Security and your Staff


Presentation Transcript


  1. Security and your Staff “Information Assurance Training: An Essential Part of an Effective Security Strategy” March 22, 2005 Pamela Halpern Easyi, Inc.

  2. “Common sense is not so common.” - Voltaire (1694-1778)

  3. The Human Element of Information Security Training
  A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar. -- Infosecurity Europe 2004
  "This survey proves people are still not as aware as they could be about information security, this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date." -- Claire Sellick, Event Director for Infosecurity Europe 2004
  “The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress.” -- Gary Sheehan, Information Security Project Leader

  4. This Session
  • The Key Challenges to getting employee buy-in
  • Getting Started: Some Common Misconceptions
  • Issues to Consider
  • Key Principles for Making IS training truly effective

  5. The Key Challenges
  • Systems alone are not enough
  • Overcoming complacency
  • Different target audiences
  • Delivering the program
  • Ongoing program
  • Cost-effective
  • Measuring the results
  • Demonstrating compliance

  6. Developing training solutions - A double challenge
  • Meeting the needs of:
    • The General Audience
    • Management

  7. Bringing about meaningful behavioral change: from information to understanding
  Enterprise Security Cycle:
  • Awareness (I know it exists)
    • what is it?
    • why is it important?
    • how does it apply to me?
  • Understanding (I know what it is)
  • Value (I know why it is worthwhile)
  • Ownership (I like it)
  • Commitment (I’ll do it)
  • Communication (I’ll promote it)
  • Development (I’ll help enhance it)

  8. How do you get started?

  9. Common misconceptions about IS training
  These are the “no-no’s”!
  • Just publishing IS policies and procedures is NOT the solution
  • The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program
  • Annual or one-off training will NOT work

  10. Strategic planning
  • Who gets the training and how many?
  • What training they get
  • Where the training takes place
  • When the training takes place
  • How the training is delivered
  • Over the short, medium and long term
  • Aligned with corporate goals and objectives
  • Clear business case for all elements

  11. Training Needs Analysis (TNA) and Scoping
  What should be done?
  • Understand the context for training
  • Assess current levels of awareness
  • Analyze the needs of the target audience – key groups
  • Define objectives for training
  • Define measures of success
  • Define requirements:
    • Content
    • Delivery (Technical & Operational for each group)
    • Management reporting
  Who does it?
  • Your project team
  • Other agreed key personnel
  • In-house SMEs
  In consultation with:
  • Security Officers
  • Marketing/PR
  • IT Support
  • Compliance officer
  • Business unit shareholders
  What is the deliverable?
  • A written report on needs and scope of the project

  12. Critical factors for success - TNA: Key factors to be considered
  • Needs of technical vs. non-technical audience groups
  • Generic, customized or “created from scratch” content
  • Appropriate media and delivery channels
  • Cultural factors
  • Languages
  • Time scales
  • Support requirements

  13. Critical factors for success - TNA: Learning Technologies Audit
  • Current infrastructures
  • Desktop / bandwidth issues
  • Existing Learning Management System (LMS)?
  • Learning standards? (AICC/SCORM*)
  • Section 508 compliance?
  * SCORM: Shareable Content Object Reference Model
  * AICC: Aviation Industry CBT Committee

  14. Creating the Team
  Project Manager
  • Tasks: Develops the overall approach to the program; manages the relationship with various groups; key contact for ongoing program management.
  • Commitment: Involved in defining requirements and establishing working procedures in early stages of the project; involved in monitoring progress and coordinating your input on an ongoing basis.
  Subject Matter Experts & Business Representatives
  • Tasks: Review and approve content.
  • Commitment: Involved in defining content requirements and reviewing customized content in early stages of the project; can also be involved in QA.
  Technical / Systems expert
  • Tasks: Input with technical experts re systems requirements and installation.
  • Commitment: Supplies details of your technical requirements at the outset of the project and will be available to provide support and assistance during installation; no ongoing requirement for this role unless significant changes are made to the configuration of your IT systems.

