1 Security and your Staff: “Information Assurance Training: An Essential Part of an Effective Security Strategy” - March 22, 2005 - Pamela Halpern, Easy i, Inc.

2 “Common sense is not so common.” - Voltaire (1694-1778)

3 The Human Element of Information Security Training

“The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress.”
-- Gary Sheehan, Information Security Project Leader

A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar.
-- Infosecurity Europe 2004

“This survey proves people are still not as aware as they could be about information security; this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date.”
-- Claire Sellick, Event Director for Infosecurity Europe 2004

4 This Session
- The key challenges to getting employee buy-in
- Getting started: some common misconceptions
- Issues to consider
- Key principles for making IS training truly effective

5 The Key Challenges
- Systems alone are not enough
- Overcoming complacency
- Different target audiences
- Delivering the program
- Ongoing program
- Cost-effective
- Measuring the results
- Demonstrating compliance

6 Developing training solutions - a double challenge
Meeting the needs of:
- The general audience
- Management

7 Bringing about meaningful behavioral change: from information to understanding

Enterprise Security Cycle:
- Awareness (I know it exists)
- Understanding (I know what it is)
- Value (I know why it is worthwhile)
- Ownership (I like it)
- Commitment (I’ll do it)
- Communication (I’ll promote it)
- Development (I’ll help enhance it)

Three questions for every employee:
- What is it?
- Why is it important?
- How does it apply to me?

8 How do you get started?

9 Common misconceptions about IS training - these are the “no-no’s”!
- Just publishing IS policies and procedures is NOT the solution
- The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program
- Annual or one-off training will NOT work

10 Strategic planning
- Who gets the training and how many?
- What training they get
- Where the training takes place
- When the training takes place
- How the training is delivered
- Over the short, medium and long term
- Aligned with corporate goals and objectives
- Clear business case for all elements

11 Training Needs Analysis (TNA) and Scoping

What should be done?
- Understand the context for training
- Assess current levels of awareness
- Analyze the needs of the target audience - key groups
- Define objectives for training
- Define measures of success
- Define requirements: content; delivery (technical and operational, for each group); management reporting

Who does it?
- Your project team
- Other agreed key personnel
- In-house SMEs
- In consultation with: Security Officers, Marketing/PR, IT Support, Compliance Officer, business unit stakeholders

What is the deliverable?
- A written report on the needs and scope of the project

12 TNA - Key factors to be considered (critical factors for success)
- Needs of technical vs. non-technical audience groups
- Generic, customized or “created from scratch” content
- Appropriate media and delivery channels
- Cultural factors
- Languages
- Time scales
- Support requirements

13 TNA - Learning Technologies Audit
- Current infrastructures
- Desktop / bandwidth issues
- Existing Learning Management System (LMS)?
- Learning standards? (AICC/SCORM*)
- Section 508 compliance?

* SCORM: Shareable Content Object Reference Model
* AICC: Aviation Industry CBT Committee

14 Creating the Team (your roles, tasks and commitment)

Project Manager
- Tasks: develops the overall approach to the program; manages the relationship with the various groups; key contact for ongoing program management
- Commitment: involved in defining requirements and establishing working procedures in the early stages of the project; involved in monitoring progress and coordinating your input on an ongoing basis

Technical / Systems Expert
- Tasks: input with technical experts on systems requirements and installation
- Commitment: supplies details of your technical requirements at the outset of the project and is available to provide support and assistance during installation; no ongoing requirement for this role unless significant changes are made to the configuration of your IT systems

Subject Matter Experts and Business Representatives
- Tasks: review and approve content
- Commitment: involved in defining content requirements and reviewing customized content in the early stages of the project; can also be involved in QA

15 Planning and Implementation Process
Needs Analysis -> Planning -> Design -> Development -> Implementation -> Evaluation

16 Critical factors for success: project planning
- Develop an overall communications plan
- e-learning is just one component
- Communicate with and gain buy-in from senior management
- Plan beyond initial training
- Include technology and integration requirements
- Clearly defined roles and responsibilities
- Agreed, realistic timescales and clear milestones
- Regular reporting and reviews

17 Developing the “right” solution

18 What is best? This depends on you!
- What objectives have you set?
- What is the size of your organization?
- What resources do you have?
- What budget do you have?
- Can you get management buy-in?
Think of it as “a marketing campaign”.

