Guide to Implementing an Effective Security Education & Awareness Program

Presented by:
Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma
Shirley Payne, Director, Security Coordination and Policy, University of Virginia
Krizi Trivisani, Chief Security Officer, The George Washington University


Copyright Calvin Weeks, Shirley Payne, Krizi Trivisani 2004. This
work is the intellectual property of the authors. Permission is
granted for this material to be shared for non-commercial,
educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the
copying is by permission of the author. To disseminate otherwise
or to republish requires written permission from the authors.
Overview

This presentation will offer help in implementing a security awareness program that teaches physical and system security precautions, establishes realistic expectations, and decreases the overall cost of securing an enterprise network by teaching users to share best practices with peers and by improving security in the workplace and in home work environments.
Calvin Weeks

Introduction and Definitions
Audience
Roles and Responsibilities
Shirley Payne

Collaboration
Institutional Culture
Krizi Trivisani

Policies
Key Issues and Pitfalls
Resources and Samples
Measurement of Success
Introduction
Security programs cannot be successful without good leadership from the very top of your organization down. Even with all the staff, technology, resources, and budget, a Chief Information Officer (CIO) or Chief Security Officer (CSO) will not and cannot secure an environment without the rest of the organization. Every person in your organization plays a very important role in the security of all physical and virtual assets. But why would anyone be motivated to participate in security? What are the key issues and concerns for your organization, CIO, CSO, directors, staff, faculty, students, parents, system / network administrators, contractors, guests, and many other types of people internally and externally? How do these people know what their role or responsibilities are?
EDUCAUSE Security Awareness & Education Task Force
Mission/Purpose:
The Education and Awareness Initiative team will identify and take steps to implement and/or publicize various methods by which awareness of information technology security issues is raised amongst university and college computer and network users, administrators, and executives.
EDUCAUSE Security Awareness & Education Task Force
Team Goals/Expected Outcomes (Deliverables and Metrics):
The team will:
1) Identify current projects and current materials and methods (primarily developed within the higher education and non-profit communities, but also vended products where they have been proven to be, or may be, particularly useful to universities and colleges).
2) Use existing methods available via EDUCAUSE to publicize identified offerings.
3) Where gaps may exist in available offerings, commission development of programs or materials as needed.
EDUCAUSE Security Awareness & Education Task Force
Boundaries for the Team (Scope of Work & Authority):
The team will concern itself with education and awareness of
1) end-users (essentially faculty, staff, and students)
2) technicians and administrators who maintain systems for campuses
3) executives.
The team will not venture into the realm of educating security professionals, or into formal for-credit curriculum development.
EDUCAUSE Security Awareness & Education Task Force

Team Leadership:
Co-Chairs:
Kelley Bogart, University of Arizona
Mark Bruhn, Indiana University
Definition
Webster’s New World Dictionary, Third College Edition
Awareness – Knowing or realizing; conscious; informed.
Training – the process or experience of being trained. [train] – to instruct so as to make proficient or qualified.
Education – knowledge, ability, etc. thus developed. [develop] – to become larger, fuller, better, etc.; grow or evolve, esp. by natural processes.
Awareness
“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Awareness

What behavior do we want to influence?
Examples:
“Change your password every 60 days”
“Sec-U-R-IT-y”
“Secure-IT”
“Time for a checkup: Patches, Virus definitions, passwords”
Awareness Links

http://www.itsa.ufl.edu/posters/passwords.pdf
http://www.itsa.ufl.edu/posters/10reasons.pdf
http://www.asu.edu/it/security/s101/
https://www.itso.iu.edu/howto/
http://security.ou.edu/bestpractices/index.html
Bookmarks
Training

“Training strives to produce relevant and needed security skills and competencies.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Training

What skills do we want to have learned?
Examples:
Professional development training
Seminars
Workshops
Conferences
On-the-job performance of employment duties
Sample Programs

http://security.ou.edu/sec_catalog.htm
http://www.it.ufl.edu/training/
http://register.perfectorder.com/it/2005/workshop.php
http://sans.org/
Education
“Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge…and strives to produce IT security specialists and professionals capable of vision and proactive response.”
National Institute of Standards and Technology (NIST), Special Publication 800-50
Education

What knowledge do we have to share and collaborate on?
Examples:
EDUCAUSE National Conference, college degree, 10 years of experience, and 400 contact hours of training.
Why?

HIPAA
FERPA
GLBA
Sarbanes-Oxley Act
Grant requirements
Compliance
Other local, state, and federal regulations
Does it make a difference?

RPC vulnerability and the Welchia/Nachi worm – users aware
SQL Slammer worm – technical education
Sobig.F e-mail worm – users aware and technical training

Each case maps to the point of the slide: Welchia/Nachi and Slammer spread through holes for which vendor patches already existed, so the failure was in administrators' patching practice, while Sobig.F depended on users opening an e-mail attachment.
Centers of Academic Excellence
The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program, established in November 1998, helps NSA partner with colleges and universities across the nation to promote higher education in information assurance (IA). This program is an outreach effort that was designed and is operated in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, dated May 1998. The program is now jointly sponsored by the NSA and Department of Homeland Security (DHS) in support of the President's National Strategy to Secure Cyberspace, February 2003. The goal of the program is to reduce vulnerability in our national information infrastructure by promoting higher education in information assurance (IA), and producing a growing number of professionals with IA expertise in various disciplines.
59 Centers throughout the US.
Who is our Audience?

Faculty
Staff
Students
Parents
Contractors
Visitors
Community/industry partners - outreach
Target your Audience!
General
Technical/non-technical
Local/remote
Faculty/researchers/professors
Management/staff
System/network administrators/support staff
Students/parents
Home/travel users
Staff who handle data regulated by HIPAA, FERPA, GLBA, or Sarbanes-Oxley
Contractors/new employees
Roles

President or Head
CIO/CSO
Information System Security Officer
Security T.E.A. Program Manager
Directors/managers
Faculty/staff/students/Users
T.E.A. Manager

Training, Education, and Awareness (T.E.A.)
Program/Curriculum development
Course and Instructor coordination
Program promotions
Measure expectations/requirements vs. outcomes/results.
Questions?
When I Go To U.Va….

http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov
Collaboration

Or, Great Security Education and Awareness With A Little Help From Your Friends!
IT Security Staffing Landscape
What percent of surveyed institutions have a chief IT security officer?

What is the average number of full-time security staff at surveyed doctoral institutions? At baccalaureate institutions?

What percent of surveyed institutions have no formal awareness programs for students, faculty and staff?

From 2003 EDUCAUSE Center for Applied Research Survey
Typical Responsibilities of Security Officers
Strategic Planning
Awareness, Education & Technical Training
Technical Communications (Alerts)
Policy Development
Compliance
Risk Assessment & Business Continuity
Incident Detection & Response
These Responsibilities Require Many Roles To Be Filled

Strategic Planner
Champion
Communications Expert
Teacher
Technical Expert
Policy Writer
Lawyer
Enforcer
Watch Dog
Incident Responder
Etc., etc., etc.
Which Roles Suffer First?

Strategic Planner
Champion
Communications Expert
Teacher
Technical Expert
Policy Writer
Lawyer
Enforcer
Watch Dog
Incident Responder
Etc., etc., etc.
Collaborations Make All The Difference!

New ideas
Access to others' competencies
Expanded scope of influence
Shared labor and cost
Executives
Examples:
Boards of Trustees
Presidents
Vice Presidents & Provosts
Deans & Department Heads
Chiefs of Staff

Potential Gains:
Policy approval
Funding and staffing approval
Influence (directives, reviews, role-models)
Appropriate expectations
Testimonial

http://security.gmu.edu/HennesseyResponse.mpg

Tom Hennessey, Chief of Staff, George Mason University
Shown with permission from the producer Cathy Hubbs, IT Security Coordinator, George Mason University
Faculty, Staff, & Student Leaders
Examples:
Chief of Human Resources
Faculty Senate Chair
Dean of Students
Student Council
Dorm Resident Advisors
Student Honor Committee

Potential Gains:
Input on security awareness plans
New champions
Peer-to-peer influence
Central IT Staff
Examples:
Network and System Engineers
User Support Staff, e.g. Help Desk

Potential Gains:
Identification of problem areas, emerging threats, and priorities
Security alerts
Security awareness tool development
Departmental Staff
Examples:
System Administrators
Office Managers

Potential Gains:
Input on security awareness needs and priorities
Input on guidelines and policies
Security champions in their departments
Dissemination of security alerts within their departments
Departments with Security Interests
Examples:
Audit Department
Legal Counsel
Campus Police

Potential Gains:
Participation in awareness events
Input on awareness priorities
Contribution to development of guidelines and policies
Interested Faculty & Students
Examples:
Instructors
Student class projects

Potential Gains:
Participation in awareness events
Input on awareness tool design
Tool development
Communications Experts
Examples:
Public Relations Office
Campus and Community Press

Potential Gains:
Design of professional literature
Development of creative marketing tools that deliver the security message in unique and innovative ways
Communication of alerts, events and other information
Security Experts & Organizations
Examples:
EDUCAUSE http://www.educause.edu/security
Virginia Alliance for Secure Computing & Networking http://vascan.org
Others:
• SANS Institute http://www.sans.org
• CERT Coordination Center http://www.cert.org
• CERIAS http://www.cerias.purdue.edu
• NIST Computer Security Resource Center http://csrc.nist.gov
• and many more

Potential Gains:
Multiple perspectives
Fresh ideas
Eliminates wheel reinvention
Back to that U.Va. video…

Collaborators:
Concept and story board – IT Publications staff
Video production – School of Continuing & Professional Studies
Actors: children of IT staff
Closed captioning – local commercial firm
Cost was less than $3,000
Making Collaborations Work
Choose Long-term Collaborators Carefully

Should have common goals

Should be recognized benefits on both sides

Should be based upon mutual trust
Manage the Collaborations
Set realistic expectations
Communicate well
Resolve issues quickly
Periodically review collaboration health
Recognize their contributions
Institutional Culture

Or, When in Rome….
What Defines Culture?
Strategic Planning and Decision-Making
Examples:
• Top-down
• Bottom-up
• Consensus-based

Institutional Values
Examples:
• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of institution
• High bond rating
What Defines Culture?

Control of Operational Functions
Examples:
• Centralized
• Decentralized

Long-term Institutional Priorities
Examples:
• Increase research
• Increase community outreach

Other influences on culture?
Ideas For Using Culture

Decentralized Control Over Computing

Formalize and leverage network of departmental system administrators

How? Some Examples:
University of Virginia LSP Program
http://www.itc.virginia.edu/dcs/lsp
George Mason University SALT Group
http://itu.gmu.edu/security/sysadmin/salt-description.html
Ideas For Using Culture

Increasing Emphasis on Compliance

Spotlight Federal Regulations Related to Security & Privacy

How? Some Examples:
IT Security for Higher Education: A Legal Perspective
http://www.educause.edu/ir/library/pdf/csd2746.pdf
Family Educational Rights & Privacy Act
http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html
Gramm Leach Bliley Act
http://www.ftc.gov/privacy/glbact/index.html
Health Insurance Portability & Accountability Act
http://www.hhs.gov/ocr.hipaa
Ideas For Using Culture

Strong Leadership at the Top

Make Executive-level Awareness a Top Priority

How?
ACE Letter to Presidents Regarding Cybersecurity
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
Information Security: A Difficult Balance
http://www.educause.edu/pub/er/erm04/erm0456.asp
Gaining the President’s Support for IT Initiatives at Small Colleges
http://www.educause.edu/apps/eq/eqm04/eqm0417.asp
Presidential Leadership for Information Technology
http://www.educause.edu/ir/library/pdf/erm0332.pdf
Changing Culture

Awareness, education, and training change attitudes.
Changing attitudes can force change in institutional culture.
Also, major security incidents should initiate examination of cultural influences and the possible need for change.
Changing Culture

Real Life Example
(real name changed to protect the guilty)
Changing Culture

I hear and I forget.
I see and I remember.
I do and I understand.

Chinese Proverb
Exercise
Divide into groups
Assign target audience to each group:
Executives
Administrative staff
Students
Faculty
Researchers
IT professionals
Brainstorm ideas for building awareness
8 minutes
Prepare bulleted list
Select spokesperson
Share results
Cool Examples!

Policies
Key Issues and Pitfalls
Resources and Samples
Measurement of Success
Let’s Play!
I’ve Got Email is an educational form of bingo that incorporates IT security related words and phrases. This is a good activity for a security or IT department. Play it as a normal bingo game, but when someone gets five in a row (or four corners, etc.) they shout “I’ve Got Email!” To add an additional educational effect, you might ask them to explain each of the terms in the winning row.

Sample card (I’ve Got EMAIL, www.securityawareness.com):

E                    M              A              I              L
Virus                Phishing       Privacy        Password       Alert
Router               Certification  Interface      Solution       Monitor
Standards            User ID        FREE           Detection      Modules
Risk                 Reliability    Authorization  Architecture   Firewall
Information Warfare  Linux          Sniffer        Technology     Policies

Copyright 2000-2004 Security Awareness, Inc - All Rights Reserved
Security Implementation Relies On: People, Process, Technology

Process: Policies must be developed, communicated, maintained and enforced. Processes must be developed that show how policies will be implemented.
Technology: Systems must be built to technically adhere to policy.
People: People must understand their responsibilities regarding policy.
Policies

The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines and other supporting documents will spring. As with any foundation, it is important to establish a strong footing.
Why Implement a Security Policy?
In the absence of an established policy, the University’s current and past activities become the de facto policy.
With no formal policy to point to in its defense, the University may be in greater danger of a breach of security, loss of competitive advantage, loss of customer confidence, and government interference.
By implementing policies, the University takes control of its destiny.
Why Implement a Security Policy?
The goal of an information security policy is to maintain the integrity, confidentiality and availability of the information resources.
The basic threats that may prevent the University from reaching this goal are unauthorized access, modification, disclosure or destruction - whether deliberate or accidental - of the information or the systems and applications that process the information.
Why Implement a Security Policy?
When developing the policy, there is as much danger in saying too much as there is in saying too little.
The policy should provide the direction required by the University while maintaining business unit management discretion in the actual implementation of the policy.
The more intricate and detailed the policy, the more frequent the update requirements and the more complicated the training process for users.
Policy Structure

Laws, Regulations, and Requirements
  Policy
    Standards
      Procedures, Practices
      Guidelines
Awareness and Training on the Security Policy

Now you have a policy… but has anyone read it?

Or better yet… do they understand it?
Policy resources:
http://www.educause.edu/CampusPolicyInitiatives/332
Key Issues and Pitfalls
Make sure your Implementation Plan for the Security Policy includes training!
Make sure your training materials and policy are not in conflict.
Know your audience and adjust your training as appropriate by keeping their needs in mind.
Get feedback!
BUDGET for training and awareness.
Utilize free resources and solicit volunteers, interns, and partnerships with departments and other Universities.
Resources

The Education & Awareness Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cyber security awareness resources that will be distributed on a CD.

The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization.
What’s on the CD?

Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Post Cards
Presentations
Pamphlets
Links to School’s Security Web Page(s)
Videos
Security Awareness Documents
Security Cards
Security Quizzes
Scripts
Surveys
Security Tools
Measurement of Success

Surveys
Quizzes
Password cracking (auditing your own users’ password hashes, with authorization)
Reduction/increase in infections
Audits – baseline, then monitor progress
Metrics (and yes, color graphics are worth it when presenting to management)
Incentives and recognition for the most improved and for others actively working to increase security in their departments
Lather, rinse, repeat!
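The password-cracking item on this list is the one measurement that is a technical procedure, so here is an added example (not part of the presentation) of how to turn it into a before-and-after metric: run a short dictionary attack with common mangling rules against two sets of salted password hashes, one representing the baseline audit and one the audit after training, and report the fraction of accounts that fall. The hash format (salted SHA-256), the sample accounts, their salts, and the wordlist are all constructed for this example; a real audit would export hashes from your directory, use a purpose-built cracker such as John the Ripper or hashcat, and run only with written authorization.

```python
"""Password-audit metric for an awareness program (added example).

Measures the share of accounts whose password falls to a small
dictionary attack, so a baseline audit can be compared with a later
one after training.  The hash scheme, accounts, salts and wordlist
below are constructed for this example.
"""
import hashlib

# Constructed wordlist: what an auditor (or attacker) would try first.
WORDLIST = ["password", "welcome", "sooners", "football", "letmein", "summer"]


def mangle(word):
    """Yield common variants of a base word: case changes, a few
    digit/punctuation suffixes, and simple letter-for-symbol swaps."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add(b.replace("a", "@").replace("o", "0").replace("e", "3"))
    for b in bases:
        yield b
        for suffix in ("1", "123", "!", "2004", "04"):
            yield b + suffix


def hash_password(salt, password):
    """Salted SHA-256, the (constructed) format of the sample records."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(records, wordlist=WORDLIST):
    """Return {user: recovered_password} for every record whose hash
    matches a mangled wordlist entry.  records: (user, salt, hexdigest)."""
    candidates = set()
    for word in wordlist:
        candidates.update(mangle(word))
    found = {}
    for user, salt, digest in records:
        for cand in candidates:
            if hash_password(salt, cand) == digest:
                found[user] = cand
                break
    return found


def weak_fraction(records, wordlist=WORDLIST):
    """Fraction of accounts cracked: the number to track audit over audit."""
    return len(crack(records, wordlist)) / len(records) if records else 0.0


def make_records(passwords):
    """Build constructed (user, salt, hash) records from {user: password}."""
    return [(u, f"salt-{u}", hash_password(f"salt-{u}", p))
            for u, p in passwords.items()]


# Constructed audit data: the same five accounts before and after training.
BASELINE = make_records({
    "alice": "Password1",
    "bob": "sooners04",
    "carol": "f00tb@ll!",
    "dave": "correct horse battery staple",
    "erin": "Welcome123",
})
AFTER_TRAINING = make_records({
    "alice": "Tulip-Armchair-92",
    "bob": "sooners04",
    "carol": "9x!Lantern#Quarry",
    "dave": "correct horse battery staple",
    "erin": "Welcome123",
})


def report(before, after):
    """Summary suitable for a management slide: baseline, current, delta."""
    b, a = weak_fraction(before), weak_fraction(after)
    return {"baseline": b, "after": a, "improvement": b - a}


if __name__ == "__main__":
    print("cracked at baseline:", crack(BASELINE))
    print("cracked after training:", crack(AFTER_TRAINING))
    print(report(BASELINE, AFTER_TRAINING))
```

The figure worth presenting is the drop in weak_fraction between the two audits rather than either absolute count, and the comparison only means something if the same wordlist and mangling rules are used both times; change the rules and you are measuring your cracker, not your users.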
Measurement of Success

Did you meet the goals of your awareness program?
Did you set goals?
Samples:
To reduce risk by implementing best practice information security programs while balancing academic freedom
What are the Goals of GW's Security Awareness Program?
To educate members of the University community
To identify and address risk
To promote and encourage good security habits
Exercise
Divide into groups
You are planning your first Cyber Security Awareness Day for your campus.
What are your goals?
What will the event involve?
How will you make it interesting for your audience?
Brainstorm ideas
8 minutes
Prepare bulleted list
Select spokesperson
Share results
Questions?

Contacts
Calvin Weeks cweeks@ou.edu
Shirley Payne payne@virginia.edu
Krizi Trivisani krizi@gwu.edu