Information Security Awareness and Training Program: Taking your program from training to awareness By: Chandos J. Carrow, CISSP System Office - Information.

Slides:



Advertisements
Similar presentations
. . . a step-by-step guide to world-class internal auditing
Advertisements

Report to the KSD Board June 9, Provide Kent School District the necessary guidance and assistance to create an equitable, academically enriching,
Educational Specialists Performance Evaluation System
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Child Safeguarding Standards
Orientation for New Site Visitors CIDA’s Mission, Value, and the Guiding Principles of Peer Review.
Enhancing Education Through Technology Round 9 Competitive.
1 LBNL Enterprise Computing (EC) January 2003 LBNL Enterprise Computing.
IT Governance and Management
Staff Compensation Program Update
IT Planning.
By Saurabh Sardesai October 2014.
Quality evaluation and improvement for Internal Audit
UNDERSTANDING, PLANNING AND PREPARING FOR THE SCHOOL-WIDE EVALUATION TOOL (SET)
Alba Project Partners Introduction Presentation. Typically what people say … We have too many projects –no real priorities We used to know what was going.
Quality Representative Training Version
Measuring Competencies as Way to Increase Your Productivity Suzanne Simpson, Ph.D. President Human Resource Systems Group Ltd. IMAC ’99 Conference.
COACH DEVELOPMENT PROGRAM BOB BIGNEY OYSA Director of Education
Charting a course PROCESS.
Information Technology Audit
Project Human Resource Management
Effectiveness Day : Multi-professional vision and action planning Friday 29 th November 2013 Where People Matter Most.
Graduate Program Review Where We Are, Where We Are Headed and Why Duane K. Larick, Associate Graduate Dean Presentation to Directors of Graduate Programs.
Challenges Faced in Developing Audit Plans and Programs 21 st March, 2013.
A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’
Organization Mission Organizations That Use Evaluative Thinking Will Develop mission statements specific enough to provide a basis for goals and.
© 2003 IBM Corporation July 2004 Technology planning for not-for-profit organizations IBM volunteer name Title, organization.
Implementing Security Education, Training, and Awareness Programs
Demystifying the Business Analysis Body of Knowledge Central Iowa IIBA Chapter December 7, 2005.
NSW DEPARTMENT OF EDUCATION AND COMMUNITIES – UNIT/DIRECTORATE NAME SASSPA Conference21 August 2015 Performance and Development NSW.
Certificate IV in Project Management Introduction to Project Management Course Number Qualification Code BSB41507.
Assessing the Value of Training  Training can result in improved profitability for XYC while lowering staffing costs.  Training can result in a higher.
Certificate IV in Project Management Course Structure Course Number Qualification Code BSB41507.
GBA IT Project Management Final Project - Establishment of a Project Management Management Office 10 July, 2003.
A COMPETENCY APPROACH TO HUMAN RESOURCE MANAGEMENT
August 7, Market Participant Survey Action Plan Dale Goodman Director, Market Services.
Basic Workshop For Reviewers NQAAC Recognize the developmental engagements Ensure that they operate smoothly and effectively” Ensure that all team members.
South Western School District Differentiated Supervision Plan DRAFT 2010.
Creating a Strategy for Change Before and During an LMS Implementation By Sandra A. Sallum & Sheila Grangeiro.
Programme Objectives Analyze the main components of a competency-based qualification system (e.g., Singapore Workforce Skills) Analyze the process and.
What could we learn from learning outcomes assessment programs in the U.S public research universities? Samuel S. Peng Center for Educational Research.
Take Charge of Change MASBO Strategic Roadmap Update November 15th, 2013.
Office Management.  Is an integral part of the success of a practice  2-3% of a monthly budget should be allocated to marketing.  Some types of marketing.
Strategies for Knowledge Management Success SCP Best Practices Showcase March 18, 2004.
1 Local Readiness Team Lead Meeting June 6, 2007.
Business Analysis. Business Analysis Concepts Enterprise Analysis ► Identify business opportunities ► Understand the business strategy ► Identify Business.
Systems Accreditation Berkeley County School District School Facilitator Training October 7, 2014 Dr. Rodney Thompson Superintendent.
Security Training and Awareness Brad Reed, IT Security Analyst OIT – Information Security Office Securing the University – ITSS 2015.
Planning for School Implementation. Choice Programs Requires both district and school level coordination roles The district office establishes guidelines,
People Priorities Framework
Kathy Corbiere Service Delivery and Performance Commission
Enhancing Education Through Technology Round 8 Competitive.
Elementary School Administration and Management GADS 671 Section 55 and 56.
Discuss the analytical skills, including systems thinking, needed for a systems analyst to be successful Describe the technical skills required of a systems.
Marketing Strategies for the Use of Research4Life Resources.
SOLGM Wanaka Retreat Health and Safety at Work Act 2015 Ready? 4 February 2016 Samantha Turner Partner DDI: Mob:
A Framework for Assessing Needs Across Multiple States, Stakeholders, and Topic Areas Stephanie Wilkerson & Mary Styers REL Appalachia American Evaluation.
© PeopleAdvantage 2013 All Rights Reserved We will Show You How to Easily Conduct Effective Performance Appraisals LCSA Conference 2013.
Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn.
Canberra Chapter July PMI Chapter Meeting July 2007 PMCDF Competence Framework A presentation by Chris Cartwright.
Continuous Quality Improvement Basics Created by Michigan’s Campaign to End Homelessness Statewide Training Workgroup 2010.
Selection Criteria and Invitational Priorities School Leadership Program U.S. Department of Education 2005.
TELL Survey 2015 Trigg County Public Schools Board Report December 10, 2015.
IS&T Project Reviews September 9, Project Review Overview Facilitative approach that actively engages a number of key project staff and senior IS&T.
Build an Enterprise IT Security Training Program
ORGANIZATIONAL Change management
By Jeff Burklo, Director
Welcome to Your New Position As An Instructor
Presentation transcript:

