330 likes | 564 Views
Information Security Training . A Privacy, Security, & Compliance Partnership. Jack McCoy, CISM, CIPP Information Security Officer University of Colorado System. April 12, 2007.
E N D
Information Security Training A Privacy, Security, & Compliance Partnership Jack McCoy, CISM, CIPP Information Security Officer University of Colorado System April 12, 2007
“Security is always excessive until it's not enough" - Robbie Sinclair, Head of Security, Country Energy, NSW Australia.
Discussion Topics • Why Should You Worry about Compliance? • Privacy, Security, & Compliance Partnership • Inter-Campus Education and Awareness • Compliance Training’s Key Challenges • Group Discussion: Building a Case for Mandatory Training Jack McCoy, University of Colorado System
Why Should You Worry?Because the Public Is . . . • Public confidence in HED is under siege by a steady stream of negative press • Old breaches recycled as media fodder • Public concerns fuel new laws/regulations • When your employees handle information, most –if not all– of them are impacted Jack McCoy, University of Colorado System
Compliance is Not Just for Laws & Regulations Anymore • Many do not fully understand the compliance implications of security and privacy policies • Policy extends and defines legal/reg requirements • For example, defining “authorized use” of resources • Policy becomes an institution’s duty or contract and can be actionable • Training on policy is essential to compliance Jack McCoy, University of Colorado System
Policy without Training Doesn’t Equal Compliance • For example, many breaches are NOT caused by failed technology • but by well-intentioned employees • CIFAC – an NSF/I2 funded study • Most incidents caused by insufficient training • Having and enforcing policies and awareness training were most important factors in preventing incidents Jack McCoy, University of Colorado System
Distributed Management of Information Security Security Advisory Committee Univ. Executive Cabinet ISO Univ. of Colorado ISO Boulder ISO Colo. Springs ISO Denver ISO System Adm. Dept. Mgmt, IT Resource Owners Dept. Mgmt, IT Resource Owners Dept. Mgmt, IT Resource Owners Dept. Mgmt, IT Resource Owners Jack McCoy, University of Colorado System
Distributed Management of Education and Awareness • University ISO sets standards for campus education programs • Central education focuses on user responsibilities • identifies campus-specific resources • Campus education programs are robust, providing the full complement of training Jack McCoy, University of Colorado System
“If we do not hang together, we will all hang separately” Benjamin Franklin
Privacy, Security, & Compliance:“Kissing Cousins” Related, but Different Objectives • Privacy: protect the individual given the security, business, and compliance needs • Security: protect the information given the privacy, business, and compliance needs • Compliance: protect the organization given the privacy, security, business, & ext requirements Jack McCoy, University of Colorado System
CPO, ISO, CO Similar Roles Privacy, Security, & Compliance officers: • Serve as senior advisors to university leadership • Responsible for managing a “Program” • Provide tactical guidance as needed • Respond as a team to incidents & emerging issues Jack McCoy, University of Colorado System
Partnership Benefits • Cross pollination of knowledge • Current / emerging law, policy, business needs, etc. • Shared language – e.g., protected personal information • Consistent and clear messages to leadership • More opportunities to “sit at the table” • Greater political power on common issues Jack McCoy, University of Colorado System
Partnering on Policy, Incidents, Pressing Issues, Education • Central online training covers privacyandsecurity • Course quizzes – measures learning effectiveness • Participation tracking – assists compliance assurance • Building a support infrastructure to monitor & manage training efforts across the institutions • Building a case for mandatory training Jack McCoy, University of Colorado System
Campus Education and Awareness Programs • Campus programs are nearing maturity • Provide targeted, campus-specific information • Face-to-face, web, email, posters, etc. • May be branded • CU-Boulder’s “You Don’t Know Jack” program • http://www.colorado.edu/ITS/security/awareness/ Jack McCoy, University of Colorado System
CU Boulder’s Awareness Campaign Jack McCoy, University of Colorado System
Centralized Efforts for Education and Awareness • Designed to complement, support, and extend campus efforts • Focus on key issues common to all campuses • Address issues at a high level • Set expectations for behavior • Defer to campus resources for campus-specific information and assistance Jack McCoy, University of Colorado System
Centralized Efforts for Education and Awareness (cont’) • Online delivery is favored • Relatively inexpensive • Flexible – anytime, any place delivery • Participation tracking • Learning assessments • Great for monitoring compliance, measuring training effectiveness, minimizing staff time Jack McCoy, University of Colorado System
Examples of Shared Training Topics • Strong passwords • Central training: strong passwords, no post-it notes • Campus training: use 8 characters, 3 of 4 classes • Storing sensitive information mobile devices • Central training: Don’t store unless business need exists and adequate safeguards are in place • Campus training: Contact help desk for assistance with encryption or storing data on shared drives Jack McCoy, University of Colorado System
Balancing Training Needs & Employee Time • People are hesitant to participate because they: • Are already over trained • Feel they’re over worked • Don’t see training as a valuable use of their time • Training needs may be conceded to get employees to the training table • Subscribing to the “least you need to know” principle Jack McCoy, University of Colorado System
Managing Training Across Campuses and Departments • How do you identify the targeted individuals? • Creating and maintaining a database • How do individuals find out about their training needs/requirements and progress? • Courses taken, remaining, deadlines, scores, etc. • Who monitors participation and performance? • And provides certificates of completion, awards Jack McCoy, University of Colorado System
Designating a Training Course as “Mandatory” • “Mandatory” can be a four-letter word in the land of shared governance • What courses should be mandatory? • Who is responsible for tracking & reporting? • Who is to enforce participation? • What to do if “enforcement” becomes “endorsement” or something less? Jack McCoy, University of Colorado System
Part VI: Group Exercise:Building a Case for Mandatory Training
A Case for Mandatory Training • Assemble into groups of 3-5 people • Group discussion (15 minutes) • Group reports and analysis (15 minutes) Jack McCoy, University of Colorado System
A Case for Mandatory Training Identify a need for mandatory training and answer: • Who would you go to for support? • What justifications would you use to garner that support? • How would participation be enforced? • What positive benefits (“carrots”) would facilitate employee participation & acceptance? • What is your fall back plan? Jack McCoy, University of Colorado System
Final Thoughts • It’s not all or nothing – plan on using your gains as stepping stones to the next level Jack McCoy, University of Colorado System
References Rezmierski, V.; Rothschild, D; Kazanis, A.; Rivas, R.. (2005). Final report of the computer incident factor analysis and categorization (CIFAC) project. Retrieved March 15, 2007 from the EDUCAUSE Web site: http://www.educause.edu/ir/library/pdf/CSD4207.pdf Jack McCoy, University of Colorado System