1 / 18

K P M G L L P

A D V I S O R Y. Information Security: Policy, Awareness and Training, and Compliance. K P M G L L P. Graham J. Hill IT Advisory Services November 21, 2007. Overview. Information Security Governance - Policy and Procedure and their Relationship with Training and Awareness

viveca
Download Presentation

K P M G L L P

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A D V I S O R Y Information Security: Policy, Awareness and Training, and Compliance K P M G L L P Graham J. Hill IT Advisory ServicesNovember 21, 2007

  2. Overview • Information Security Governance - Policy and Procedure and their Relationship with Training and Awareness • Security Awareness and Training • Business Drivers • Program Framework • Compliance • Audit and Assessment: • Methodology • Different types

  3. Objectives Gain an understanding of: • Relationships between corporate policy and training and awareness • The business drivers • Manage Risk • Promote a culture of awareness • Empower employees • Protect the Company and its Assets!!! • Components of an effective awareness program • Assessing or auditing the program

  4. The Corporate Information Security Policy • The “House Rules” • Conveys Senior Management expectations to employees • Helps to show Due Diligence in Security • Meant to address risk the company faces • Address Malicious or non-malicious activity • Sets a baseline for behavior • Conveys enforcement criteria • Sets the stage for development of procedures, standards and guidelines

  5. Information Security Policy - Development Considerations in the development of Security Policy: • Business Risk Profile • Protection of assets (tangible and non-tangible) • Legal, Statutory, Regulatory, and Contractual • SOX, HIPPA, GLBA, etc., etc., etc, • Business Requirements for Information Processing that support operations • Inter-connectivity profile • IT usage profile • Leveraging Industry Accepted Standards: • ISO 17799 – International Standards Organization • CoBIT – Control Objectives for IT • NIST – National Institute of Standards for Technology - 800 Series (800-50, 800-16) • Security Trends in the industry • Emerging cyber-threats • The “human” factor

  6. The Relationship between Corporate Policy and Awareness & Training Business drivers for implementing an awareness program: • Communicate policy • Explain risks the organization faces • Communicate risk mitigation tactics for known threats • Social engineering, Phishing/Pharming, Dumpster Diving • Address typical security issues in the workplace: • Physical security • Mobile Devices – PDA’s, Laptops, etc. • Acceptable usage • Identity Theft!!! • Hotlines, Call Trees, Key Internal Contacts • Outline employee responsibility and accountability • Empower employees!!!

  7. Information Security Awareness & TrainingAlways on the move…

  8. What is the difference between Awareness, Training, and Education? • Characteristics of Awareness – This is the “What” • “For your information” • Meant for recipient to “recognize and retain” • Delivered via sessions, webinars or CBTs, emails, incentives, visible marketing materials • Short term retention • Characteristics of Training – This is the “How” • Knowledge and skill • Delivered via practical instruction • Meant for intermediate retention – training on a specific role • Characteristics of Education – This is the “Why” • Insight and understanding • Delivered via theoretical instruction – study, research • Long term retention

  9. Just some figures…. • Currently, 8 of SANS “Top 20” list end-user Awareness and Training part of the solution • A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently • Result: The laptop contained financial information on almost 200,000 current and former Hewlett Packard employees….. • The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst took home data from the VA, which he was not authorized to do. • Result: This resulted in over 26 MILLION veterans having their personal information stolen, including social security numbers and disability ratings when the employee’s home was burglarized. • This included one of our Seattle-based Senior Managers

  10. Auditing and Assessing Methodology To test the “design” of the program: • Analyze the Program • Its history and background • Ideological foundation – does it reflect the policy, industry standards, regulatory concerns? • Its framework – is it following a specific standard or ad hoc? • Content • The method of accountability – do training recipients sign off? • Method(s) of delivery • Incorporates Awareness AND Training • Awareness, role-based, performance based • Is the program curriculum reviewed periodically for relevance?

  11. Auditing and Assessing Methodology To test the “effectiveness” of the program: • Sample a set of recipients and test their knowledge • Did they sign-off? • Test the curriculum that is taught • Are awareness recipients able to identify threats? • Are they able to stop the threat prior to realization? • Do they report the attempt?

  12. Third-Party Assessments • Provide an independent view of the current state of the Security Program • Provides a “snapshot in time”, health check • Typically leverages accepted Industry Standards (i.e. ISO 27001 and ISO 17799/27002) • Prioritizes risk areas, provides direction, and provides business case

  13. Standards-Based Audits • Payment Card Industry (PCI) Compliance Assessment • ISO17799/27001 Certification • AICPA • Systrust • Webtrust • NIST

  14. Other Audits and Assessments • Vendor and Partner Security Assessments • Security in Mergers and Acquisitions • Planning an IT Merger • Security? • Regulatory Compliance?

  15. On the Horizon • Regulation “Du Joir” • Increased legislation for businesses • Changes in frameworks and standards • Use of automated “performance measurement” tools • Integrating security other standards such as ITIL

  16. Questions and Comments???

  17. Thank you Graham Hill ,CISSP, CISM, ITIL Manager, IT Advisory – Information Protection Services KPMG LLP - Seattle, WA. ghill@kpmg.com 206-913-4069

  18. References • ISO 17799/27001 • NIST 800 Series • CoBIT v4.0 • “A DESIGN THEORY FOR INFORMATION SECURITYAWARENESS”, Petri Puhakainen

More Related