IT Best Practices for Community Colleges Part 4: Awareness Training


Presentation Transcript


  1. IT Best Practices for Community Colleges Part 4: Awareness Training Donald Hester April 20, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 254482

  2. Housekeeping • Maximize your CCC Confer window. • Phone audio will be in presenter-only mode. • Ask questions and make comments using the chat window.

  3. Adjusting Audio • If you’re listening on your computer, adjust your volume using the speaker slider. • If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.

  4. Saving Files & Open/close Captions • Save chat window with floppy disc icon • Open/close captioning window with CC icon

  5. Emoticons and Polling • Raise hand and Emoticons • Polling options

  6. Donald Hester IT Best Practices for Community Colleges Part 4: Awareness Training

  7. What is Security Awareness? • Awareness is not training • The purpose of awareness presentations is simply to focus attention on security • Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly • Security awareness efforts are designed to change behavior or reinforce good security practices

  8. How does Training differ from Awareness? • In awareness activities, the learner is the recipient of information • The learner in a training environment has a more active role • Awareness relies on reaching broad audiences with attractive packaging techniques • Training is more formal, having a goal of building knowledge and skills

  9. Cycle of a Security Awareness and Training Program • Establish a policy • Assign responsibility (CIO, Director) • Needs assessment • Develop awareness and training materials • Implementation of the program • Update and monitor the program

  10. Program

  11. Needs Assessment • What awareness, training and/or education are needed? • What is currently being done to meet these needs? • How well is it working? • Which needs are most critical? • NIST SP 800-50 has a Sample Needs Assessment and Questionnaire

  12. Needs Assessment

  13. Establish Priorities • Availability of Material/Resources • In house or outsourced • Role and Organizational Impact • How will this help people do their job? • How will this help us reach our overall goals? • State of Current Compliance • How informed are staff and students about security and privacy practices? • Critical Project Dependencies • Funding

  14. Materials • “What behavior do we want to reinforce?” (awareness) • “What skill or skills do we want the audience to learn and apply?” (training) • Watch out for the “we’re here because we have to be here” attitude • An awareness and training program can be effective if the material is interesting and current

  15. Practice • One way to get users involved and invested in the training is to make the training cover topics they are interested in • For example, a class on “Facebook” or “MySpace” • Users are interested in what they are interested in; use it to your advantage

  16. Possible Topics • Password usage and management • Unknown e-mail attachments • Policy • Personal use and gain issues • System and application patching • Personal systems at work • Web usage • Data backup and storage • Social engineering • Inventory and property transfer • Portable device issues • Laptop security • Physical security • Software licensing • Use acknowledgements

  17. Campaign • Use marketing skills • Get students involved • Assignment for class • Branding • Use Social Media • Use Posters • Use Email reminders • Leverage Safety Awareness • Mascots • Alerts

  18. Use multiple vectors • Use real-life examples of incidents • Use incidents as an opportunity to teach “what not to do” • The news has stories every day you can use • The best stories are often those “closest to home” • Vectors: • Website notices • RSS feeds • Posters • Emails • Announcements • Logon banners • Seminars and classes • Games and contests • Awards

  19. Initial User Training • Upon hire and annually thereafter • Must complete before access is granted • Serves as notification (legal) • What do they need to know to do their job • A basic IT security course – often online

  20. Reminders • Logon banners (legal notices) can be deployed to domain computers using Group Policy: http://blogs.technet.com/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx • Some people question the usefulness of these warnings • However, it serves at the least as a subconscious reminder • Legal questions arise
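Added example (not from the original deck): the Group Policy settings the slide links to, "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on", are written to two REG_SZ values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The script below sets them on one machine and, more usefully for an awareness program, checks whether a machine actually has a banner in place. The function names and the banner wording are placeholders of mine; the legal text itself should come from counsel, which is the "legal questions" point above.

```powershell
# Added example, not part of the original presentation.
# Sets and verifies the Windows interactive-logon legal notice.
# Run in an elevated PowerShell session on a test machine.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Placeholder wording (assumption): real text must be approved by legal counsel.
$Caption = 'Authorized Use Only'
$Text    = 'This system is the property of the college. Use is monitored and logged. ' +
           'By continuing you consent to monitoring. Unauthorized use is prohibited.'

function Set-LogonBanner {
    param(
        [Parameter(Mandatory)][string]$Caption,
        [Parameter(Mandatory)][string]$Text
    )
    # These are the same two values the Group Policy settings write,
    # so a local change here is overwritten at the next GPO refresh on a domain member.
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value $Text    -Type String
}

function Test-LogonBanner {
    # Reports whether both values exist and are non-empty on this machine.
    # Get-ItemProperty returns $null if the key is absent; the null checks cover that.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $hasCaption = -not [string]::IsNullOrWhiteSpace($props.legalnoticecaption)
    $hasText    = -not [string]::IsNullOrWhiteSpace($props.legalnoticetext)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        BannerSet    = ($hasCaption -and $hasText)
        Caption      = $props.legalnoticecaption
        TextLength   = [int]($props.legalnoticetext | ForEach-Object { $_.Length })
    }
}

Set-LogonBanner -Caption $Caption -Text $Text
Test-LogonBanner | Format-List
```

For domain-joined machines, deploy the banner through the GPO rather than this local write, and use the check function for verification: `Invoke-Command -ComputerName $labs -ScriptBlock ${function:Test-LogonBanner} | Where-Object { -not $_.BannerSet }` lists the machines where the policy has not applied, which is the kind of "is this working?" evidence the program maintenance slides ask for.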

  21. Sample Posters (Government)

  22. Buy Posters

  23. Short and to the point

  24. NIST Posters

  25. Maintenance of the Program • Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.”

  26. Input for Updates

  27. Maintain the Program • Frequency that each target audience should be exposed to material • Documentation, feedback, and evidence of learning for each aspect of the program • Evaluation and update of material for each aspect of the program • Is this working???

  28. Goal of Training • Training is separate from awareness, but there are overlapping areas • The goal of training is to produce relevant and needed skills and competencies • It is crucial that the needs assessment identify those individuals with significant IT security responsibilities, assess their functions, and identify their training needs

  29. Training • Training plan should identify an audience, or several audiences, that should receive training tailored to address their IT security responsibilities • Each user may need specific training for their job • Network admins may need Windows or Cisco security training • Admissions may need special training for handling student records

  30. Example of Training • This course falls under training • Focus on job-role skills and competencies • Specifically tailored for managers and decision makers • Designed to help them (you) with their job function • Online delivery (CCC Confer) • Live instructor and recorded archive

  31. KPI (Key Performance Indicators) • Sufficient funding to implement the agreed-upon strategy • Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy • Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items • Executive/senior level messages to staff regarding security • Use of metrics (e.g., to indicate a decline in security incidents or violations) • Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file • Level of attendance at mandatory security forums/briefings • Recognition of security contributions (e.g., awards, contests) • Motivation demonstrated by those playing key roles in managing/coordinating the security program

  32. Resources • Consider Partnerships • Other community colleges have the same needs – work together • Books • Managing an Information Security and Privacy Awareness and Training Program ISBN 978-1439815458 • Standards and Guidance • NIST SP 800-50 Building an IT Security Awareness and Training Program • Posters • Monthly subscriptions http://www.securityawareness.com/postersub.htm • New York http://www.cscic.state.ny.us/cscorner/events/2008/index.cfm • Social Media Example • http://www.facebook.com/group.php?gid=245570977486

  33. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+ Maze & Associates @One / San Diego City College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Q&A

  34. Evaluation Survey Link Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/10SpIT4

  35. Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/ IT Best Practices for Community Colleges Part 4: Awareness Training
