Chapter 5: Developing the Security Program
Presented by: Jennifer, Sergey & Kalagee
Slides by: Ryan

Outline
- Introduction
- Organizing for Security
- Information Security Placement
- Components of the Security Program
- Information Security Roles and Titles
- Security Education, Training, and Awareness

Introduction
- Security program: the entire set of personnel, plans, and policies related to information security
  - Information security
  - Corporate or physical security
- Information security program: a structured effort to contain risks to information assets

Organizing for Security
- Security program influences:
  - Organizational culture
  - Company size and available resources
  - Security personnel and capital budget

Organization Sizes
Share of the IT budget spent on security, by organization size:
- Small (10-100 computers): 20% of IT budget
- Medium (100-1,000 computers): 11% of IT budget
- Large (1,000-10,000 computers): 5% of IT budget
- Very Large (10,000+ computers): 6% of IT budget

Information Security Functions
- Risk assessment
- Risk management
- Systems testing
- Policy
- Legal assessment
- Incident response planning
- Vulnerability assessment
- Measurement
- Compliance
- Centralized authentication
- Systems security administration
- Training
- Network security administration

Security Function Distribution
- Non-technology business units: legal assessment and training
- IT groups outside of information security: systems and network administration
- Information security as customer service: planning, testing, risk assessment, incident response, vulnerability assessment
- Information security as compliance enforcement: policy, compliance, and risk management

Large Organization Staffing (organizational chart, not reproduced)

Very Large Organization Staffing (organizational chart, not reproduced)

Medium Organization Staffing (organizational chart, not reproduced)

Small Organization Staffing (organizational chart, not reproduced)

Security Placement
Considerations for where the security function is placed:
- Openness to new ideas
- Clout with top management
- Respect in the eyes of a wide variety of employees
- Comfort and familiarity with information security concepts
- Willingness to defend the best interest of the organization in the long run

Security Placement Locations
- Administrative Services
- Insurance and Risk Management
- Strategy and Planning
- Legal
- Internal Audit
- Help Desk
- Accounting and Finance Through IT
- Human Resources
- Facilities Management
- Operations

Placement option diagrams (organizational charts, not reproduced):
- IT
- Security
- Administrative Services
- Insurance & Risk
- Strategy & Planning
- Legal

Other Options
- Internal Audit
- Help Desk
- Accounting and Finance Through IT
- Human Resources
- Facilities Management
- Operations

Components of the Security Program
- InfoSec needs are unique to the culture, size, and budget of the organization
- Guided by mission and vision statements
- The CIO and CISO use the mission and vision statements to formulate the InfoSec program mission statement

Elements of a Security Program (NIST)
- Policy
- Program management
- Risk management
- Life-cycle planning
- Personnel and user issues
- Contingency and disaster recovery planning
- Computer security incident handling
- Awareness and training
- Security considerations
- Physical and environmental security
- Identification and authentication
- Logical access control
- Audit trails
- Cryptography

Information Security Roles and Titles
- Those that define: provide policies, guidelines, and standards
- Those that build: create and install security solutions
- Those that administer: monitor and improve the security process

Job Function Categories
- Chief Information Security Officer (CISO)
- Security manager
- Security administrator/analyst
- Security technician
- Security staffer
- Security consultant
- Security officer and investigator
- Help desk personnel

Chief Information Security Officer (CISO)
- Responsible for assessment, management, and implementation of the InfoSec program
- Other titles: Manager for Security, Security Administrator
- In most cases reports to the CIO

Security Manager
- Oversees day-to-day operation of the InfoSec program:
  - Scheduling
  - Setting priorities
  - Administering procedural tasks
- Reports to the CISO
- Has some technical knowledge

Security Administrator/Analyst
- Have both technical knowledge and managerial skill
- Manage day-to-day operation of the InfoSec program
- Assist in development and delivery of training programs and policies
Security administrators combine the roles of security technician and security manager: they have technical knowledge and managerial skills, manage the day-to-day operation of security technology, and assist in the development and conduct of training programs and policies. A security analyst is a specialized security administrator whose additional responsibilities include analyzing and designing security solutions within a specific domain such as firewalls, IDS, and antivirus programs.