19 An Awareness Campaign
- Core training
- Refresher training/awareness
- Ongoing awareness/internal marketing

20 Core training should be:
- Brand and value led
- Interactive and context led
- Engaging and innovative
- Tailored to customer needs

21 Refresher Training: posters

22 Refresher Training: interactive emails, awareness materials, newsletters

23 Newsletters - vary the format of the message

24 Ongoing Awareness: web portals
An Information Security Portal - what should this mean in practice? A system for gathering, organizing and communicating information and knowledge that is:
- User-friendly
- Intuitive
- Flexible

25 Feedback and Measurement is Crucial

26 Feedback and Measurement
Feedback and measurement are ESSENTIAL! Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories:
1. Audit/tracking system
2. Learning Management System

27 Feedback and Measurement - 1. Audit/tracking system
- Built into the main training program
- Provides information on the progress and performance of each user
- May allow you to export information into other applications
- Generally provided free with the program purchased

28 Feedback and Measurement - 2. Learning Management System
- Provides the infrastructure needed to track, record, schedule and deliver corporate-wide learning
- Many different kinds of LMS, offering different types of functionality
- Allows you to manage the variety of training programs/resources available from one central point, including online learning, classroom training, registration, instructor availability, etc.
- Can be very expensive! (May be included with courseware if it’s from the same provider.)

29 Feedback and Measurement - how do you choose what’s right for your campaign?
- Assess how feedback and measurement is currently undertaken for training in other business units - perhaps an LMS is already in place?
- What requirements do you and your organization have, now and in the future?
- Size of organization
- Budget
- AICC/SCORM compliance

30 Learning Management System
The medieval rule of parsimony, or principle of economy, frequently used by Occam came to be known as Occam’s Razor. The rule states that plurality should not be assumed without necessity or, in modern English: keep it simple, stupid.

31 Nine Key Principles for effective IS training

32 Principle #1: Clarity of Ownership with Executive Buy-In
- Clear and unequivocal ownership
- Accommodates goals of all business lines
- Avoids gaps between words and actions

33 Principle #2: Integrated Compliance
- It’s hard to do compliance of any kind department by department
- An integrated approach yields consistent, cost-effective and comprehensive results

34 Principle #3: Less is always more
- It’s about understanding, not just information
- We can’t all be experts
- Reference materials can be made available, as needed
- Retention AND commitment plummet after 60 minutes

35 Principle #4: Value vs. Cost
- Costs relate to scale
- The real measure is the effectiveness of the outcome, not the cost per head
- Security breaches are much more expensive!

36 Principle #5: The Right Combination of Spirit and Structure
- Keep it light, humorous
- But also reinforce personal responsibility and the corporate commitment to getting it right

37 Principle #6: Relevant Context Setting
- Relevant, appropriate, realistic
- Actual examples from archives or recent situations are best
- The goal is understanding how it fits into their daily routines

38 Principle #7: Consistency
- Messages should be consistent
- Training and awareness should be delivered so that it fits within the organization’s culture

39 Principle #8: Technology Should Enable
- And no more!
- Be careful of adding too many bells and whistles
- It’s better to avoid the possibility of technical glitches
- The content is the key

40 Principle #9: Project Management
- It’s the key ingredient
- Get everyone on board with the plan
- Allow time for testing, feedback and fine-tuning

41 Information Security Assurance: getting the message through

42 Questions?
Pamela Halpern, Easy i
pamela.halpern@easyi.com
310 414-0731
www.easyi.com
