Chapter 5 Developing the Security Program


Chapter 5 Developing the Security Program Presented by: Jennifer, Sergey & Kalagee Slides by: Ryan

Outline
Introduction
Organizing for Security
Information Security Placement
Components of the Security Program
Information Security Roles and Titles
Security Education, Training, and Awareness

Introduction
Security program: the entire set of personnel, plans, and policies related to information security
Information security; corporate or physical security
Information security program: a structured effort to contain risks to information assets

Organizing for Security
Security program influences:
Organizational culture
Company size and available resources
Security personnel and capital budget

Organization Sizes (share of IT budget spent on security)
Small (10-100 computers): 20% of IT budget
Medium (100-1,000 computers): 11% of IT budget
Large (1,000-10,000 computers): 5% of IT budget
Very Large (10,000+ computers): 6% of IT budget

Information Security Functions
Risk assessment
Risk management
Systems testing
Policy
Legal assessment
Incident response planning
Vulnerability assessment
Measurement
Compliance
Centralized authentication
Systems security administration
Training
Network security administration

Security Function Distribution
Non-technology business units: legal assessment and training
IT groups outside of information security: systems and network administration
Information security as customer service: planning, testing, risk assessment, incident response, vulnerability assessment
Information security as compliance enforcement: policy, compliance, and risk management

Large Org. Staffing

Very Large Org. Staffing

Medium Org. Staffing

Small Org. Staffing

Security Placement (qualities to look for in the hosting unit)
Openness to new ideas
Clout with top management
Respect in the eyes of a wide variety of employees
Comfort and familiarity with information security concepts
Willingness to defend the best interest of the organization in the long run

Security Placement Locations
Administrative Services
Insurance and Risk Management
Strategy and Planning
Legal
Internal Audit
Help Desk
Accounting and Finance Through IT
Human Resources
Facilities Management
Operations

Placement diagrams (organization charts): IT; Security; Administrative Services; Insurance & Risk; Strategy & Planning; Legal

Other Options
Internal Audit
Help Desk
Accounting and Finance Through IT
Human Resources
Facilities Management
Operations

Components of the Security Program
InfoSec needs are unique to the culture, size, and budget of the organization
Guided by mission and vision statements
The CIO and CISO use the mission and vision statements to formulate the InfoSec program mission statement

Elements of a Security Program (NIST)
Policy
Program management
Risk management
Life-cycle planning
Personnel and user issues
Contingency and disaster recovery planning
Computer security incident handling

Elements of a Security Program (NIST), continued
Awareness and training
Security considerations
Physical and environmental security
Identification and authentication
Logical access control
Audit trails
Cryptography

Information Security Roles and Titles
Those that define: provide policies, guidelines, and standards
Those that build: create and install security solutions
Those that administer: monitor and improve the security process

Job Function Categories
Chief Information Security Officer (CISO)
Security manager
Security administrator/analyst
Security technician
Security staffer
Security consultant
Security officer and investigator
Help desk personnel

Chief Information Security Officer (CISO)
Assessment, management, and implementation of the InfoSec program
Other titles: Manager for Security, Security Administrator
In most cases reports to the CIO

Security Manager
Oversees day-to-day operation of the InfoSec program
Scheduling
Setting priorities
Administering procedural tasks
Reports to the CISO
Some technical knowledge

Security Administrator/Analyst
Have both technical knowledge and managerial skill
Manage day-to-day operation of the InfoSec program
Assist in development and delivery of training programs and policies
Security administrators combine the roles of security technician and security manager: they have technical knowledge and managerial skills, manage the day-to-day operation of security technology, and assist in the development and conduct of training programs and policies. A security analyst is a specialized security administrator whose additional responsibilities include analyzing and designing security solutions within a specific domain such as firewalls, IDS, and antivirus programs.

