1 Building an IT Security Awareness & Training Program Mark Wilson Computer Security Division, ITL National Institute of Standards and Technology - November.

Slides:



Advertisements
Similar presentations
A GUIDE TO CREATING QUALITY ONLINE LEARNING DOING DISTANCE EDUCATION WELL.
Advertisements

Information Technology Awareness Wayne Donald IT Security Officer.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Standard 3: Educational leaders apply technology to enhance their professional practice and to increase their own productivity and that of others.
The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.
The Commissioning Toolkit. Aims and Objectives Commissioners to leave with an understanding of; The Commissioning Journey The Commissioning Process Familiarisation.
Security Awareness Lloyd Guyot – Steelcase Ed Jaros – Tenundra Inc. July 17, 2003.
MSIA Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
© 2003 IBM Corporation Privacy 12 th CACR Workshop Yim Y. Chan Chief Privacy Officer & CIO IBM Canada Ltd. w3.ibm.com/Privacy.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.
Chapter 5 Developing the Security Program
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Information Security Awareness and Training Program: Taking your program from training to awareness By: Chandos J. Carrow, CISSP System Office - Information.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
PRESENTED BY: WARREN PONCSAK, EXECUTIVE DIRECTOR ROZ KELSEY, PRINCIPAL PROJECT CONSULTANT.
1 Ben Woelk RIT Information Security Office Advancing Digital Self Defense Establishing a Culture of Security Awareness at the Rochester Institute of Technology.
Community Planning Training 1-1. Community Plan Implementation Training 1- Community Planning Training 1-3.
Website Hardening HUIT IT Security | Sep
Picture 1 model: ICT lifecycle in a company 1. business needs & business strategy 2. ICT strategy - ICT assessment - ICT strategic plan - ICT implementation/tactical.
Design of a cyber security awareness campaign for Internet Cafés users in rural areas WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga CSIR /
Planning for a Web site Project ITS Web Services - Wendy Dascoli November 1, 2007.
A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’
Marketing of Information Security Products. The business case for Information Security Management.
Laura Marin Project Manager JPIAMR Swedish Research Council
Implementing Security Education, Training, and Awareness Programs
Course ILT Computers and society Unit objectives Identify the main uses of computers in daily life, and identify the benefits of using Describe.
Computer Security By: MacKenzie Olson. To be safer and more secure online, make these seven practices part of your online routine.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.
Just In Time Training (JITT): How Not to Jump from the Frying Pan into the Fire.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Skills Online: Building Practitioner Competence in an Inter-professional, Virtual Classroom Canadian Public Health Association 2008 Annual Conference.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
The ITS Professional Capacity Building (PCB) Program.
Blueberry Software IT Security Audit Results. Results: Good.
Windows 2000 Division of Information Technology Windows 2000 Project Team Mary Dickerson, MCSE, Project Leader University of Houston Windows 2000 University.
Session 21 Knowledge is Power: the FSA Schools Portal and IFAP Marcello Rojtman.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Information Technology Security (ITS) Training Carolyn Schmidt Program Manager Information Technology Security (ITS) Awareness, Training, and Education.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Using OMB Section 508 reporting in addressing your agency's program maturity. How to Measure Your Agency's 508 Program.
Pro-active Security Measures
Security Awareness – Essential Part of Security Management Ilze Murane.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Information Security Awareness and Training Department of Commerce NOAA WebShop Conference November 13, 2007.
Membership Development Report Region 4 Meeting January 2010 Tarek Lahdhiri, PhD, PE, PMP, SM-IEEE Region 4 MD Chair 1.
Unit 8: Implementation, Part II Seminar Wednesday pm ET.
Importance of Physical Security Common Security Mistakes 1.Security Awareness 2.Incident Response 3.Poor Password Management 4.Bad administrative.
Chapter 17 MR2100. Advertising is... Advertising is one key element of the promotional mix. Advertising is defined as any direct paid form of mass communication.
US Department of State Jay Coplon. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be.
BYOD: An IT Security Perspective. What is BYOD? Bring your own device - refers to the policy of permitting employees to bring personally owned mobile.
University of Wyoming Financial Reporting Initiative Update April 2016.
Security Education, Training, and Awareness Programs Jeff Summits.
Communicate your project Lead Partner Seminar, 25 March 2011.
Implementing Security Education, Training, and Awareness Programs By: Joseph Flynn.
CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Chapter 3 “A Case Study of Effectively Implemented Information Systems Security Policy[1]” John Doran, CST554, Spring 2008.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
CHANGE MANAGEMENT - PART 2 MODULE 7
Information Security in Laurier Grant Li Wilfrid Laurier University.
BNU - HKBU United International College 信息科技服务中心 Information Technology Services Centre.
Inter Partner Assistance (IPA)
Introduction to the Federal Defense Acquisition Regulation
Contact Center Security Strategies
1 Stadium Company Network. The Stadium Company Project Is a sports facility management company that manages a stadium. Stadium Company needs to upgrade.
Presentation transcript:

1 Building an IT Security Awareness & Training Program Mark Wilson Computer Security Division, ITL National Institute of Standards and Technology - November 1, (301) (voice) (301) (fax)

2 Cornerstones for Success Policy Roles and Responsibilities –CIO –IT Security Program Manager –Managers –Users Budget Management Support... Commitment

3 A Life-cycle Approach Identify Needs Design Develop Implement Maintain

4 Designing Your Awareness & Training Program Build a Strategy Determine Organization’s Needs –Needs Assessment –Incorporating Results of Program Reviews Develop an Awareness and Training Plan –Identify Audiences; Scope Needs; Establish Priorities; Set the Bar; Get Mgmt/Org Buy-in!

5 Developing Your Awareness & Training Material Policy and Guidance Issues –Your program is dependent on policy –OMB Circular A-130, Appendix III –NIST guidance - Infrastructure & Deployment Issues –Web-based deployment the common theme –CD-ROM

6 Developing Your Awareness & Training Material Developing Awareness Material: Samples –Password usage/creation/changes –Protection from viruses - scanning and updating –PDA security issues –Laptop security while on travel –Personal use and gain issues –Software patches and security settings on client systems –Software license restriction issues

7 Developing Your Awareness & Training Material Developing Awareness Material: Sources – advisories –On-line IT security daily news websites –Periodicals – – previous conference presentations

8 Developing Your Awareness & Training Material Developing Training Material: Sources –In-house –Contractors/vendors –Mix of in-house and contractor support – –NIST Special Publication

9 Implementing Your Awareness & Training Material Messages on trinkets: e.g., key fobs, post-it notes, notepads, first aid kits, clean-up kits, diskettes with a message, frisbees, “gotcha” cards Posters Access (to my PC) lists “Do and Don’t” lists

10 Implementing Your Awareness & Training Material Screensavers, warning banners/messages Newsletters Desk-to-desk alerts Organization-wide messages Videotapes Web-based sessions Organization’s IT security homepage

11 Implementing Your Awareness & Training Material Computer-based sessions Teleconferencing sessions In-person, instructor-led sessions “Brown bag” seminars Rewards programs - plaques, mugs, letters of appreciation... all-hands meetings (public humiliation) ;-)

12 Maintaining Your Awareness & Training Program Monitoring Success - Use of Evaluation and Feedback –Evaluation forms (classroom) –Web- and computer-based evaluations –Pre- and post-testing –Feedback from management and users

13 Maintaining Your Awareness & Training Program Managing Change –Technological –Architectural –Organizational Raising the Bar

14 Common Themes in Successful Programs Budget = Successful Program Defined Roles = Successful Program Web-based Material Keep Material Interesting and Current Movement Toward Professionalization Training Plans Mix of Awareness and Role-based Training

15 Questions? Mark Wilson NIST (301) (voice) (301) (fax)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.