understanding the risk management framework & (isc)2 cap module 14: security awareness &...
Post on 09-Feb-2017
97 Views
Preview:
TRANSCRIPT
Presenter
Presentation Notes
© 2016 Maze & Associates Revision 10 (April 2016) Images from Microsoft Clipart unless otherwise noted, Other Sources: NIST and Donald E. Hester Picture: Muir Beach, North of San Francisco, CA, Photo by Donald E. Hester all rights reserved
Categorize
Select
Implement
Assess
Authorize
Monitor
Presenter
Presentation Notes
Beyond The Six Steps in the RMF
Presenter
Presentation Notes
Security Awareness & Training Picture: Mt. Rushmore, SD; Photo by Donald E. Hester all rights reserved
Presenter
Presentation Notes
What is Security Awareness? Awareness is not training The purpose of awareness presentations is simply to focus attention on security Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly Security awareness efforts are designed to change behavior or reinforce good security practices
Presenter
Presentation Notes
How does Training differ from Awareness In awareness activities, the learner is the recipient of information the learner in a training environment has a more active role Awareness relies on reaching broad audiences with attractive packaging techniques Training is more formal, having a goal of building knowledge and skills
Presenter
Presentation Notes
The IT Security Learning Continuum Source: NIST SP 800-50 Building an IT Security Awareness and Training Program
Presenter
Presentation Notes
Cycle of Security Training Awareness Program Establish a policy Assign responsibility (CIO, Director) Needs assessment Develop Awareness and Training Materials Implementation of the program Update and monitor program
Presenter
Presentation Notes
Program Source: NIST SP 800-50 Building an IT Security Awareness and Training Program
Presenter
Presentation Notes
Needs Assessment What awareness, training and/or education are needed? What is currently being done to meet these needs? How well is it working? Which needs are most critical? NIST SP 800-50 has a Sample Needs Assessment and Questionnarie
Presenter
Presentation Notes
Needs Assessment Source: NIST SP 800-50 Building an IT Security Awareness and Training Program
Presenter
Presentation Notes
Establish Priorities Availability of Material/Resources In house or outsourced Role and Organizational Impact How will this help people do their job How will this help us reach our overall goals State of Current Compliance How informed are staff and students about security and privacy practices Critical Project Dependencies Funding
Presenter
Presentation Notes
Materials “What behavior do we want to reinforce?” (awareness) “What skill or skills do we want the audience to learn and apply?” (training) Watch out for the “we’re here because we have to be here” attitude An awareness and training program can be effective, if the material is interesting and current
Presenter
Presentation Notes
Practice One way to get users involved and invested in the training is to make the training cover topics they are interested in For example a class on “Facebook” or “MySpace” Users are interested in what they are interested in, use it to your advantage
Presenter
Presentation Notes
Possible Topics Password usage and management Unknown e-mail attachments Policy Personal use and gain issues System and application patching Personal systems at work Web usage Data backup and storage Social engineering Inventory and property transfer Portable device issues Laptop security Physical security Software licensing Use acknowledgements
Presenter
Presentation Notes
Campaign Use marketing skills Get end users involved Awards or gift cards Branding Use Social Media Use Posters Use Email reminders Leverage Safety Awareness Mascots Alerts Images from FTC
Use real life examples of incidents
Use incidents as an opportunity to teach “what not to do”
The news has stories everyday you can use
The best stories are often those “closest to home”
Presenter
Presentation Notes
Use multiple vectors Website notices RSS Feeds Posters Emails Announcements Logon banners Seminars and classes Games and contests Awards Use real life examples of incidents Use incidents as an opportunity to teach “what not to do” The news has stories everyday you can use The best stories are often those “closest to home”
Presenter
Presentation Notes
Initial User Training Upon hire and annually thereafter Must complete before access is granted Serves as notification (legal) What do they need to know to do their job A basic IT security course – often online
However it serves at the least as a subconscious reminder
Some people question the usefulness of these warnings
Presenter
Presentation Notes
Reminders However it serves at the least as a subconscious reminder Some people question the usefulness of these warnings http://blogs.technet.com/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx
Presenter
Presentation Notes
NIST Posters Source: NIST
Presenter
Presentation Notes
Maintenance of the Program Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.” Source: NIST SP 800-50 Building an IT Security Awareness and Training Program
Presenter
Presentation Notes
Input for Updates Source: NIST SP 800-50 Building an IT Security Awareness and Training Program
Presenter
Presentation Notes
Maintain the Program Frequency that each target audience should be exposed to material Documentation, feedback, and evidence of learning for each aspect of the program Evaluation and update of material for each aspect of the program Is this working???
Presenter
Presentation Notes
Goal of Training Training is separate from awareness but there overlapping areas The goal of training is to produce relevant and needed skills and competencies It is crucial that the needs assessment identify those individuals with significant IT security responsibilities, assess their functions, and identify their training needs
Presenter
Presentation Notes
Training Training plan should identify an audience, or several audiences, that should receive training tailored to address their IT security responsibilities Each user may need specific training for their job Network admins may need Windows or Cisco security training Admissions may need special training for handling student records
Presenter
Presentation Notes
Example of Training This course falls under training Focus on job roll skills and competencies Specifically tailored Designed to help with job function Online delivery Live instructor and recorded archive http://iase.disa.mil/eta/diacap/index.htm
http://iase.disa.mil/Pages/index.aspx
Presenter
Presentation Notes
KPI (Key Performance Indicators) Sufficient funding to implement the agreed-upon strategy Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items Executive/senior level messages to staff regarding security Use of metrics (e.g., to indicate a decline in security incidents or violations) Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file Level of attendance at mandatory security forums/briefings Recognition of security contributions (e.g., awards, contests) Motivation demonstrated by those playing key roles in managing/coordinating the security program
Control # Control NameAT-1 Security Awareness and Training Policy and ProceduresAT-2 Security Awareness TrainingAT-3 Role-Based Security TrainingAT-4 Security Training RecordsAT-5 Withdrawn
Presenter
Presentation Notes
NIST SP 800-53 Rev 4 Controls AT-1 Security Awareness and Training Policy and Procedures AT-2 Security Awareness Training AT-3 Role-Based Security Training AT-4 Security Training Records AT-5 Withdrawn
Presenter
Presentation Notes
Resources NIST SP 800-50, Building an Information Technology Security Awareness and Training Program SP 800-16 Rev 1, DRAFT Information Security Training Requirements: A Role- and Performance-Based Model Consider Partnerships Other departments or agencies have the same needs – work together Books Managing an Information Security and Privacy Awareness and Training Program ISBN 978-1439815458 Standards and Guidance NIST SP 800-50 Building an IT Security Awareness and Training Program Posters Monthly subscriptions http://www.securityawareness.com/postersub.htm New York http://www.cscic.state.ny.us/cscorner/events/2008/index.cfm Social Media Example http://www.facebook.com/LearnSec
top related