Information Security Awareness and Training Program: Taking your program from training to awareness By: Chandos J. Carrow, CISSP System Office - Information Security Officer Virginia Community College System

Question Why is October important for Information Security Awareness and Training? October is National Cyber Security Awareness Month Started 10 years ago Sponsored by Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center

Basic Information Security Awareness and Training Program Four level approach: – Awareness Designed to be presented to all users to focus their attention on security Intended to allow individuals to recognize IT security concerns and respond accordingly – Training Strives to produce relevant and needed security skills and competencies Builds upon the information gathered from awareness presentations – Education Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge Strives to produce IT security specialists and professionals capable of vision and proactive response – Professional Development Intended to ensure that users possess a required level of knowledge and competence necessary for their roles Validation of skills typically through certification

Where Do Companies Go Wrong The Information Security Awareness and Training program was thrown together to meet a requirement No planning went into the implementation There was no specific budget provided Mostly considered an IT Security issue and not very well supported in other departments No one is designated as the program administrator or is typically assigned to someone as an additional duty Program only consists of an annual presentation that users review and there is nothing throughout the rest of the year to reinforce what they were presented

Awareness VS Training In order to have a good Information Security Awareness and Training program you must have a great foundation Awareness is that foundation An annual presentation is a great start to awareness, but without constant reinforcement that information obtained by users will not set in Training should focus more on the specifics of your company and the systems you use, and it does not supersede awareness for any position

Creating/Redesigning an Information Security Awareness and Training Program Many companies already have a program, but the steps for creating a new program can be used to redesign your current program as well 1.Ensure you have upper management support a.Resources b.Commitment 2.Create an Information Security Awareness and Training program team a.Most influential members of each department b.Members should be dedicated to the cause and will be active participants c.Do not have to be technically/security savvy to be part of the team d.If team members are not active, they are reported to management and a replacement requested

3.Define the roles and responsibilities that each person/department will play within this program a.Create policies, standards, guidelines, and procedures 4.Determine what type of program management model you will use for your company a.Centralized, Partially Decentralized, or Fully Decentralized 5.Conduct a Needs Assessment a.Complete interviews, surveys, review resource material, etc. 6.Have a clear mission and directives

7.Listen and analyze the user feedback 8.Determine where are the gaps between what is currently being done and what is required 9.Explore your options for deploying your program a.Company generated material, third-party generated material hosted on internal Learning Management System (LMS), or third-party hosted solution 10.Develop the strategy and plan of the program a.Current regulations, scope, goals, target audience, learning objectives, topics, mandatory/optional courses, evidence of learning, frequency

11.Implementation Schedule a.Establish your priorities especially if this implementation is to be done in a phased approach 1.Availability of material/resources 2.Role and organizational impact 3.State of current compliance 4.Critical project dependencies 12.Setting the bar a.Determine the complexity of the material presented based on the target audience 13.Funding the program a.Percent of overall training budget b.Allocation per user by role c.Percent of overall IT budget d.Explicit dollar allocation by component based on overall implementation costs

Delivering Awareness Materials Messages on awareness tools – Pens, key fobs, notepads, bookmarks, etc. Posters Screensavers Popup messages when people log into their computers Newsletters Company wide messages

Videotapes (YouTube videos) Web-based sessions IT security days Changing the IT security webpage – Current awareness theme – Helpful information and tips “Brown bag” seminars Mascots Crossword puzzles and other games Award program Do and Don’t list In-person instructor-led sessions

Keeping Your Program Up-to-date A program is never complete – Always listen for and read about new threats – Policies and standards do change Always be open for feedback from users – The program is designed for them – If they do not like it then they will not take it seriously On at least a semi-annual basis the team should review the materials and presentations of the program – If materials/presentations come from a third-party then they should have some review/update process

Surveys Benchmarking Technology Shifts Focus Groups Interviews Status Reports Independent Observations Evaluation Forms

Success Indicators Sufficient funding to implement the agreed-upon strategy Appropriate organization placement to enable those with key responsibilities to effectively implement the strategy Support for broad distribution and posting of security awareness items Executive/senior level messages to staff regarding security Use of metrics – Decline in security incidents or violations, gap between existing awareness and training coverage and identified needs is shrinking, etc. Managers do not use their status in the organization to avoid security controls Increase in the level of attendance at mandatory security forums/briefings Recognition of security contributions Motivation is demonstrated by those playing key roles in managing/coordinating the security program

Helpful Tips Keep your awareness material interesting and up-to-date Repeating an awareness message and using different ways to present that information will increase the retention by the users Make sure that the delivery of the awareness material is easy to use and understand, is scalable, and does not impact the work production of the users Deliver updates on a monthly/quarterly basis to your Senior Leadership and/or Board of Directors After implementation of the program, continue having at least monthly meetings of your team because a program is never finished it should be continually modified to meet the needs of your company and addresses the new threats on cyber security

Resources

Questions

Thank You Contact info: Chandos Carrow

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.