information security training



DESCRIPTION

Information Security Training. A Privacy, Security, & Compliance Partnership. Jack McCoy, CISM, CIPP, Information Security Officer, University of Colorado System. April 12, 2007. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Information Security Training

Information Security Training

Jack McCoy, CISM, CIPP
Information Security Officer
University of Colorado System

A Privacy, Security, & Compliance Partnership

April 12, 2007

Page 2: Information Security Training

“Security is always excessive until it's not enough”

- Robbie Sinclair, Head of Security, Country Energy, NSW Australia.

Page 3: Information Security Training

April 12, 2007 Jack McCoy, University of Colorado System 3

Discussion Topics

I. Why Should You Worry about Compliance?

II. Privacy, Security, & Compliance Partnership

III. Inter-Campus Education and Awareness

IV. Compliance Training’s Key Challenges

V. Group Discussion: Building a Case for Mandatory Training

Page 4: Information Security Training

Part I: Why Should You Worry about Compliance?

Page 5: Information Security Training


Why Should You Worry? Because the Public Is . . .

- Public confidence in HED is under siege by a steady stream of negative press
  - Old breaches recycled as media fodder
- Public concerns fuel new laws/regulations
- When your employees handle information, most – if not all – of them are impacted

Page 6: Information Security Training


Compliance is Not Just for Laws & Regulations Anymore

- Many do not fully understand the compliance implications of security and privacy policies
- Policy extends and defines legal/reg requirements
  - For example, defining “authorized use” of resources
- Policy becomes an institution’s duty or contract and can be actionable
- Training on policy is essential to compliance

Page 7: Information Security Training


Policy without Training Doesn’t Equal Compliance

- For example, many breaches are NOT caused by failed technology but by well-intentioned employees
- CIFAC – an NSF/I2 funded study
  - Most incidents caused by insufficient training
  - Having and enforcing policies and awareness training were the most important factors in preventing incidents

Page 8: Information Security Training

Part II: The Privacy, Security, and Compliance Partnership

Page 9: Information Security Training


Distributed Management of Information Security

(Organization chart. Nodes shown: Univ. Executive Cabinet; Security Advisory Committee; ISO, Univ. of Colorado; ISO Boulder; ISO Colo. Springs; ISO Denver; ISO System Adm.; and, under each campus ISO, Dept. Mgmt and IT Resource Owners.)

Page 10: Information Security Training


Distributed Management of Education and Awareness

- University ISO sets standards for campus education programs
- Central education focuses on user responsibilities and identifies campus-specific resources
- Campus education programs are robust, providing the full complement of training

Page 11: Information Security Training

“If we do not hang together, we will all hang separately”

- Benjamin Franklin

Page 12: Information Security Training


Privacy, Security, & Compliance: “Kissing Cousins”

Related, but Different Objectives

- Privacy: protect the individual given the security, business, and compliance needs
- Security: protect the information given the privacy, business, and compliance needs
- Compliance: protect the organization given the privacy, security, business, & ext requirements

Page 13: Information Security Training


CPO, ISO, CO: Similar Roles

Privacy, Security, & Compliance officers:

- Serve as senior advisors to university leadership
- Responsible for managing a “Program”
- Provide tactical guidance as needed
- Respond as a team to incidents & emerging issues

Page 14: Information Security Training


Partnership Benefits

- Cross pollination of knowledge
  - Current / emerging law, policy, business needs, etc.
- Shared language – e.g., protected personal information
- Consistent and clear messages to leadership
- More opportunities to “sit at the table”
- Greater political power on common issues

Page 15: Information Security Training


Partnering on Policy, Incidents, Pressing Issues, Education

- Central online training covers privacy and security
  - Course quizzes – measure learning effectiveness
  - Participation tracking – assists compliance assurance
- Building a support infrastructure to monitor & manage training efforts across the institutions
- Building a case for mandatory training

Page 16: Information Security Training

Part III: Inter-Campus Education and Awareness

Page 17: Information Security Training


Campus Education and Awareness Programs

- Campus programs are nearing maturity
  - Provide targeted, campus-specific information
  - Face-to-face, web, email, posters, etc.
  - May be branded
- CU-Boulder’s “You Don’t Know Jack” program
  http://www.colorado.edu/ITS/security/awareness/

Page 18: Information Security Training


CU Boulder’s Awareness Campaign

Page 19: Information Security Training

“Never offer to teach a fish to swim”

- Proverb

Page 20: Information Security Training


Centralized Efforts for Education and Awareness

- Designed to complement, support, and extend campus efforts
- Focus on key issues common to all campuses
- Address issues at a high level
- Set expectations for behavior
- Defer to campus resources for campus-specific information and assistance

Page 21: Information Security Training


Centralized Efforts for Education and Awareness (cont’)

- Online delivery is favored
  - Relatively inexpensive
  - Flexible – anytime, any place delivery
  - Participation tracking
  - Learning assessments
- Great for monitoring compliance, measuring training effectiveness, minimizing staff time

Page 22: Information Security Training


Examples of Shared Training Topics

- Strong passwords
  - Central training: strong passwords, no post-it notes
  - Campus training: use 8 characters, 3 of 4 classes
- Storing sensitive information on mobile devices
  - Central training: Don’t store unless a business need exists and adequate safeguards are in place
  - Campus training: Contact the help desk for assistance with encryption or storing data on shared drives

Page 23: Information Security Training

Part IV: Key Challenges in Training for Compliance

Page 24: Information Security Training


Balancing Training Needs & Employee Time

- People are hesitant to participate because they:
  - Are already over trained
  - Feel they’re over worked
  - Don’t see training as a valuable use of their time
- Training needs may be conceded to get employees to the training table
  - Subscribing to the “least you need to know” principle

Page 25: Information Security Training


Managing Training Across Campuses and Departments

- How do you identify the targeted individuals?
  - Creating and maintaining a database
- How do individuals find out about their training needs/requirements and progress?
  - Courses taken, remaining, deadlines, scores, etc.
- Who monitors participation and performance?
  - And provides certificates of completion, awards

Page 26: Information Security Training


Designating a Training Course as “Mandatory”

- “Mandatory” can be a four-letter word in the land of shared governance
- What courses should be mandatory?
- Who is responsible for tracking & reporting?
- Who is to enforce participation?
- What to do if “enforcement” becomes “endorsement” or something less?

Page 27: Information Security Training

Part VI: Group Exercise: Building a Case for Mandatory Training

Page 28: Information Security Training


A Case for Mandatory Training

- Assemble into groups of 3-5 people
- Group discussion (15 minutes)
- Group reports and analysis (15 minutes)

Page 29: Information Security Training


A Case for Mandatory Training

Identify a need for mandatory training and answer:

1. Who would you go to for support?

2. What justifications would you use to garner that support?

3. How would participation be enforced?

4. What positive benefits (“carrots”) would facilitate employee participation & acceptance?

5. What is your fall back plan?

Page 30: Information Security Training


Final Thoughts

It’s not all or nothing – plan on using your gains as stepping stones to the next level

Page 31: Information Security Training


References

Rezmierski, V.; Rothschild, D.; Kazanis, A.; Rivas, R. (2005). Final report of the computer incident factor analysis and categorization (CIFAC) project. Retrieved March 15, 2007 from the EDUCAUSE Web site: http://www.educause.edu/ir/library/pdf/CSD4207.pdf