
Post on 17-Jan-2016


Security Awareness – Essential Part of Security Management

Ilze Murane


Agenda

– Security management
– Security awareness in organization
– Security awareness for home user
– Questions for discussion


ISF Standard

Information Security Forum
The Standard of Good Practice for Information Security
http://www.isfsecuritystandard.com


Security Management I

Management commitment
Security policy
Security organization
– Information security function
– Security awareness
– Security classification
– Ownership
– Information risk analysis


Security Management II

Secure environment
– Security architecture
– Information privacy
– Physical protection
– Business continuity
– Use of cryptography
– Remote working


Security Management III

Malicious attack
– Virus protection
– Intrusion detection
– Forensic investigations
– Patch management

Management review
– Security audit/review
– Security monitoring


Security Awareness

Information security awareness is the degree to which every member of staff understands the importance of information security, their individual security responsibilities

…and acts accordingly


Security Awareness in organization

Principle
– Specific activities should be undertaken, such as a security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the enterprise

Objective
– To ensure all relevant individuals understand the key elements of information security and why it is needed, and understand their personal information security responsibilities


IT security lessons: example I

Passwords
– Do not share passwords
– Use ‘strong’ passwords
– Don’t write passwords down


IT security lessons: example II

Viruses
– Beware of viruses, particularly in e-mail attachments
– Ensure that anti-virus software is installed and updated


IT security lessons: example III

E-mail and Internet use
– Don’t send sensitive information over the Internet
– Don’t publish your e-mail address on the Internet
– Internet use must comply with corporate policies


Case study

Awareness “history”
– IT security
– Information security
– Business Continuity Testing
– Security including physical security

Regular seminars


From awareness to behaviour change

Security-positive behaviour should be encouraged by
– making attendance at security awareness training compulsory
– publicizing security successes and failures throughout the organization
– linking security to personal performance objectives


Security Awareness for home user

No regulations
Personal risk experience
More electronic information
– Internet banking

Everyone is on the Internet


Lessons for everybody

Main risks
– Viruses
– Spyware
– Phishing
– Spam

About
– Safe e-mail usage
– Safe internet browsing
– Securing your computer


At school?

Other security (safety)
– road traffic regulation
– electricity (physics)
– fire protection

IT security...


Questions? Discussion...



?

– Does IT security concern everybody
– How to educate society
– Special software/game
– What are our responsibilities
– ...