Security and your Staff
“Information Assurance Training: An Essential Part of an Effective Security Strategy”
March 22, 2005
Pamela Halpern, Easyi, Inc.
“Common sense is not so common.” - Voltaire (1694-1778)
The Human Element of Information Security Training
A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar. -- Infosecurity Europe 2004
“This survey proves people are still not as aware as they could be about information security; this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date.” -- Claire Sellick, Event Director for Infosecurity Europe 2004
“The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress.” -- Gary Sheehan, Information Security Project Leader
This Session • The Key Challenges to getting employee buy-in • Getting Started: Some Common Misconceptions • Issues to Consider • Key Principles for Making IS training truly effective
The Key Challenges • Systems alone are not enough • Overcoming complacency • Different target audiences • Delivering the program • Ongoing program • Cost-effective • Measuring the results • Demonstrating compliance
Developing training solutions - A double challenge • Meeting the needs of: • The General Audience • Management
Bringing about meaningful behavioral change: from information to understanding
Enterprise Security Cycle
• Awareness (I know it exists) - what is it? why is it important? how does it apply to me?
• Understanding (I know what it is)
• Value (I know why it is worthwhile)
• Commitment (I’ll do it)
• Ownership (I like it)
• Communication (I’ll promote it)
• Development (I’ll help enhance it)
How do you get started?
Common misconceptions about IS training These are the “no-no’s”! • Just publishing IS policies and procedures is NOT the solution • The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program • Annual or one-off training will NOT work
Strategic planning • Who gets the training and how many? • What training they get • Where the training takes place • When the training takes place • How the training is delivered • Over the short, medium and long term • Aligned with corporate goals and objectives • Clear business case for all elements
Training Needs Analysis (TNA) and Scoping
What should be done?
• Understand the context for training
• Assess current levels of awareness
• Analyze the needs of the target audience – key groups
• Define objectives for training
• Define measures of success
• Define requirements: Content; Delivery (Technical & Operational for each group); Management reporting
Who does it?
• Your project team
• Other agreed key personnel
• In-house SMEs
• In consultation with: Security Officers; Marketing/PR; IT Support; Compliance officer; Business unit stakeholders
What is the deliverable?
• A written report on needs and scope of the project
Critical factors for success TNA - Key factors to be considered • Needs of technical vs. non-technical audience groups • Generic, customized or “created from scratch” content • Appropriate media and delivery channels • Cultural factors • Languages • Time scales • Support requirements
Critical factors for success TNA - Learning Technologies Audit • Current infrastructures • Desktop / bandwidth issues • Existing Learning Management System (LMS)? • Learning standards? (AICC/SCORM*) • Section 508 compliance?
*SCORM: Shareable Content Object Reference Model; AICC: Aviation Industry CBT Committee
Creating the Team
Project Manager
• Tasks: Develops the overall approach to the program; Manages the relationship with various groups; Key contact for ongoing program management
• Commitment: Involved in defining requirements and establishing working procedures in early stages of the project; Involved in monitoring progress and co-ordinating your input on an ongoing basis
Subject Matter Experts & Business Representatives
• Tasks: Review and approve content
• Commitment: Involved in defining content requirements and reviewing customized content in early stages of the project; Can also be involved in QA
Technical / Systems expert
• Tasks: Input with technical experts re systems requirements and installation
• Commitment: Supplies details of your technical requirements at the outset of the project and will be available to provide support and assistance during installation; No ongoing requirement for this role unless significant changes are made to the configuration of your IT systems
Planning and Implementation Process Needs Analysis Planning Design Development Implementation Evaluation
Critical factors for success Project planning • Develop an overall communications plan • e-learning is just one component • Communicate with and gain buy-in from senior management • Plan beyond initial training • Include technology and integration requirements • Clearly defined roles and responsibilities • Agreed realistic timescales and clear milestones • Regular reporting and reviews
What is best? This depends on you! What objectives have you set? What is the size of your organization? What resources do you have? What budget do you have? Can you get management buy-in? “a marketing campaign”
An Awareness Campaign • Core training • Refresher training/awareness • Ongoing awareness/Internal Marketing
Brand and value led Interactive and context led Engaging and innovative Tailored to customer needs
Refresher Training Posters
Refresher Training Newsletters Interactive emails Awareness materials
Ongoing Awareness: Information Security Portal
What should this mean in practice? A system for gathering, organizing and communicating information and knowledge that is: • User-friendly • Intuitive • Flexible (Web Portals)
Feedback and Measurement Feedback and measurement are ESSENTIAL! Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories: 1. Audit/tracking system 2. Learning Management System
Feedback and Measurement • 1. Audit/tracking system • built into the main training program • provides information on the progress and performance of each user • may allow you to export information into other applications • generally provided free with the program purchased
Feedback and Measurement • 2. Learning Management System • provides the infrastructure needed to track, record, schedule and deliver corporate wide learning • many different kinds of LMS – offering different types of functionality • allows you to manage the variety of training programs/resources available from one central point including, online learning, classroom training, registration, instructor availability etc… • can be very expensive! (may be included with courseware if it’s from same provider)
Feedback and Measurement • How do you choose what’s right for your campaign? • Assess how feedback and measurement are currently undertaken for training in other business units – perhaps an LMS is already in place? • What requirements do you and your organization have – now and in the future? • Size of organization • Budget • AICC/SCORM compliance
Learning Management System The medieval rule of parsimony, or principle of economy, frequently used by Occam came to be known as Occam's Razor. The rule states that plurality should not be assumed without necessity or, in modern English, keep it simple, stupid.
Principle #1 Clarity of Ownership with Executive Buy-In • Clear and unequivocal ownership • Accommodates goals of all business lines • Avoids gaps between words and actions
Principle #2 Integrated Compliance • It’s hard to do compliance of any kind department by department • An integrated approach yields consistent, cost-effective and comprehensive results
Principle #3 Less is always more • It’s about understanding, not just information • We can’t all be experts • Reference materials can be made available, as needed • Retention AND commitment plummet after 60 minutes
Principle #4 Value vs. Cost • Costs relate to scale • The real measure is the effectiveness of the outcome, not the cost per head • Security breaches are much more expensive!
Principle #5 The Right Combination of Spirit and Structure • Keep it light, humorous • But also reinforce personal responsibility and the corporate commitment to getting it right
Principle #6 Relevant Context Setting • Relevant, appropriate, realistic • Actual examples from archives or recent situations are best • The goal is understanding how it fits into their daily routines
Principle #7 Consistency • Messages should be consistent • Training and awareness should be delivered so that it fits within the organization’s culture
Principle #8 Technology Should Enable • And no more! • Be careful of adding too many bells and whistles • It’s better to avoid the possibility of technical glitches • The content is the key
Principle #9 Project Management • It’s the key ingredient • Get everyone on board with the plan • Allow time for testing, feedback and fine-tuning
Information Security Assurance Getting the message through
Questions? Pamela Halpern Easyi pamela.halpern@easyi.com 310 414-0731 www.easyi.com