Security Technician
Subject matter experts
Implement security software
Diagnose and troubleshoot problems
Coordinate with administrators to ensure security is properly implemented
Tend to be specialized

Security Staffer
Individuals who perform routine watch-standing activities
Intrusion detection consoles
Monitor email
Perform routine, yet critical, tasks

Security Consultants
Expert in some aspect of InfoSec
Disaster recovery
Business continuity planning
Policy development
Strategic planning

Security Officers and Investigators
Sometimes necessary to protect highly sensitive data from physical threats
The three G's of physical security: guards, gates, and guns

Help Desk Personnel
Enhance the security team's ability to identify potential problems
Must be prepared to identify and diagnose problems
Traditional technical problems
Threats to information security

Security Education, Training, and Awareness (SETA)
Responsibility of the CISO
Designed to reduce accidental security breaches
Can improve employee behavior
Informs members of the organization about where to report violations of policy
Allows organizations to hold employees accountable for their actions
Once the InfoSec program's place in the organization is established, it is time to start planning for security education, training, and awareness programs. SETA is the responsibility of the CISO. The goal is to reduce the incidence of accidental security breaches by employees, contractors, consultants, vendors, and business partners who come in contact with information assets. The major benefits of SETA are improved employee behavior, informing members of the organization about where to report policy violations, and enabling the organization to hold employees accountable for their actions.

Purpose of SETA
Enhance security:
By building in-depth knowledge to design, implement, or operate security programs for organizations and systems
By developing skills and knowledge so that computer users can perform their jobs more securely
By improving awareness of the need to protect system resources

Security Education
Information security training programs must address:
Information security educational components
General education requirements

Developing InfoSec Curricula
InfoSec standards: ACM, IEEE, ABET
No security curricula models

Developing InfoSec Curricula
Must carefully map expected learning outcomes
Knowledge map:
Helps potential students assess various InfoSec programs
Identifies skills and knowledge clusters obtained by program graduates

InfoSec Knowledge Map

Security Training
Provides employees with hands-on training
In-house or outsourced
NIST provides free InfoSec training documents: NIST SP 800-16

Security Training
Customizing training by functional background:
General user
Managerial user
Technical user
Job category
Job function
Technology product

Security Training
Customizing training by skill level:
Novice
Intermediate
Advanced
Finally, security training can be customized for users by skill level, such as novice, intermediate, and advanced. Now Kalagee will continue and discuss training techniques.

Training for General Users
Commonly during employee orientation
Employees are educated on a wide variety of policies
Good security practices
Password management
Specialized access controls
Violation reporting

Training for Managerial Users
Similar to general training
More personalized
Small groups
More interaction and discussion

Training for Technical Users
Developing advanced technical training:
By job category
By job function
By technology product

Training Techniques
Use correct teaching methods
Take advantage of the latest learning technology
Use best practices
On-site training is beneficial
Just-in-time training: training delivered right before users need to use it, so the knowledge is fresh in mind.

Delivery Methods
Delivery method choice is influenced by:
Budget
Scheduling
Needs of the organization
Delivery methods:
One-on-one
Formal class
Computer-Based Training (CBT)
One-on-one: advantages are that it is informal, personal, customized, and schedulable; the disadvantage is that it is resource intensive.
Formal class: advantages are cost-effectiveness, a formal training plan, interaction with the trainer, and team learning; disadvantages are that it is not flexible, not easily schedulable, and not customized.
CBT: advantages are that it is very cost-effective, schedulable, and self-paced; disadvantages are that it is not customized, has no personal interaction, and requires expensive software.

Delivery Methods (cont.)
Distance learning
Web seminars
User support group
On-site training
Self-study
Distance learning: advantages are no cost and that it can be archived or live; disadvantages are that an archived session is not flexible and a live session is not schedulable.
Webinars: same as distance learning.
User support groups: advantages are team learning and an informal social setting; disadvantages are no formal training model and a concentrated topic.
On-the-job training: advantages are that it is inexpensive and applied to the task at hand; the disadvantage is that it is sink or swim.
Self-study: advantages are lowest cost, self-paced, and the trainee decides the focus; the disadvantage is that the trainee is responsible for the outcome.

