Information Security Training
A Privacy, Security, & Compliance Partnership
Jack McCoy, CISM, CIPP
Information Security Officer
University of Colorado System
April 12, 2007
“Security is always excessive until it's not enough” – Robbie Sinclair, Head of Security, Country Energy, NSW Australia.
Discussion Topics
• Why Should You Worry about Compliance?
• Privacy, Security, & Compliance Partnership
• Inter-Campus Education and Awareness
• Compliance Training’s Key Challenges
• Group Discussion: Building a Case for Mandatory Training
Jack McCoy, University of Colorado System
Why Should You Worry? Because the Public Is . . .
• Public confidence in HED is under siege by a steady stream of negative press
• Old breaches recycled as media fodder
• Public concerns fuel new laws/regulations
• When your employees handle information, most –if not all– of them are impacted
Compliance is Not Just for Laws & Regulations Anymore
• Many do not fully understand the compliance implications of security and privacy policies
• Policy extends and defines legal/regulatory requirements
  • For example, defining “authorized use” of resources
• Policy becomes an institution’s duty or contract and can be actionable
• Training on policy is essential to compliance
Policy without Training Doesn’t Equal Compliance
• For example, many breaches are NOT caused by failed technology
  • but by well-intentioned employees
• CIFAC – an NSF/I2 funded study
  • Most incidents caused by insufficient training
  • Having and enforcing policies and awareness training were the most important factors in preventing incidents
Distributed Management of Information Security
(Organization chart)
• Security Advisory Committee / Univ. Executive Cabinet
  • ISO, Univ. of Colorado
    • ISO Boulder – Dept. Mgmt, IT Resource Owners
    • ISO Colo. Springs – Dept. Mgmt, IT Resource Owners
    • ISO Denver – Dept. Mgmt, IT Resource Owners
    • ISO System Adm. – Dept. Mgmt, IT Resource Owners
Distributed Management of Education and Awareness
• University ISO sets standards for campus education programs
• Central education focuses on user responsibilities
  • identifies campus-specific resources
• Campus education programs are robust, providing the full complement of training
“If we do not hang together, we will all hang separately” – Benjamin Franklin
Privacy, Security, & Compliance: “Kissing Cousins”
Related, but Different Objectives
• Privacy: protect the individual given the security, business, and compliance needs
• Security: protect the information given the privacy, business, and compliance needs
• Compliance: protect the organization given the privacy, security, business, & external requirements
CPO, ISO, CO: Similar Roles
Privacy, Security, & Compliance officers:
• Serve as senior advisors to university leadership
• Responsible for managing a “Program”
• Provide tactical guidance as needed
• Respond as a team to incidents & emerging issues
Partnership Benefits
• Cross pollination of knowledge
  • Current / emerging law, policy, business needs, etc.
  • Shared language – e.g., protected personal information
• Consistent and clear messages to leadership
• More opportunities to “sit at the table”
• Greater political power on common issues
Partnering on Policy, Incidents, Pressing Issues, Education
• Central online training covers privacy and security
  • Course quizzes – measure learning effectiveness
  • Participation tracking – assists compliance assurance
• Building a support infrastructure to monitor & manage training efforts across the institutions
• Building a case for mandatory training
Campus Education and Awareness Programs
• Campus programs are nearing maturity
• Provide targeted, campus-specific information
• Face-to-face, web, email, posters, etc.
• May be branded
  • CU-Boulder’s “You Don’t Know Jack” program
  • http://www.colorado.edu/ITS/security/awareness/
CU Boulder’s Awareness Campaign
(Slide shows campaign artwork)
Centralized Efforts for Education and Awareness
• Designed to complement, support, and extend campus efforts
• Focus on key issues common to all campuses
• Address issues at a high level
• Set expectations for behavior
• Defer to campus resources for campus-specific information and assistance
Centralized Efforts for Education and Awareness (cont’d)
• Online delivery is favored
  • Relatively inexpensive
  • Flexible – anytime, any place delivery
  • Participation tracking
  • Learning assessments
• Great for monitoring compliance, measuring training effectiveness, minimizing staff time
Examples of Shared Training Topics
• Strong passwords
  • Central training: strong passwords, no post-it notes
  • Campus training: use 8 characters, 3 of 4 character classes
• Storing sensitive information on mobile devices
  • Central training: Don’t store unless a business need exists and adequate safeguards are in place
  • Campus training: Contact the help desk for assistance with encryption or storing data on shared drives
Balancing Training Needs & Employee Time
• People are hesitant to participate because they:
  • Are already over-trained
  • Feel they’re overworked
  • Don’t see training as a valuable use of their time
• Training needs may be conceded to get employees to the training table
  • Subscribing to the “least you need to know” principle
Managing Training Across Campuses and Departments
• How do you identify the targeted individuals?
  • Creating and maintaining a database
• How do individuals find out about their training needs/requirements and progress?
  • Courses taken, remaining, deadlines, scores, etc.
• Who monitors participation and performance?
  • And provides certificates of completion, awards
Designating a Training Course as “Mandatory”
• “Mandatory” can be a four-letter word in the land of shared governance
• What courses should be mandatory?
• Who is responsible for tracking & reporting?
• Who is to enforce participation?
• What to do if “enforcement” becomes “endorsement” or something less?
Part VI: Group Exercise: Building a Case for Mandatory Training
A Case for Mandatory Training
• Assemble into groups of 3-5 people
• Group discussion (15 minutes)
• Group reports and analysis (15 minutes)
A Case for Mandatory Training
Identify a need for mandatory training and answer:
• Who would you go to for support?
• What justifications would you use to garner that support?
• How would participation be enforced?
• What positive benefits (“carrots”) would facilitate employee participation & acceptance?
• What is your fall-back plan?
Final Thoughts
• It’s not all or nothing – plan on using your gains as stepping stones to the next level
References
Rezmierski, V.; Rothschild, D.; Kazanis, A.; Rivas, R. (2005). Final report of the computer incident factor analysis and categorization (CIFAC) project. Retrieved March 15, 2007 from the EDUCAUSE Web site: http://www.educause.edu/ir/library/pdf/CSD4207.pdf