IAEA International Atomic Energy Agency
Computer Security Culture and Capacity Building Overview
Presented by:
May 2016
Content
- The human element in computer security
- Description of security culture and its role in nuclear security
- Developing a culture of awareness for computer security
Lecture Objectives
At the completion of this lecture, the participants will be able to:
- Describe the human role in computer security
- Recognize the elements of a security culture
- Discuss ways an organization can build an awareness culture for computer security
Security Culture
- Security is a people issue, not just a technical issue
- Without good training, technology cannot be effective
- Attacks against organizational staff, including targeted attacks, are a common adversary tactic
- Over half of all computer security breaches result from, or are complicated by, human error
- People can be the strongest asset or the weakest link in security
The Human Factor of Nuclear Security
"The thickness of a wall is less important than the will to defend it"
- Thucydides, Greek historian of the 5th century B.C.
Two-Tiered Architecture of Security Culture
National (macro-level) culture:
- National leadership
- Adherence to the international legal framework and compliance
- National strategies and policies
- Industry commitment
- Involvement of the public
Facility-based (micro-level) culture:
- Principles
- Beliefs (there is a threat; nuclear security is necessary)
- Management systems
- Leadership and behaviour
Benefits of Effective Security Culture
- Enhanced security level
- Improved safety, in synergy with security
- Enhanced management systems
- Improved personal performance and shared commitment to nuclear security
- Enhanced employee satisfaction
- Decreased costs
Source: Regional workshop on nuclear security culture, Budapest, Hungary, 18-20 February 2014
International Legal Instruments
Amendment to the Convention on the Physical Protection of Nuclear Material, Fundamental Principle F (Security Culture):
"All organizations involved in implementing physical protection should give due priority to the security culture, to its development and maintenance necessary to ensure its effective implementation in the entire organization."
Nuclear Security Series
- NSS No. 20, Nuclear Security Fundamentals, "Sustaining a Nuclear Security Regime": (c) developing, fostering and maintaining a robust nuclear security culture
- NSS No. 13 (INFCIRC/225/Rev. 5): "A nuclear security culture should be pervasive in all elements of the physical protection regime"
- NSS No. 14, "Recommendations on Radioactive Material and Associated Facilities": "All organizations and individuals involved in implementing security should give due priority to the nuclear security culture with regard to radioactive material"
- NSS No. 15, "Recommendations on Nuclear and Other Radioactive Material out of Regulatory Control": "The State should implement relevant elements of the nuclear security culture for the trustworthiness programme"
Cyber Security Culture - Foundations
Nuclear Security Series No. 7, Nuclear Security Culture, defines nuclear security culture as:
"The assembly of characteristics, attitudes and behaviours of individuals, organizations and institutions which serves as a means to support and enhance nuclear security."
Establishing a robust and well-integrated computer security culture, as a component of the overall security culture, is an essential part of any effective security plan.
Cyber Security Culture - Characteristics
The characteristics of a security culture are:
- beliefs
- attitudes
- knowledge
- behaviours
- competences
- management systems
The correct and balanced assembly of these elements leads to a more effective security programme.
Security Culture - Awareness
Security awareness is developed through a collection of activities in an organization designed to inform personnel and increase awareness. Activities, besides training, include:
- Seminars and presentations
- Posters and notices
- Management discussions
- Security newsletters and notifications
- Publishing lessons learned
- Warnings and disciplinary measures
- Regular tests
Cyber Security Culture - Indicators
The following indicators can be used to evaluate the computer security culture in an organization:
1. Computer security requirements are clearly documented and well understood by staff.
2. Clear and effective processes, protocols and procedures exist for operating computer systems both inside and outside the organization.
3. Staff members understand and are aware of the importance of adhering to the controls within the computer security programme.
4. Computer systems are kept secure and operated in accordance with the computer security baseline and procedures.
5. Breaches are regarded by all as serious and undesirable.
6. Management is fully committed to and supportive of security initiatives.
Programme Inhibitors
What are some of the roadblocks to implementing an effective security culture?
- Insufficient budget
- Employees not taking security seriously
- Lack of the right people to run awareness activities in-house
- Lack of management support
- Organizational culture
- Fear of, and resistance to, change among employees
- Lack of understanding by employees
- Lack of designated responsibility for implementation
- Others?
Training - Developing Human Capital
Awareness and Training
Computer security awareness: awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize information and computer security concerns and respond accordingly.
Computer security training: the purpose of training is to teach and instil the relevant and needed security skills and competencies in practitioners of specific functions.
The most significant difference between training and awareness is that training seeks to teach skills that allow a person to perform a specific function, while awareness seeks to focus an individual's attention on an issue or set of issues.
Ref: NIST SP 800-50, Building an Information Technology Security Awareness and Training Program
Awareness and Training Metrics
Implementation metrics:
1. Have employees received adequate training to fulfil their security responsibilities?
2. Are employee training and professional development documented and monitored?
3. The percentage of employees with significant security responsibilities who have received specialized training
4. Are significant security responsibilities defined, with qualification criteria, and documented?
5. Are records kept of which employees have specialized security responsibilities?
6. How many employees in your agency (or agency component, as applicable) have significant security responsibilities?
7. Are training records maintained? (Training records indicate the training that specific employees have received.)
8. Do training plans state that specialized training is necessary?
9. How many of those with significant security responsibilities have received the required training stated in their training plan?
10. If not all personnel have received training, what are the reasons? (Insufficient funding, insufficient time, courses unavailable, employee has not registered for the course)
11. Ratio of the number of employees with significant security responsibilities who have received the required training to the total number of employees with significant security responsibilities
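The implementation metrics above (items 3, 4, 6, 8, 9, 10 and 11) can be computed mechanically once an organization keeps the records the slides ask for: a training plan per role, a list of who holds significant security responsibilities, and completion/registration records. The following Python is an added example, not code from the IAEA or from this presentation; the employees, roles, course codes and catalogue are constructed and hypothetical. It joins the plan against the records, reports the trained ratio, and for each gap derives one of the reasons listed in item 10 (course unavailable, registered but not completed, not registered), plus a fourth case the slides imply under items 4 and 8: a role that has been flagged as significant but for which no training plan exists at all.

```python
"""Training-compliance metrics over constructed training records (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    significant_security_responsibility: bool  # metric 5: who holds such a role


# Training plan per role: the specialized courses the plan says are necessary (metric 8).
# Role names and course codes are constructed for this example, not a real catalogue.
TRAINING_PLAN = {
    "sysadmin": {"CS-101", "CS-210"},
    "ic-engineer": {"CS-101", "CS-310"},
    "manager": {"CS-101", "CS-150"},
    "clerk": set(),  # awareness only, no specialized training required
}

# Courses actually offered this cycle; CS-310 is in the plan but not on offer.
COURSE_CATALOGUE = {"CS-101", "CS-210", "CS-150"}

EMPLOYEES = [
    Employee("E001", "sysadmin", True),
    Employee("E002", "ic-engineer", True),
    Employee("E003", "manager", True),
    Employee("E004", "clerk", False),
    Employee("E005", "sysadmin", True),
    Employee("E006", "security-officer", True),  # significant, but role has no plan
]

# Training records (metric 7): completed (employee, course) pairs and open registrations.
COMPLETED = {("E001", "CS-101"), ("E001", "CS-210"), ("E002", "CS-101"),
             ("E003", "CS-101"), ("E005", "CS-101")}
REGISTERED = {("E005", "CS-210")}

NO_PLAN = "no training plan defined for role"


def required_courses(emp: Employee) -> Optional[set[str]]:
    """Courses the plan requires for this role, or None if the role has no plan (metric 4)."""
    return TRAINING_PLAN.get(emp.role)


def training_gaps(emp: Employee) -> dict[str, str]:
    """Map each missing required course to the reason it is missing (metric 10)."""
    required = required_courses(emp)
    if required is None:
        return {"*": NO_PLAN}
    gaps: dict[str, str] = {}
    for course in sorted(required):
        if (emp.emp_id, course) in COMPLETED:
            continue
        if course not in COURSE_CATALOGUE:
            gaps[course] = "course unavailable"
        elif (emp.emp_id, course) in REGISTERED:
            gaps[course] = "registered, not yet completed"
        else:
            gaps[course] = "employee has not registered"
    return gaps


def training_metrics(employees: list[Employee] = EMPLOYEES) -> dict:
    """Metrics 3, 6, 9, 10 and 11 over the given staff list."""
    significant = [e for e in employees if e.significant_security_responsibility]
    gaps = {e.emp_id: training_gaps(e) for e in significant}
    fully_trained = [e for e in significant if not gaps[e.emp_id]]
    ratio = Fraction(len(fully_trained), len(significant)) if significant else Fraction(0)
    reasons = Counter(reason for g in gaps.values() for reason in g.values())
    return {
        "significant_count": len(significant),          # metric 6
        "fully_trained_count": len(fully_trained),      # metric 9
        "trained_ratio": ratio,                         # metric 11
        "trained_percent": float(100 * ratio),          # metric 3
        "gaps": {emp_id: g for emp_id, g in gaps.items() if g},
        "gap_reasons": dict(reasons),                   # metric 10, summarized
    }


if __name__ == "__main__":
    m = training_metrics()
    print(f"{m['fully_trained_count']}/{m['significant_count']} trained "
          f"({m['trained_percent']:.0f}%)")
    for emp_id, g in m["gaps"].items():
        for course, reason in g.items():
            print(f"  {emp_id}: {course}: {reason}")
```

In this constructed data set only one of five staff with significant responsibilities is fully trained, and the gap report separates the cases an organization can fix by registering people from the ones that need a budget or catalogue decision, which is the distinction item 10 asks for.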
Awareness and Training Metrics
Effectiveness metrics (a much harder evaluation than implementation metrics; what are some suitable items?):
1. Results of awareness tests
2. Metrics relating to the number of system compromises and breaches
3. Metrics on employees asking questions and identifying suspicious activities
4. Number of human errors affecting security
5. What are some other ones?
Summary: Computer Security Culture
- Computer security should be part of the overall site security plan and operational requirements
- Awareness is needed by all
- Directed training is needed by key personnel, including senior management and decision makers
- A security programme without a strong human element is an open door for compromise
Questions?