Security Awareness & Training. Steve Kruse, Impruve Bill Pankey, The Tunitas Group



Similar documents
Study of Security Awareness Training

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

SECURITY RISK MANAGEMENT

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Control Design & Implementation Week #5 CRISC Exam Prep ~ Domain #4. Bill Pankey Tunitas Group. Job Practice

The Impact of HIPAA and HITECH

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

CFPB Readiness Series: Compliant Vendor Management Overview

Achieving ITSM Excellence Through Availability Management

Closed Loop Provisioning via IDM / ITSM Integration

Ed McMurray, CISA, CISSP, CTGA CoNetrix

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

CLASSIFICATION SPECIFICATION FORM

ITIL Foundation for IT Service Management 2011 Edition

Domain 1 The Process of Auditing Information Systems

Dr. Anton Security Warrior Consulting

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

A CPA recounts exponential growth in Compliance. Mary Ellen McLaughlin

Building the business case for ITAM

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Cybersecurity: What CFO s Need to Know

Penetration Testing Is A Bad Idea. Anton Aylward, CISSP, CISA System Integrity

Aberdeen City Council IT Security (Network and perimeter)

ITIL. Lifecycle. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

Which statement about Emergency Change Advisory Board (ECAB) is CORRECT?

Enterprise Management Solutions Protection Profiles

Big Data, Big Risk, Big Rewards. Hussein Syed

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

Attachment 7 Requirements Traceability Matrix (RTM) ATMS RFP. New York State Department of Transportation Advanced Traffic Management System

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Achieving Governance, Risk and Compliance Requirements with HISP Certification Course

Appendix A-2 Generic Job Titles for respective categories

Why Test ITSM Applications for Performance? Webinar

ISMS Implementation Guide

Project Governance Concepts Issues and Constraints. Dick Patterson

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Charles Betz Enterprise Architect & Author

The Enterprise Project Management Office

Guidance for the Development of a Models-Based Solvency Framework for Canadian Life Insurance Companies

Role of Awareness and Training for Successful InfoSec Security Program 1

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

HP and netforensics Security Information Management solutions. Business blueprint

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Governance Simplified

Chief Information Officer

Information Security Awareness Training

IT Governance: The benefits of an Information Security Management System

HKITPC Competency Definition

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

New Privacy Laws Impacting the Health Care Work Place

The Future of Cybersecurity Education

Enterprise Service Management (ESM)

NGITS ITSM STRATEGY JAYASHREE RAGHURAMAN SHIVA CHANDRASHEKHER VIKAS SOLANKI

MIS Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

The Value of Vulnerability Management*

JOB DESCRIPTION CONTRACTUAL POSITION

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

HIPAA Compliance Review Analysis and Summary of Results

SCAC Annual Conference. Cybersecurity Demystified

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Certified Disaster Recovery Engineer

Governance, Risk, and Compliance (GRC) White Paper

What Directors need to know about Cybersecurity?

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document

Secure360. Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services

Security Controls What Works. Southside Virginia Community College: Security Awareness

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Best Practices for PC Lockdown and Control Policies. By Dwain Kinghorn

Transcription:

Security Awareness & Training Steve Kruse, Impruve Bill Pankey, The Tunitas Group

Background Bill Pankey has been involved with information security issues for the past 12 years as a developer, architect, engineer, auditor and consultant. He is a Partner in the Tunitas Group, a healthcare-specific IT management consulting firm. He is a CISSP, CISA. Steve Kruse has been involved with information security since 1989. He has worked for security vendors and the last six years in consulting. He is a CISSP, CISA

Presenter(s) Bias(es) Bill believes the information security awareness discipline is primarily a marketing function and should be evaluated as such Steve believes people should be part of the solution, not part of the problem (similar to a quality initiative) Both believe risk issues lie beyond IT domains

A Paradox? Conventional wisdom: Non-malicious errors of the enterprise workforce (insiders) are responsible for as much as 80% of security breaches Persistent view that has changed little over time Fact: 70% of companies spend less than 2% (48% < 1%) of security budget on activities that would increase the level of care on the part of ordinary users (2007 CSI computer crime survey)

