Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn.

Presentation transcript:

Contents
Learning Objectives
What is SETA? What are its purposes?
Security Education
Security Training
Security Awareness

Learning Objectives
Define security education, training and awareness
List situations where each strategy is appropriate
Identify how organizations can use each strategy to mitigate threats to information security

SETA
SETA is an acronym for Security Education, Training, and Awareness
It targets all users in an organization with specific programs for their jobs and level of technical expertise
The SETA program is generally the responsibility of the Chief Information Security Officer

Purposes of SETA
SETA holds employees accountable for their actions by communicating policy to all users
Builds an in-depth knowledge base to design, implement, or operate security programs for organizations and systems
Develops skills and knowledge so that users can perform their jobs using IT systems more securely
Improves awareness of the need to protect system resources

Security Awareness
Most basic level of SETA
Used for employees who are new or unskilled
Gets employees to focus on security
Least common, but extremely effective

Security Awareness Programs
Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, and bulletin boards to reach employees
An example of a Security Awareness Topic: 'Virus Protection'
What would the session cover?
How does this benefit all users?

Things to keep in mind…
Focus on people both as a part of the problem and as part of the solution.
Refrain from using technical jargon; speak the language the users understand.
Use every available venue to reach all users.
Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.
Keep things light; refrain from "preaching" to users.

In addition…
Don't overload the users with too much detail or too great a volume of information.
Help users understand their roles in information security and how a breach in that security can affect their jobs.
Take advantage of in-house communications media to deliver messages.
Make the awareness program formal; plan and document all actions.
Provide good information early, rather than perfect information late.

Security Training
Intermediate level of SETA
According to the NIST SP: "Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them."

Security Training Programs
Provide detailed information and hands-on instruction
Teach users what to do and how to do it
Employees are divided into general users, technical users, and managerial users at beginner, intermediate, and advanced levels

Things to keep in mind…
General users are trained in the policies of the organization such as security practices, password management, violation reporting, and access controls. It is best to do this when they are first hired.
Managerial users should be trained in smaller groups to facilitate discussion.
Technical users are trained more in-depth than general and managerial users. This is often outsourced because of the high level of expertise required. Technical users are often separated according to job category, job function, and technology product.

Training Techniques
Effective training programs are crucial to the success of an organization
Wrong training methods can lead to unnecessary expense and frustrated, poorly trained employees
Good training methods, regardless of delivery method, take advantage of the latest learning technologies and best practices.

Delivery Methods
One-on-One Method
Formal Class
Computer-Based Training
Distance Learning / Web Seminars
User Support Groups
On-the-Job Training
Self-Study

Dedicated Training Staff
Depending on the training delivery method chosen, a dedicated training staff may be required.
They should continually provide specific, effective training programs for an organization's employees.
Staff must assess organizational needs, plan effective programs, implement these programs, and evaluate their effectiveness.

Seven Step Methodology For Implementing Security Training
Step One: Identify the Program's Scope, Goals, and Objectives
Step Two: Identify the Training Staff
Step Three: Identify the Audience
Step Four: Motivation
Step Five: Administer the Security Training
Steps Six and Seven: Listen to employee feedback, and evolve the program to increase its effectiveness.

Security Education
Highest level of SETA
Used for employees in highly technical or skilled positions that demand greater information security

Conclusion
Having a good Information Security Program is not enough.
SETA is crucial to a successful information security program in an organization.
It helps minimize loss of information assets and holds employees accountable for breaking policies.

Questions?