ADVISORY
Information Security: Policy, Awareness and Training, and Compliance
KPMG LLP
Graham J. Hill, IT Advisory Services
November 21, 2007
Overview
• Information Security Governance - Policy and Procedure and their Relationship with Training and Awareness
• Security Awareness and Training
  • Business Drivers
  • Program Framework
• Compliance
• Audit and Assessment:
  • Methodology
  • Different types
Objectives
Gain an understanding of:
• Relationships between corporate policy and training and awareness
• The business drivers
  • Manage Risk
  • Promote a culture of awareness
  • Empower employees
  • Protect the Company and its Assets!!!
• Components of an effective awareness program
• Assessing or auditing the program
The Corporate Information Security Policy
• The “House Rules”
• Conveys Senior Management expectations to employees
• Helps to show Due Diligence in Security
• Meant to address risk the company faces
  • Address Malicious or non-malicious activity
• Sets a baseline for behavior
• Conveys enforcement criteria
• Sets the stage for development of procedures, standards and guidelines
Information Security Policy - Development
Considerations in the development of Security Policy:
• Business Risk Profile
• Protection of assets (tangible and non-tangible)
• Legal, Statutory, Regulatory, and Contractual
  • SOX, HIPAA, GLBA, etc., etc., etc.
• Business Requirements for Information Processing that support operations
  • Inter-connectivity profile
  • IT usage profile
• Leveraging Industry Accepted Standards:
  • ISO 17799 – International Standards Organization
  • CoBIT – Control Objectives for IT
  • NIST – National Institute of Standards and Technology - 800 Series (800-50, 800-16)
• Security Trends in the industry
  • Emerging cyber-threats
  • The “human” factor
The Relationship between Corporate Policy and Awareness & Training
Business drivers for implementing an awareness program:
• Communicate policy
• Explain risks the organization faces
• Communicate risk mitigation tactics for known threats
  • Social engineering, Phishing/Pharming, Dumpster Diving
• Address typical security issues in the workplace:
  • Physical security
  • Mobile Devices – PDA’s, Laptops, etc.
  • Acceptable usage
  • Identity Theft!!!
  • Hotlines, Call Trees, Key Internal Contacts
• Outline employee responsibility and accountability
• Empower employees!!!
What is the difference between Awareness, Training, and Education?
• Characteristics of Awareness – This is the “What”
  • “For your information”
  • Meant for recipient to “recognize and retain”
  • Delivered via sessions, webinars or CBTs, emails, incentives, visible marketing materials
  • Short term retention
• Characteristics of Training – This is the “How”
  • Knowledge and skill
  • Delivered via practical instruction
  • Meant for intermediate retention – training on a specific role
• Characteristics of Education – This is the “Why”
  • Insight and understanding
  • Delivered via theoretical instruction – study, research
  • Long term retention
Just some figures….
• Currently, 8 of the SANS “Top 20” list end-user Awareness and Training as part of the solution
• A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently
  • Result: The laptop contained financial information on almost 200,000 current and former Hewlett Packard employees…..
• The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst, took home data from the VA, which he was not authorized to do.
  • Result: This resulted in over 26 MILLION veterans having their personal information stolen, including social security numbers and disability ratings, when the employee’s home was burglarized.
• This included one of our Seattle-based Senior Managers
Auditing and Assessing Methodology
To test the “design” of the program:
• Analyze the Program
  • Its history and background
  • Ideological foundation – does it reflect the policy, industry standards, regulatory concerns?
  • Its framework – is it following a specific standard or ad hoc?
  • Content
  • The method of accountability – do training recipients sign off?
  • Method(s) of delivery
• Incorporates Awareness AND Training
  • Awareness, role-based, performance based
• Is the program curriculum reviewed periodically for relevance?
Auditing and Assessing Methodology
To test the “effectiveness” of the program:
• Sample a set of recipients and test their knowledge
  • Did they sign-off?
• Test the curriculum that is taught
  • Are awareness recipients able to identify threats?
  • Are they able to stop the threat prior to realization?
  • Do they report the attempt?
Third-Party Assessments
• Provide an independent view of the current state of the Security Program
• Provides a “snapshot in time”, health check
• Typically leverages accepted Industry Standards (i.e. ISO 27001 and ISO 17799/27002)
• Prioritizes risk areas, provides direction, and provides business case
Standards-Based Audits
• Payment Card Industry (PCI) Compliance Assessment
• ISO17799/27001 Certification
• AICPA
  • Systrust
  • Webtrust
• NIST
Other Audits and Assessments
• Vendor and Partner Security Assessments
• Security in Mergers and Acquisitions
  • Planning an IT Merger
  • Security?
  • Regulatory Compliance?
On the Horizon
• Regulation “du jour”
• Increased legislation for businesses
• Changes in frameworks and standards
• Use of automated “performance measurement” tools
• Integrating security with other standards such as ITIL
Thank you
Graham Hill, CISSP, CISM, ITIL
Manager, IT Advisory – Information Protection Services
KPMG LLP - Seattle, WA.
email@example.com
206-913-4069
References
• ISO 17799/27001
• NIST 800 Series
• CoBIT v4.0
• “A Design Theory for Information Security Awareness”, Petri Puhakainen