Security Technician
- Subject matter experts
- Implement security software
- Diagnose and troubleshoot problems
- Coordinate with administrators to ensure security is properly implemented
- Tend to be specialized

Security Staffer
- Individuals who perform routine watch-standing activities, such as monitoring intrusion detection consoles
- Perform routine, yet critical, tasks

Security Consultants
- Experts in some aspect of InfoSec:
  - Disaster recovery
  - Business continuity planning
  - Policy development
  - Strategic planning

Security Officers and Investigators
- Sometimes necessary to protect highly sensitive data from physical threats
- Three G's of physical security: guards, gates, guns

Help Desk Personnel
- Enhance the security team's ability to identify potential problems
- Must be prepared to identify and diagnose problems:
  - Traditional technical problems
  - Threats to information security

Security Education, Training, and Awareness (SETA)
- Responsibility of the CISO
- Designed to reduce accidental security breaches
- Can improve employee behavior
- Informs members of the organization about where to report violations of policy
- Allows the organization to hold employees accountable for their actions
Once the InfoSec program's place in the organization is established, it is time to start planning for security education, training, and awareness programs. SETA is the responsibility of the CISO. The goal is to reduce the incidence of accidental security breaches by employees, contractors, consultants, vendors, and business partners who come in contact with information assets. The major benefits of SETA are improved employee behavior, informing members of the organization about where to report policy violations, and enabling the organization to hold employees accountable for their actions.

Purpose of SETA
- Enhance security:
  - By building in-depth knowledge to design, implement, or operate security programs for organizations and systems
  - By developing skills and knowledge so that computer users can perform their jobs more securely
  - By improving awareness of the need to protect system resources

Security Education
- Information security training programs must address:
  - Information security educational components
  - General education requirements

Developing InfoSec Curricula
- InfoSec standards: ACM, IEEE, ABET
- No security curricula models
- Must carefully map expected learning outcomes
- Knowledge map:
  - Helps potential students assess various InfoSec programs
  - Identifies skills and knowledge clusters obtained by program graduates

InfoSec Knowledge Map (diagram, not reproduced)

Security Training
- Provides employees with hands-on training
- In-house or outsourced
- NIST provides free InfoSec training documents (NIST SP)

Security Training: Customizing by Functional Background
- General user
- Managerial user
- Technical user, further customized by:
  - Job category
  - Job function
  - Technology product

Security Training: Customizing by Skill Level
- Novice
- Intermediate
- Advanced
Finally, security training can be customized for users by skill level such as novice, intermediate, and advanced. Now Kalagee will continue and discuss training techniques.

Training for General Users
- Commonly delivered during employee orientation
- Employees are educated on a wide variety of policies:
  - Good security practices
  - Password management
  - Specialized access controls
  - Violation reporting

Training for Managerial Users
- Similar to general training
- More personalized
- Small groups
- More interaction and discussion

Training for Technical Users
- Developing advanced technical training:
  - By job category
  - By job function
  - By technology product

Training Techniques
- Use correct teaching methods
- Take advantage of the latest learning technology
- Use best practices
- On-site training is beneficial
- Just-in-time training: training delivered right before users need to apply it, so the knowledge is fresh in mind

Delivery Methods
- Delivery method choice is influenced by:
  - Budget
  - Scheduling
  - Needs of the organization
- Delivery methods:
  - One-on-one
  - Formal class
  - Computer-based training (CBT)
One-on-one: advantages are that it is informal, personal, customized, and schedulable; the disadvantage is that it is resource intensive.
Formal class: advantages are cost-effectiveness, a formal training plan, interaction with the trainer, and team learning; disadvantages are that it is not flexible, not easily schedulable, and not customized.
CBT: advantages are that it is very cost-effective, schedulable, and self-paced; disadvantages are that it is not customized, offers no personal interaction, and the software is expensive.

Delivery Methods (continued)
- Distance learning
- Web seminars
- User support groups
- On-site training
- Self-study
Distance learning: advantages are no cost and that it can be archived or live; disadvantages are that an archived session is not flexible and a live session is not schedulable.
Webinars: same as distance learning.
User support groups: advantages are team learning and informal social settings; disadvantages are no formal training model and a concentrated topic.
On-the-job training: advantages are that it is inexpensive and applied to the task at hand; the disadvantage is that it is "sink or swim".
Self-study: advantages are the lowest cost, self-paced learning, and that the trainee decides the focus; the disadvantage is that the trainee is responsible for the outcome.

