You are on page 1of 37

IT Best Practices for Community Colleges Part 4:

Awareness Training
Donald Hester
April 20, 2010

For audio call Toll Free 1-888-886-3951


and use PIN/code 254482
Housekeeping

• Maximize your CCC Confer window.


• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio

1) If you’re listening on your computer, adjust your volume using


the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.


Saving Files & Open/close Captions

1. Save chat window with floppy disc icon


2. Open/close captioning window with CC icon
Emoticons and Polling

1) Raise hand and Emoticons


2) Polling options
IT Best Practices for Community Colleges Part 4:
Awareness Training
Donald Hester
What is Security Awareness?

 Awareness is not training


 The purpose of awareness presentations
is simply to focus attention on security
 Awareness presentations are intended to
allow individuals to recognize IT security
concerns and respond accordingly
 Security awareness efforts are designed
to change behavior or reinforce good
security practices
7
How does Training differ from
Awareness
 In awareness activities, the learner is the
recipient of information
 the learner in a training environment has
a more active role
 Awareness relies on reaching broad
audiences with attractive packaging
techniques
 Training is more formal, having a goal of
building knowledge and skills
8
9
Cycle of Security Training
Awareness Program
 Establish a policy
 Assign responsibility (CIO, Director)
 Needs assessment
 Develop Awareness and Training
Materials
 Implementation of the program
 Update and monitor program
Program

11
Needs Assessment

 What awareness, training and/or


education are needed?
 What is currently being done to meet
these needs?
 How well is it working?
 Which needs are most critical?
 NIST SP 800-50 has a Sample Needs
Assessment and Questionnarie

12
Needs Assessment

13
Establish Priorities

 Availability of Material/Resources
• In house or outsourced
 Role and Organizational Impact
• How ill this help people do their job
• How will this help us reach our overall goals
 State of Current Compliance
• How informed are staff and students about
security and privacy practices
 Critical Project Dependencies
14
• Funding
Materials

 “What behavior do we want to reinforce?”


(awareness)
 “What skill or skills do we want the
audience to learn and apply?” (training)
 Watch out for the “we’re here because
we have to be here” attitude
 An awareness and training program can
be effective, if the material is interesting
and current
15
Practice

 One way to get users involved and


invested in the training is to make the
training cover topics they are interested
in
 For example a class on “FaceBook” or
“MySpace”
 Users are interested in what they are
interested in, use it to your advantage

16
Possible Topics

•Password usage and •Web usage


management •Data backup and
•Unknown e-mail storage
attachments •Social engineering
•Policy •Inventory and property
•Personal use and gain transfer
issues •Portable device issues
•System and application •Laptop security
patching •Physical security
•Personal systems at •Software licensing
work •Use acknowledgements

17
Campaign

 Use marketing skills


 Get students involved
 Assignment for class
 Branding
 Use Social Media
 Use Posters
 Use Email reminders
 Leverage Safety Awareness
 Mascots
 Alerts
18
Use multiple vectors
Use real life examples
 Website notices of incidents

 RSS Feeds Use incidents as an


 Posters opportunity to teach
“what not to do”
 Emails
The news has stories
 Announcements everyday you can use
 Logon banners
The best stories are
 Seminars and classes often those “closest to
 Games and contests home”


19
Awards
Initial User Training

 Upon hire and annually thereafter


 Must complete before access is granted
 Serves as notification (legal)
 What do they need to know to do their job
 A basic IT security course – often online

20
Reminders
http://blogs.technet.com/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx

Some people question


the usefulness of these
warnings

However it serves at the


least as a subconscious
reminder

Legal questions arise


21
Sample Posters
(Government)

22
Buy Posters

23
Short and to the point

24
NIST Posters

25
26
Maintenance of the Program

 Continuous
improvement
should always be
the theme for
security awareness
and training
initiatives, as this is
one area where
“you can never do
enough.”
27
Input for Updates

28
Maintain the Program

 Frequency that each target audience


should be exposed to material
 Documentation, feedback, and evidence
of learning for each aspect of the
program
 Evaluation and update of material for
each aspect of the program
 Is this working???

29
Goal of Training

 Training is separate from awareness but


there overlapping areas
 The goal of training is to produce
relevant and needed skills and
competencies
 It is crucial that the needs assessment
identify those individuals with significant
IT security responsibilities, assess their
functions, and identify their training
needs
30
Training

 Training plan should identify an


audience, or several audiences, that
should receive training tailored to
address their IT security responsibilities
 Each user may need specific training for
their job
• Network admins may need Windows or
Cisco security training
• Admissions may need special training for
handling student records
31
Example of Training

 This course falls under training


 Focus on job roll skills and competencies
• Specifically tailored for managers and
decision makers
• Designed to help them (You) with their job
function
 Online delivery (CCCConfer)
 Live instructor and recorded archive

32
KPI (Key Performance Indicators)

 Sufficient funding to implement the agreed-upon strategy


 Appropriate organizational placement to enable those with key
responsibilities to effectively implement the strategy
 Support for broad distribution (e.g., web, e-mail, TV) and posting
of security awareness items
 Executive/senior level messages to staff regarding security
 Use of metrics (e.g., to indicate a decline in security incidents or
violations)
 Managers do not use their status in the organization to avoid
security controls that are consistently adhered to by the rank and
file
 Level of attendance at mandatory security forums/briefings
 Recognition of security contributions (e.g., awards, contests)
 Motivation demonstrated by those playing key roles in
managing/coordinating the security program
33
Resources

 Consider Partnerships
• Other community colleges have the same needs – work together
 Books
• Managing an Information Security and Privacy Awareness and
Training Program ISBN 978-1439815458
 Standards and Guidance
• NIST SP 800-50 Building an IT Security Awareness and Training
Program
 Posters
• Monthly subscriptions
http://www.securityawareness.com/postersub.htm
• New York
http://www.cscic.state.ny.us/cscorner/events/2008/index.cfm
 Social Media Example
• http://www.facebook.com/group.php?gid=245570977486
34
Q&A

Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486
Evaluation Survey Link

Help us improve our seminars by filing


out a short online evaluation survey at:

http://www.surveymonkey.com/s/10SpIT4
IT Best Practices for Community Colleges Part 4:
Awareness Training
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/