Creating an Effective Information Security Training, Education and Awareness Programme
Annual ISACA Kampala Chapter Information Security Workshop
Prof. Venansius Baryamureeba
Contents
• Background
• Paradigm shift impact
• Urgent Concerns
• Information Security Threats
• Current Training Focus
• Training and awareness change
• What can be done?
• Focus of Training Needs
Background
• Information Security: what is it?
  • Safeguarding information from unauthorized access, whether digital or non-digital
  • A more serious issue now, due to advances in technology and greater use of digital information
  • More and more information is becoming virtual and ending up in the hands of the unknown
• Paradigm shift
  • Work habits (physical –> ubiquitous)
  • Personal security –> organizational security
Paradigm shift impact
• There is a rise in social media use and cloud-based services
  • Increases the risk of being attacked through social avenues
  • Provides an opportunity for the unknown to use and interact with your data and information
• Economic and social aspects
  • Hacking has become a job for people
  • Hacking is used for revenge, for fighting capitalism, and as something for people to feel proud of
Urgent Concerns
• Work life and social life are intertwined
  • Social web applications are becoming the norm for collaboration and communication
  • Less regulation in the mix of work and social life
  • Tracking what your colleagues are sharing and exchanging
  • Working from home, or ubiquitous working, is on the increase
• Policies and strategies
  • Privacy controls and copyright
  • Access to the ever-growing amounts of personal data on people’s profiles
  • Assurance on proper use of personal data by custodians
Information Security Threats
• Hacking
• Clickjacking attacks and malware
• Agile nature of organizations
• Privacy and copyright abuse
• Managing social media and work life
• Virtual neighbour (who exactly is that?)
• Data leakage through mobile devices
• Security department and other organizational departments not talking to each other
• Ignorance
Current Training Focus
• Security policies and training
  • Focus solely on technology and the software that runs it
  • Less attention on the humans who use it, develop it and sell it, and on the environment around it
  • Advanced employee behaviour during use of technology
• Organizational security strategies
  • Training has not entirely focused on the specific security strategies developed for the organization
  • Security of work processes and practices has not been given priority
Training and awareness change
[Diagram: forces driving the change in Information Security Training]
• Paradigm Shift
• Agile nature of organizations
• Advancement in Information Technology
• Economic Aspects
• Social Aspects
• Focus on Humans
What can be done?
[Diagram: cycle leading to Effective Information Security Training and Awareness]
• Organizations need to evaluate their understanding of Information Security
• Organizations need to determine the gaps in Information Security
• Constantly develop and redevelop training based on level of awareness
• Effective Information Security Training and Awareness
19/07/12
Focus of Training Needs
[Diagram: elements of Enhanced Information Security]
• Information Security Awareness
• Appropriate content to appropriate people
• Information Security Benchmarking
• Focus on people’s attitudes and behaviours
• Engaging and interactive
• Scenario based
• Make training culturally relevant