Slide 1: Training of Information Security for Common Users
Dr. Francisco Eduardo Rivera
FAA SALT Conference, February 18, 2004
Slide 2: Overview
- What information security (IS) training is
- Importance and background
- Common final users: the problem
- Approaches
- Re-orientation: awareness, support and responsibility
- The scenario approach
- Conclusion
Slide 3: What is Information Security Training?
- It is not computer literacy training
- It is not an academic course
- It is not just for new employees
- It is not just another training course
- It is an urgency!
- It must be part of the essential policy of the organization
Slide 4: InfoSec or Cybersecurity training?
- Not only for IT experts: for all workers who deal with information
- Cover all aspects
- Prevention oriented rather than remediation oriented
- Practical approach rather than theory
- Continuous, not a one-time event
Slide 5: Information security, what for?
- Protecting assets (information resources, including computing time and memory) against:
  - destruction
  - alteration
  - corruption
  - misuse
  - theft of information
- Keeping intruders out
- Keeping confidentiality and privacy
Slide 6: Possible Consequences
Enormous potential costs if information security is breached:
- Liability
- Loss of competitive advantage
- Image damage
- National interest
Slide 7: Information Security has changed
- From teen hackers to serious, professional attackers
- Information warfare
- The number and sophistication of attacks is growing rapidly
- The speed of spread is growing
- Distributed and evolving attacks
Slide 8: A growing discipline?
Maturity is shaped by:
- The accumulated experience
- The complexity of the subject
- Its breadth and inter-disciplinary coverage
- The technical details
- The changing environment
Scale (as reported in 2004):
- More than 500 enterprises
- Expenditures of more than $5 billion/year
Slide 9: Cybersecurity
- Many organizations involved: ACM, NIST, CSI, ISACA, IEEE, ISOC, ISSA, SANS, etc.
- More than 300 university programs
- Specialized training and certifications: CISSP, CISA, CISM, SSCP, Security+, SCP, GIAC, TICSA
- A cybersecurity czar; federal agencies: DHA, NSA, OMB; the Information Security Act, …
Slide 10: The problem
- Security is only as strong as its weakest part
- Traditional assumption: high security in computer centers
- Traditional assumption: centralized control of security management and operations
- Traditional assumption: users deal only with internal data and have no external connection
Slide 11: The problem (continued)
- The Internet as:
  - the extended information resource
  - the standard way of communication
  - network bandwidth used for other purposes
- Connectivity with the Internet: the present version is intrinsically insecure
- New, unsecured wireless networks
- Holes in operating systems
Slide 12: Common Final User
- The employee who manages corporate information through computers and networks, but is not in charge of operating the systems, programs, networks and equipment
- He/she is not an expert
- He/she is computer literate
- The most important resource in the organization, followed by information
Slide 13: General Training Approaches
- Mission oriented
- Global coverage
- Cost-effectiveness oriented
But in the case of information security, also:
- Sense of urgency
- Implications
- Practical aspects
Slide 14: Specific Training Approaches
- Information classification (mostly academic)
- Information systems development life cycle (SDLC) (mostly professional organizations)
- Standards and models (mostly certification organizations)
- Around specific software packages
Slide 15: The NIST approach
Security Education, Training and Awareness (SETA), divided into three levels of depth:
- Education: curriculum
- Training: the organization
- Awareness: final users
Slide 16: Re-orientation
Awareness is not enough! What is important in security?
- Basic understanding
- Motivation
- Basic knowledge of what to do and what not to do
- Where to go for help
- Recognizing problems and their importance
- Preventing
- Following policies
Slide 17: Our approach
- Similar to the NIST approach
- But some training is also aimed at final users
- Based on awareness, support and responsibility
Slide 18: Integration
Awareness + Support + Responsibility, delivered through:
- Prevention through policies
- Practical knowledge
- Motivation
Slide 19: Motivation
The "raison d'être" of security:
- For the organization
- For the department
- For his/her specific position
Why it matters to the user:
- Improves the system
- Detects problems
- Understanding of the implications
- The cost of not doing it
Slide 20: Prevention
- It needs responsibility: follow the policies strictly
- It needs some routine tasks:
  - periodic review
  - backup
  - upgrade
- It needs support from IT and from other users
Slide 21: Practical Knowledge
- Identifying problems and levels of risk
- Being open to suggestions
- Knowing how to do things:
  - passwords
  - network identification
- Whom to contact in case of a problem, and what to do (and what not to do)
Slide 22: Responsibility
The new element. Who is the owner of the information?
The final user is not just a user; he/she is co-responsible for:
- the data
- the management of the data
- basic security and accessibility
Slide 23: The Scenario Approach
- The field is very large, so: less technical information, more decision-making ability
- What are the basic cases?
- From simple to complex problems
- Interaction with other users
- Rapid response
Slide 24: Scenarios (in the plural)
- Illustrate with practical, real cases
- Many variants, to identify the key issues
- When to explore further?
- More than one right answer
- Interactive discussion
- Graphical presentation
Slide 25: Conclusion
- InfoSec training is an investment
- It needs periodic review and updating with new problems
- It challenges user attitudes in awareness, support and responsibility
- Use plain language
- The user is an integral part of the solution
Slide 26: Questions? Comments?