Selecting Training Staff
- Local training program
- Continuing education department
- External training agency
- Hire a professional trainer
- Hire a consultant, or someone from an accredited institution, to conduct on-site training
- Organize and conduct training in-house using the organization's own employees
In-house training can be challenging because delivering a class requires special skills; it is different from giving advice.

Implementing Training
- Identify program scope, goals, and objectives
- Identify training staff
- Identify target audiences
- Motivate management and employees
- Administer the program
- Maintain the program
- Evaluate the program
Identify target audiences: divide the target audience by level of awareness, job category, job tasks, computer knowledge, and the systems they use; otherwise the training is boring for the audience.
Motivate management and employees: show management the losses that can occur from security breaches; show employees the losses and what they mean for the company.
Administer the program: consider visibility, training methods, training topics, materials and presentations, presentation style, length, and frequency.
Maintain the program: keep it up to date with laws, standards, and regulations.
Evaluate the program: determine whether it is working, using feedback forms, web forms, monitoring of security incidents, and monitoring of activities.

Security Awareness
- Change organizational culture to realize the importance of InfoSec
- Users need to be reminded of the standards and procedures
- Gives employees a sense of responsibility and importance
- Reminds users that they need to follow the procedures
Awareness sets the stage for training by making employees realize the importance of training and security.

Security Awareness Program
- Focus on people
- Don't use technical jargon
- Use every available medium
- Define a learning objective
- Help users understand their roles
- Don't overload users with too much information
- Take advantage of in-house communication
- Make the awareness program formal
- Provide good information early

Employee Behavior and Awareness
- Educate employees on how to:
  - Properly handle information
  - Use applications
  - Operate within the organization
- This minimizes the risk of accidental compromise, damage, or destruction of information
It is all about people: the people of the company, how they handle information, and how they should act to protect information from accidental damage. Through the awareness program, users discover the penalties for security violations. Employees will only follow the security rules if:
- They fear penalties
- They fear they may be caught
- They believe that if they get caught, there is a penalty
Upper management needs to be a role model.

Employee Accountability
- Effective training programs make employees accountable for their actions
- "Ignorance of the law excuses no one"
- A constant reminder of the consequences of abusing or misusing information resources can help protect the organization against lawsuits
"Ignorance of the law excuses no one" holds in criminal court but not in civil court; an awareness program protects the employer from being sued.

Awareness Techniques
- Change based on the intended audience
- A security awareness program can use many methods to deliver its message
- Developed with the assumption that people tend to practice a "tuning out" process
- Awareness techniques should be creative and frequently changed
Security awareness program delivery methods are covered in the next section. The bottom line is: be creative.

Developing Security Awareness Components
- Videos
- Posters and banners
- Lectures and conferences
- Computer-based training
- Newsletters
- Brochures and flyers
- Trinkets
- Bulletin boards
A few of these components are discussed in detail below.

Posters
- Displayed in common areas
- There should be a series of posters
- Be creative
- Usually developed in-house
- Simple and visually interesting

Newsletters
- Cost-effective
- Distributed via e-mail, hard copy, or intranet
- Consist of a front page, index, volume, and contact information
- May contain articles, policies, how-to's, security events, upgrades, incidents, etc.
- Distribute the SANS newsletter
SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system.

Trinket Program
- Most expensive
- Gets attention instantly
- Mugs, calendars, t-shirts, pens, holders, etc.
- Distribution across the organization is costly

InfoSec Awareness Website
Tips:
- Don't reinvent: use resources and materials already available
- Plan ahead: plan on paper to avoid recoding
- Minimal page loading time: avoid big images, otherwise users are discouraged from visiting the website
- Attractive look and feel
- Always seek feedback: there is always room for improvement
- Test everything, assume nothing: multiple browsers and operating systems
- Promote the website: send notifications to everyone in the company

Conclusions
- Information security programs can be dramatically different for organizations of varying size, but they all have the same goal: to secure information and information assets
- This is achieved by:
  - Optimal placement of InfoSec within the organization
  - Security education, training, and awareness (SETA)

Questions?