matters with Senior leadership, Center CIOs and CISOs, Mission Program directors and End-users Complements, not replaces the IT security training program» Required periodic training typically seen as a check in the box» Awareness campaign leverages major themes of required training and makes them real to employees Driving Security through Knowledge requires recognition that:» Leadership must be engaged» IT security must be personal to users» Training and education efforts must be in synch with leadership messaging 5

NASA IT Security Awareness Campaign Goals Engage and update business, mission, and IT leadership in federal compliance progress and challenges Improve collaboration across the Agency IT security professional community Communicate information security issues and challenges to the user community at-large Enhance targeted, role-based training for IT and IT security professionals Provide expanded Cyber Security awareness training to the End-User community as a whole 6

The 2013 Awareness Campaign Leadership Projects Senior Leadership Briefings Update on annual training/awareness program» Progress on compliance and strategic plan FISMA Awareness Briefings» FISMA compliance status» Leadership concerns with IT security impacts Cyber Security Summit» Full day of workshops / panel sessions on transformation of IT / IT security» Specialized training and continuing education credit per NIST SP 800-16 Cyber Security Tips» Agency CIO delivers cyber security tip to senior staff attending weekly staff meeting with Administrator 7

The 2013 Awareness Campaign Role-Based Projects Semi-annual IT Security Advisory Board Face-to-Face» Issues / challenges update and discussion» Focus group meetings for ongoing projects IT Security Awareness WebEx» Quarterly updates on federal and Agency policies, procedures, and issues for personnel with significant security responsibilities» Semi-annual focused training addressing current IT security challenges Cyber Security Training & Certifications» 3-5 day training classes on current relevant topics such as: Encryption, Privacy, Social Engineering, Cloud Computing» Certification training to meet requirements for role-based training such as: CISSP, SCNP, GSEC, ITIL, CEH, MCSE, CCNA, Security+ 8

The 2013 Awareness Campaign General User Projects Annual Cyber Security Expo» Events coordinated with National Cyber Security Awareness Month» IT Security subject matter expert speakers available via webinars Cyber Security Road Shows» Live, interactive training sessions on current, relevant topics» Updates on Agency IT security policies and procedures Cyber Security Electronic Communication» Tweets of Weekly Cyber Security Tips» Email broadcasts of cyber security issues and training module links» Distribution of a monthly IT Security Newsletter Cyber Security Informational Brochure» Concise description of IT security programs and tools» Listing of NASA directives on IT security policy / procedure» Updated annually; distributed electronically and via hard copy 9

2013 Campaign Results OCIO IT Security Division better integrated into HQ functions and activities» Weekly Cyber Security Tips now anticipated by Senior Leadership» Security being consulted as IT and IT-related projects are developed» Active seat at the table with CTO and Enterprise Architecture More widespread interest in enterprise awareness programs» IT security staff and end-user input aimed at improved completion and tracking of required training» Increased coordination among Centers making previous local training more widely available across the Agency Improved communication among IT Security professional community has decreased time to implement new or updated enterprise policy / procedure 10

2013 Campaign Return On Investment Cyber Security Expo Excellent participation in Cyber Security Expo across the Agency» Coordinated with the DHS National Cyber Security Awareness Month» Hundreds of employees attend activities sponsored at each our Centers throughout the month Feedback provided is helping to improve outreach programs Training was incorporated to help achieve annual training goals 11

2013 Campaign Return On Investment Training Training completion statistics on the upswing» 40.1% of employees completed Annual Awareness Training in the First 4 months of FY13 compared To 31.5% in the same period of FY12 External training sources leveraged:» FISMA/NIST 3-day certification training» SANS training for technical certifications» Federal Cybersecurity Training Events (FedCTE) Program offerings such as Continuous Monitoring/Network Monitoring Applied the NICE IT Workforce Assessment for Cybersecurity» Assisted in determining IT Security training requirements across the NASA IT workforce 12

IREC Survey Results Areas Identified for Improvement (Based on User responses & prioritized according to IREC Improvement Opportunity Scores) Present communication & training clearly and logically Focus training on information security policies & procedures Ensure that communication & training is relevant to users day-to-day work Ensure that communication & training defines actions to improve security Ensure that training is interesting Knowledge Drives Security 13

The Road Forward Challenges Keep the message fresh, interesting, & relevant» Ensure leadership messaging and Cybersecurity training and awareness program remain consistent» Ensure communications are timely and aligned with current issues Assessing the impact on Users» Enable the mission within a secure IT environment» Communicate, communicate, communicate! Innovative methods» Incorporate wargaming and exercises» Leverage real world events and incidents Leverage NICE more fully» Continue to improve partnership with DHS» Ensure cybersecurity skills remain aligned with government and industry best practices 14

The Road Forward Planned Actions Complete and analyze updated IREC survey Incorporate enhanced social engineering training in Road Shows» Regularly scheduled penetration testing includes phishing attack scenario» Leverage results of those scenarios to show: this is what happened to you! Leverage lessons learned from other Federal organizations gaming and exercises to enhance our training & awareness activities Develop FY2014 Outreach Campaign Plan» Continue implementing innovative training, messaging, & delivery» Leverage results of NICE/DHS workforce survey» Incorporate recommendations from new IREC survey» Address challenges and vulnerabilities identified by Security Operations Bring the message home to the user! Keep the message fresh communicate always! 15

Questions? Valarie Burks NASA Deputy CIO, Information Technology Security Division valarie.j.burks@nasa.gov 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information