Page 1: Security Awareness Training for Community Colleges 2009

IT Best Practices for Community Colleges Part 4: Awareness Training

Donald Hester, April 20, 2010

For audio call Toll Free 1-888-886-3951 and use PIN/code 254482

Page 2: Security Awareness Training for Community Colleges 2009

Housekeeping

• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Page 3: Security Awareness Training for Community Colleges 2009

Adjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Page 4: Security Awareness Training for Community Colleges 2009

Saving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Page 5: Security Awareness Training for Community Colleges 2009

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options

Page 6: Security Awareness Training for Community Colleges 2009

Donald Hester

IT Best Practices for Community Colleges Part 4: Awareness Training

Page 7: Security Awareness Training for Community Colleges 2009

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security.

Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Security awareness efforts are designed to change behavior or reinforce good security practices.

Page 8: Security Awareness Training for Community Colleges 2009

In awareness activities, the learner is the recipient of information; the learner in a training environment has a more active role.

Awareness relies on reaching broad audiences with attractive packaging techniques.

Training is more formal, having a goal of building knowledge and skills.


Page 10: Security Awareness Training for Community Colleges 2009

Cycle of Security Training Awareness Program

• Establish a policy
• Assign responsibility (CIO, Director)
• Needs assessment
• Develop awareness and training materials
• Implementation of the program
• Update and monitor program


Page 12: Security Awareness Training for Community Colleges 2009

What awareness, training and/or education are needed?

What is currently being done to meet these needs?

How well is it working? Which needs are most critical?

NIST SP 800-50 has a sample needs assessment and questionnaire.


Page 14: Security Awareness Training for Community Colleges 2009

Availability of Material/Resources
• In house or outsourced

Role and Organizational Impact
• How will this help people do their job?
• How will this help us reach our overall goals?

State of Current Compliance
• How informed are staff and students about security and privacy practices?

Critical Project Dependencies
• Funding

Page 15: Security Awareness Training for Community Colleges 2009

“What behavior do we want to reinforce?” (awareness)

“What skill or skills do we want the audience to learn and apply?” (training)

Watch out for the “we’re here because we have to be here” attitude

An awareness and training program can be effective if the material is interesting and current.

Page 16: Security Awareness Training for Community Colleges 2009

One way to get users involved and invested in the training is to make the training cover topics they are interested in.

For example, a class on "FaceBook" or "MySpace".

Users are interested in what they are interested in; use it to your advantage.

Page 17: Security Awareness Training for Community Colleges 2009

• Password usage and management
• Unknown e-mail attachments
• Policy
• Personal use and gain issues
• System and application patching
• Personal systems at work
• Web usage
• Data backup and storage
• Social engineering
• Inventory and property transfer
• Portable device issues
• Laptop security
• Physical security
• Software licensing
• Use acknowledgements

Page 18: Security Awareness Training for Community Colleges 2009

• Use marketing skills
• Get students involved
• Assignment for class
• Branding
• Use social media
• Use posters
• Use email reminders
• Leverage safety awareness
• Mascots
• Alerts

Page 19: Security Awareness Training for Community Colleges 2009

• Website notices
• RSS feeds
• Posters
• Emails
• Announcements
• Logon banners
• Seminars and classes
• Games and contests
• Awards

Use real life examples of incidents

Use incidents as an opportunity to teach “what not to do”

The news has stories every day you can use

The best stories are often those “closest to home”

Page 20: Security Awareness Training for Community Colleges 2009

• Upon hire and annually thereafter
• Must complete before access is granted
• Serves as notification (legal)
• What do they need to know to do their job?
• A basic IT security course – often online

Page 21: Security Awareness Training for Community Colleges 2009

http://blogs.technet.com/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx

Some people question the usefulness of these warnings.

However, it serves at the least as a subconscious reminder.

Legal questions arise.


Page 27: Security Awareness Training for Community Colleges 2009


Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.”


Page 29: Security Awareness Training for Community Colleges 2009

Frequency that each target audience should be exposed to material

Documentation, feedback, and evidence of learning for each aspect of the program

Evaluation and update of material for each aspect of the program

Is this working???


Page 30: Security Awareness Training for Community Colleges 2009

Training is separate from awareness, but there are overlapping areas

The goal of training is to produce relevant and needed skills and competencies

It is crucial that the needs assessment identify those individuals with significant IT security responsibilities, assess their functions, and identify their training needs


Page 31: Security Awareness Training for Community Colleges 2009

A training plan should identify an audience, or several audiences, that should receive training tailored to address their IT security responsibilities.

Each user may need specific training for their job:
• Network admins may need Windows or Cisco security training
• Admissions may need special training for handling student records

Page 32: Security Awareness Training for Community Colleges 2009

This course falls under training: focus on job role skills and competencies.

• Specifically tailored for managers and decision makers
• Designed to help them (you) with their job function

Online delivery (CCCConfer): live instructor and recorded archive.

Page 33: Security Awareness Training for Community Colleges 2009

• Sufficient funding to implement the agreed-upon strategy
• Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy
• Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items
• Executive/senior level messages to staff regarding security
• Use of metrics (e.g., to indicate a decline in security incidents or violations)
• Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file
• Level of attendance at mandatory security forums/briefings
• Recognition of security contributions (e.g., awards, contests)
• Motivation demonstrated by those playing key roles in managing/coordinating the security program

Page 34: Security Awareness Training for Community Colleges 2009

Consider Partnerships
• Other community colleges have the same needs – work together

Books
• Managing an Information Security and Privacy Awareness and Training Program, ISBN 978-1439815458

Standards and Guidance
• NIST SP 800-50, Building an IT Security Awareness and Training Program

Posters
• Monthly subscriptions: http://www.securityawareness.com/postersub.htm
• New York: http://www.cscic.state.ny.us/cscorner/events/2008/index.cfm

Social Media Example
• http://www.facebook.com/group.php?gid=245570977486

Page 35: Security Awareness Training for Community Colleges 2009

Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+

Maze & Associates

@One / San Diego City College

www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486

Q&A

Page 36: Security Awareness Training for Community Colleges 2009

Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/10SpIT4

Page 37: Security Awareness Training for Community Colleges 2009

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/

IT Best Practices for Community Colleges Part 4: Awareness Training