(1)

TASSCC Annual Conference 2008

Information Security Awareness

(2)

Orientation

William Tompkins is Information Security Officer at Teacher Retirement System of Texas. He has more than 25 years of technical, managerial and consulting experience in information technology and more than 17 years in information security. He is a Certified Information Systems Security Professional and a Certified Business Continuity Professional.

He was the Manager of Texas Department of Transportation’s Information Security Section and Project Manager of the Information Security Program, which was selected as Computer Security Program of the Year 1994 by CSI (Computer Security Institute).

William was elected to the ISSA (Information Systems Security Association) Hall of Fame in 2006 by the ISSA International Board of Directors.

Mr. Tompkins holds two Bachelor of Science degrees, Psychology and Computer Information Science, from Troy State University in Alabama, and a Certification in Risk Management from the University of Texas at Austin.

William Tompkins

(3)

By the end of this session you will be able to identify how to:

- Ensure employees are really aware of security policies and of their own responsibilities
- Build and/or maintain a security awareness program that stays effective for the whole of an employee’s time with the organization, from orientation onward

(4)

Information Security Awareness Program Goal

To make people understand the value of the information they handle and the need to protect it.

(5)

Information Security Awareness

Providing awareness leads to understanding, and understanding leads to a change in attitude.

(6)

Management may ask, “Why implement a security awareness campaign?”

- Communicate policy to the user community and encourage compliance
- Mitigate the security versus usability trade-off
- Defend against the social engineering components of threats
- User awareness enhances the overall security profile

(7)

Employees ask, “Why have awareness education?”

- To increase awareness of information security practices
- To provide a better understanding of information security

(8)

The Good News . . .

Computer users want to learn more about how to protect themselves and their

(9)

Know your audience

- Executives and Senior Managers/Directors
- Business Unit Managers & Team Leaders

(10)

Types of message

- NEO (New Employee Orientation)
- Business Unit specific
- Recurring
- Hot topics: home user, recent events (organization impact; IT industry impact)
- Posters
- Walkthrough (report to executives; reward to users)

(11)

NEO (New Employee Orientation)

Best Practices = Good Habits

Examples:

- Protect access to your electronic accounts
- Avoid computer malware

(12)



Employees ask, “Why have awareness education?” (continued)

- Manage Risk
  - sensitive information
  - financial loss
  - loss of credibility
  - failure to produce reliable information
  - legal liability
- Compliance Requirements
  - Law

(13)

Laws & Policies

- Industry standards
- Government regulations

(14)

Information Security Responsibilities

- IT Department: “dotted line” security
  - Network, database, storage and backup
  - Printers and print distribution
  - Logging and monitoring

(15)

Sell Security Day-to-Day

- To be effective, use marketing concepts

(16)

Advertising

Convert your security policies to three to five concepts and taglines that can be reinforced on a continual basis in a variety of media.

(17)

Once words have left your mouth, you can never take them back!

Protect

(18)

You can't unring a bell or squeeze toothpaste back into the tube.

And…

You can’t ‘untalk’ about Protected Health Information

(19)

Create a brand

Once you have your brand, think about how to

(20)

Sample Concepts

- Protect printouts & access to them
- Copies made by whom?
- Emailing to …??
- Active distribution of data … to proper recipients

(21)



How to

- Prizes: gift certificates / “Thank You” letter from CEO
- Surveys: annually; users assist in developing them
- Reminders: “Chalkboard” & “TRS-News”

(22)

Perform ongoing assessment

- Don’t wait for your next audit
- Test it yourself, or work with a vendor
- Continual testing
- Ongoing feedback and revision loops

Assessment is key to identifying what works and what doesn't.

(23)

Summary

- Security information has value, both personally and professionally
- Security policies exist for business-driven reasons, and they are enforced for everyone
- Security solutions can impact usability; communicate before solutions are

(24)

Q U E S T I O N S ?

Thank You

William A. Tompkins
(512) 542-6787
[email protected]

(25)



COBIT doesn't have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:

- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.

(26)

The COBIT maturity model for training (DS7 - Educate and Train Users) specifies the following requirements for each of its maturity levels (COBIT 4.1 defines six, from 0 Non-existent through 5 Optimised):

(27)

COBIT - DS7 Educate and Train Users

Level and requirement:

- 0 Non-existent: There is a complete lack of any training and education program.
- 1 Initial/Ad Hoc: Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.
- 2 Repeatable but Intuitive: Informal training and education classes are taught ... Some of the classes address the issues of ethical conduct and system security awareness and practices.
- 3 Defined Process: Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored ...
- 4 Managed and Measurable: All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against