  15. Planning and Implementation Process
  Needs Analysis → Planning → Design → Development → Implementation → Evaluation

  16. Critical factors for success - Project planning
  • Develop an overall communications plan
  • e-learning is just one component
  • Communicate with and gain buy-in from senior management
  • Plan beyond initial training
  • Include technology and integration requirements
  • Clearly defined roles and responsibilities
  • Agreed realistic timescales and clear milestones
  • Regular reporting and reviews

  17. Developing the “right” solution

  18. What is best? This depends on you!
  • What objectives have you set?
  • What is the size of your organization?
  • What resources do you have?
  • What budget do you have?
  • Can you get management buy-in?
  Think of it as “a marketing campaign”.

  19. An Awareness Campaign
  • Core training
  • Refresher training/awareness
  • Ongoing awareness/Internal Marketing

  20. The campaign should be:
  • Brand and value led
  • Interactive and context led
  • Engaging and innovative
  • Tailored to customer needs

  21. Refresher Training: Posters

  22. Refresher Training
  • Newsletters
  • Interactive emails
  • Awareness materials

  23. Newsletters – vary the format of the message

  24. Ongoing Awareness: Information Security Portal
  What should this mean in practice? A system for gathering, organizing and communicating information and knowledge that is:
  • User-friendly
  • Intuitive
  • Flexible
  (Web Portals)

  25. Feedback and Measurement is Crucial

  26. Feedback and Measurement
  Feedback and measurement are ESSENTIAL! Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories:
  1. Audit/tracking system
  2. Learning Management System

  27. Feedback and Measurement
  1. Audit/tracking system
  • built into the main training program
  • provides information on the progress and performance of each user
  • may allow you to export information into other applications
  • generally provided free with the program purchased

  28. Feedback and Measurement
  2. Learning Management System
  • provides the infrastructure needed to track, record, schedule and deliver corporate-wide learning
  • many different kinds of LMS – offering different types of functionality
  • allows you to manage the variety of training programs/resources available from one central point, including online learning, classroom training, registration, instructor availability etc.
  • can be very expensive! (may be included with courseware if it’s from the same provider)

  29. Feedback and Measurement
  How do you choose what’s right for your campaign?
  • Assess how feedback and measurement is currently undertaken for training in other business units – perhaps an LMS is already in place?
  • What requirements do you and your organization have – now and in the future?
  • Size of organization
  • Budget
  • AICC/SCORM compliant

  30. Learning Management System The medieval rule of parsimony, or principle of economy, frequently used by Occam came to be known as Occam's Razor. The rule states that plurality should not be assumed without necessity or, in modern English, keep it simple, stupid.

  31. Nine Key Principles for effective IS training

  32. Principle #1: Clarity of Ownership with Executive Buy-In
  • Clear and unequivocal ownership
  • Accommodates goals of all business lines
  • Avoids gaps between words and actions

  33. Principle #2: Integrated Compliance
  • It’s hard to do compliance of any kind department by department
  • An integrated approach yields consistent, cost-effective and comprehensive results

  34. Principle #3: Less is always more
  • It’s about understanding, not just information
  • We can’t all be experts
  • Reference materials can be made available, as needed
  • Retention AND commitment plummet after 60 minutes

  35. Principle #4: Value vs. Cost
  • Costs relate to scale
  • The real measure is the effectiveness of the outcome, not the cost per head
  • Security breaches are much more expensive!

  36. Principle #5: The Right Combination of Spirit and Structure
  • Keep it light, humorous
  • But also reinforce personal responsibility and the corporate commitment to getting it right

  37. Principle #6: Relevant Context Setting
  • Relevant, appropriate, realistic
  • Actual examples from archives or recent situations are best
  • The goal is understanding how it fits into their daily routines

  38. Principle #7: Consistency
  • Messages should be consistent
  • Training and awareness should be delivered so that it fits within the organization’s culture

  39. Principle #8: Technology Should Enable
  • And no more!
  • Be careful of adding too many bells and whistles
  • It’s better to avoid the possibility of technical glitches
  • The content is the key

  40. Principle #9: Project Management
  • It’s the key ingredient
  • Get everyone on board with the plan
  • Allow time for testing, feedback and fine-tuning

  41. Information Security Assurance: Getting the message through

  42. Questions? Pamela Halpern Easyi pamela.halpern@easyi.com 310 414-0731 www.easyi.com
