Information Security Training
DESCRIPTION
Information Security Training. A Privacy, Security, & Compliance Partnership. Jack McCoy, CISM, CIPP, Information Security Officer, University of Colorado System. April 12, 2007.
TRANSCRIPT
Information Security Training
Jack McCoy, CISM, CIPP
Information Security Officer
University of Colorado System
A Privacy, Security, & Compliance Partnership
April 12, 2007

“Security is always excessive until it's not enough”
- Robbie Sinclair, Head of Security, Country Energy, NSW Australia
April 12, 2007 Jack McCoy, University of Colorado System 3
Discussion Topics
I. Why Should You Worry about Compliance?
II. Privacy, Security, & Compliance Partnership
III. Inter-Campus Education and Awareness
IV. Compliance Training’s Key Challenges
V. Group Discussion: Building a Case for Mandatory Training
Part I: Why Should You Worry about Compliance?
Why Should You Worry? Because the Public Is . . .
Public confidence in higher education (HED) is under siege by a steady stream of negative press
  Old breaches recycled as media fodder
Public concerns fuel new laws/regulations
When your employees handle information, most (if not all) of them are impacted
Compliance is Not Just for Laws & Regulations Anymore
Many do not fully understand the compliance implications of security and privacy policies
Policy extends and defines legal/regulatory requirements
  For example, defining “authorized use” of resources
Policy becomes an institution’s duty or contract and can be actionable
Training on policy is essential to compliance
Policy without Training Doesn’t Equal Compliance
For example, many breaches are NOT caused by failed technology but by well-intentioned employees
CIFAC, an NSF/I2-funded study, found:
  Most incidents were caused by insufficient training
  Having and enforcing policies and awareness training were the most important factors in preventing incidents
Part II: The Privacy, Security, and Compliance Partnership
Distributed Management of Information Security
(Organization chart, flattened from the slide)
Security Advisory Committee
Univ. Executive Cabinet
ISO, Univ. of Colorado
Campus ISOs: ISO Boulder; ISO Colo. Springs; ISO Denver; ISO System Adm.
Under each ISO: Dept. Mgmt, IT Resource Owners
Distributed Management of Education and Awareness
University ISO sets standards for campus education programs
Central education focuses on user responsibilities and identifies campus-specific resources
Campus education programs are robust, providing the full complement of training

“If we do not hang together, we will all hang separately”
- Benjamin Franklin
Privacy, Security, & Compliance: “Kissing Cousins”
Related, but Different Objectives
Privacy: protect the individual, given the security, business, and compliance needs
Security: protect the information, given the privacy, business, and compliance needs
Compliance: protect the organization, given the privacy, security, business, & external requirements
CPO, ISO, CO: Similar Roles
Privacy, Security, & Compliance officers:
  Serve as senior advisors to university leadership
  Are responsible for managing a “Program”
  Provide tactical guidance as needed
  Respond as a team to incidents & emerging issues
Partnership Benefits
Cross-pollination of knowledge
  Current / emerging law, policy, business needs, etc.
Shared language, e.g., “protected personal information”
Consistent and clear messages to leadership
More opportunities to “sit at the table”
Greater political power on common issues
Partnering on Policy, Incidents, Pressing Issues, Education
Central online training covers privacy and security
  Course quizzes measure learning effectiveness
  Participation tracking assists compliance assurance
Building a support infrastructure to monitor & manage training efforts across the institutions
Building a case for mandatory training
Part III: Inter-Campus Education and Awareness
Campus Education and Awareness Programs
Campus programs are nearing maturity
Provide targeted, campus-specific information
  Face-to-face, web, email, posters, etc.
May be branded
  CU-Boulder’s “You Don’t Know Jack” program
  http://www.colorado.edu/ITS/security/awareness/
CU Boulder’s Awareness Campaign
“Never offer to teach a fish to swim”
- Proverb
Centralized Efforts for Education and Awareness
Designed to complement, support, and extend campus efforts
Focus on key issues common to all campuses
Address issues at a high level
Set expectations for behavior
Defer to campus resources for campus-specific information and assistance
Centralized Efforts for Education and Awareness (cont’d)
Online delivery is favored
  Relatively inexpensive
  Flexible: anytime, any place delivery
  Participation tracking
  Learning assessments
Great for monitoring compliance, measuring training effectiveness, minimizing staff time
Examples of Shared Training Topics
Strong passwords
  Central training: strong passwords, no post-it notes
  Campus training: use 8 characters, 3 of 4 classes
Storing sensitive information on mobile devices
  Central training: Don’t store unless a business need exists and adequate safeguards are in place
  Campus training: Contact the help desk for assistance with encryption or storing data on shared drives
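A checker for the campus-level password rule quoted above (8 characters, 3 of 4 character classes), added here as an illustration; it is not code from the presentation or from the University of Colorado, and the definition of the four classes is an assumption since the slide does not spell them out.

```python
import string

# Assumed definition of the four character classes behind the campus
# "3 of 4 classes" rule (the slide does not define them).
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 8
MIN_CLASSES = 3


def classes_present(password):
    """Return the names of the character classes that appear in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def check_password(password):
    """Evaluate a candidate against the rule; return (ok, list of failure reasons).

    Meeting the rule is a minimum, not a measure of strength: a dictionary word
    with one capital and one digit still passes, which is why the central
    training's "strong passwords" message is not reducible to this check.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    present = classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(set(CLASSES) - present)
        reasons.append(
            f"only {len(present)} of {MIN_CLASSES} required classes; "
            f"missing: {', '.join(missing)}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates exercising each branch of the rule.
    for candidate in ["password", "Passw0rd", "Pa$sw0rd", "Sh0rt!", "abcdefgh1"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```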
Part IV: Key Challenges in Training for Compliance
Balancing Training Needs & Employee Time
People are hesitant to participate because they:
  Are already over-trained
  Feel they’re overworked
  Don’t see training as a valuable use of their time
Training needs may be conceded to get employees to the training table
  Subscribing to the “least you need to know” principle
Managing Training Across Campuses and Departments
How do you identify the targeted individuals?
  Creating and maintaining a database
How do individuals find out about their training needs/requirements and progress?
  Courses taken, remaining, deadlines, scores, etc.
Who monitors participation and performance?
  And provides certificates of completion, awards
Designating a Training Course as “Mandatory”
“Mandatory” can be a four-letter word in the land of shared governance
What courses should be mandatory?
Who is responsible for tracking & reporting?
Who is to enforce participation?
What to do if “enforcement” becomes “endorsement” or something less?
Part V: Group Exercise: Building a Case for Mandatory Training
A Case for Mandatory Training
Assemble into groups of 3-5 people
Group discussion (15 minutes)
Group reports and analysis (15 minutes)
A Case for Mandatory Training
Identify a need for mandatory training and answer:
1. Who would you go to for support?
2. What justifications would you use to garner that support?
3. How would participation be enforced?
4. What positive benefits (“carrots”) would facilitate employee participation & acceptance?
5. What is your fallback plan?
Final Thoughts
It’s not all or nothing: plan on using your gains as stepping stones to the next level
References
Rezmierski, V.; Rothschild, D.; Kazanis, A.; Rivas, R. (2005). Final report of the computer incident factor analysis and categorization (CIFAC) project. Retrieved March 15, 2007 from the EDUCAUSE Web site: http://www.educause.edu/ir/library/pdf/CSD4207.pdf