2 Approaches to Resolution Engineer around end users Implement MAC and other constraints that limit the ability of end users to make infosec errors Wrong side of the curve? Current business requirements is often to provide more information and more discretion to business users. Train end users to be part of infosec solution Requires maturity in training management Process goals, performance indicators and metrics

NIST 800-16/800-50 800-16 Information Security Training Requirements a Role and Performance-Based Model revised March 20, 2009 (draft) Emphasis on role-based training but topic-centric (as opposed to scenario based) and high level: make sure material is appropriate for the audience 800-50 Building an Information Technology Security Awareness and Training Program more measures on delivering contents instead of content/program effectiveness. 800-50 is scheduled for revision in 2009

Are today s metrics misdirected? Most UAT metrics are measures of compliance that focus on the delivery of training rather than training effectiveness % of staff not at optimal training level? (ITSM) % of staff completing security awareness training? Refresher training per policy? (Jacquith) % of employees in security roles receiving specialized security training (NIST 800-50) Often support a training program designed to be proforma regulatory or other external requirement for security awareness training; (e.g. HIPAA, FFIEC, PCI)

Do these metrics obscure the security objective? Implicitly assume the effectiveness of training Relevance, credibility, appropriateness Anticipate change in end-user behavior Why would we expect end-users to behave differently? What do we base that on? Currently these measures are primarily cost metrics reflecting the scale of resource (end user time) consumption

On Going Survey Online Survey of security awareness training management practices Seek to identify best practices re: Management responsibilities Selection of security objectives Content Measures of effectiveness http://tinyurl.com/djdnlo

Questions 6. Has the Organization realized the expected benefits of the awareness program? No 60% Yes 40% 7. Who determines effectiveness of awareness? CSO/CISO 40% Director of Information Security 20% No one 40% 8. Would you expect increased benefits with further increase in security awareness training? Proportionate to time spent 60% Little or none 40% 53. The company s ordinary users can be and are relied upon to report threats to information security as they recognize them? No 60% Yes 40%

Survey Findings Little to no metrics for UAT effectiveness Simplistic training model based on the entire community instead of role-based Training time for end users is not recognized in financial terms (5,000 end users spent 1 hour/year on class @ $50/hr = $250,000 yet, Respondents are generally satisfied with their UAT program!?

User Awareness Maturity UAT metrics should be calibrated to security program s user maturity model and expectations blissfully unaware consciously incompetent compliant risk aware competent and practiced Different goals and performance indicators at different maturity targets

Maturity Model Blissfully unaware Little recognition or acceptance of most information security threats At this level, prevalent view is that information security is a property of IT systems and largely a matter of architecture and configuration Consciously incompetent Some recognition that there is a information security threat, but: Poor risk assessment skill and intuition Uncertain of action needed to protect company information assets will do nothing rather than create further harm Compliant Aware of risks identified in company policy Will take action identified in company security policy Risk aware Considers information security risk in performance of company duties, but Unsure of appropriate action; sometime will report incidents Competent & Practiced Takes appropriate action within scope of role; otherwise reports incidents

Alternative Approach to UAT Metrics Identify specific security objective of training E.g., avoid inappropriate disclosures verify fax numbers before sending document Track incidents related to security objective # of documents inappropriately faxed Correlate incidents with training (content and individual level) # of incidents related to training objectives # of incidents where individual deviated from training guidance

PDCA Appropriate metrics allow for management of the security objectives of UAT Determine the effectiveness of Content Delivery Frequency and Timing Current UAT is typically guided by instructional theory If that were enough the paradox would not persist

Scenario You walk past an unlocked car in the parking lot, you notice a company laptop in the car. You should: a)lock the car b)take the laptop into the company and give to the receptionist c)take the laptop and give to the help desk d)notify the facilities manager

Call to Action Looking for data to dispute assumptions Some companies devoting > 5% of budget on UAT, are they willing to be interviewed? Evidence that the greater investments brings measurable results? Other parameters we should be tracking/measuring?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information