Selecting Training Staff
Local training program
Continuing education department
External training agency
Hire a professional trainer
Hire a consultant, or someone from an accredited institution, to conduct on-site training, or organize and conduct training in-house using the organization's own employees. In-house training can be challenging because delivering a class requires special skills, which is different from giving advice.

Implementing Training
Identify program scope, goals, and objectives
Identify training staff
Identify target audiences: divide the target audience by level of awareness, job category, job tasks, computer knowledge, and the systems they use; otherwise the training is boring for the audience.
Motivate management and employees: show management the losses that can occur from security breaches, and show employees the losses and what they mean for the company.
Administer the program: administer it with attention to visibility, training methods, training topics, materials and presentations, presentation style, length, and frequency.
Maintain the program: keep the program up to date with laws, standards, and regulations.
Evaluate the program: evaluate it so we know whether the program is working, using feedback forms, web forms, monitoring of security incidents, and monitoring of activities.

Security Awareness
Change the organizational culture to realize the importance of InfoSec
Users need to be reminded of the standards and procedures
Gives employees a sense of responsibility and importance
Awareness reminds users that they need to follow the procedures, and it sets the stage for training by making employees realize the importance of training and security.

Security Awareness Program
Focus on people
Don't use technical jargon
Use every available medium
Define a learning objective
Help users understand their roles
Don't overload users with too much information
Take advantage of in-house communication
Make the awareness program formal
Provide good information early

Employee Behavior and Awareness
Educate employees on how to:
Properly handle information
Use applications
Operate within the organization
This minimizes the risk of accidental compromise, damage, or destruction of information
It's all about people: the people of the company, how they handle information, and how they should behave to protect information from accidental damage. Through the awareness program, users discover the penalties for security violations. Employees will only follow the security rules if they fear penalties, fear they may be caught, and believe that if they are caught there is a penalty. Upper management needs to be a role model.

Employee Accountability
Effective training programs make employees accountable for their actions
"Ignorance of the law excuses no one"
A constant reminder of the consequences of abusing or misusing information resources can help protect the organization against lawsuits
"Ignorance of the law excuses no one" is valid in criminal court but not in civil court; an awareness program helps protect the employer from being sued.

Awareness Techniques
Change based on the intended audience
A security awareness program can use many methods to deliver its message
Developed with the assumption that people tend to tune out repeated messages
Awareness techniques should be creative and frequently changed
Security awareness program delivery methods are covered in the next section. The bottom line is: be creative.

Developing Security Awareness Components
Videos
Posters and banners
Lectures and conferences
Computer-based training
Newsletters
Brochures and flyers
Trinkets
Bulletin boards
We will discuss a few of these components in detail.

Posters
Displayed in common areas
There should be a series of posters
Be creative
Usually developed in-house
Simple and visually interesting

Newsletters
Cost-effective
Distributed via e-mail, hard copy, or intranet
Consists of a front page, index, volume, and contact information
May contain articles, policies, how-to's, security events, upgrades, incidents, etc.
Distribute the SANS newsletter
SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system.

Trinket Program
Most expensive
Gets attention instantly
Mugs, calendars, t-shirts, pens, holders, etc.
Distribution across the organization is costly

InfoSec Awareness Website Tips
Don't reinvent: use resources and materials already available.
Plan ahead: plan on paper to avoid recoding.
Minimal page loading time: avoid large images, otherwise users are discouraged from visiting the website.
Attractive look and feel.
Always seek feedback: there is always room for improvement.
Test everything, assume nothing: test on multiple browsers and operating systems.
Promote the website: send notifications to everyone in the company.

Conclusions
Information security programs can be dramatically different for organizations of varying size, but they all have the same goal: to secure information and information assets
This is achieved by:
Optimal placement of InfoSec within the organization
Security education, training, and awareness (SETA)

Questions?