SecurityAwarenessSF (uploaded by Mahugani; added October 29, 2007; license: All Rights Reserved)

Presentation Transcript

IT Security Awareness at three UC campuses: Successes and Challenges
Moderator: Tiki Maxwell, UCSF Security Awareness Program Manager
Panel discussion participants:
- Julie Goldstein, UCSF IT Service Manager, Community and Compliance
- Gabe Lawrence, UCSD, Administrative Computing and Telecommunications

UCSF Security Awareness, Training & Education (SATE) Program
Overview presentation by Tiki Maxwell, UCSF SATE Manager, July 18, 2006

Why Security Awareness at UCSF?
Key reasons for security awareness at UCSF:
- UCSF must ensure that each person involved understands his or her roles and responsibilities.
- The people vulnerability (e.g., social engineering): if people are not handling and protecting information in a secure manner, even the best technologies (firewalls, antivirus, intrusion detection systems, etc.) offer little protection. The 90/10 rule applies here: information security is 10% technology and 90% people.
- Federal and state laws, as well as UC policy (HIPAA, IS-3, OMB Circular A-130, SB 1386, 650-16).

Objectives of the UCSF SATE Program
The objective of the Information Security Awareness, Training and Education program is to change the actual behavior of people by raising awareness and providing appropriate training, so that each member of the UCSF community can protect UCSF's confidential electronic information and:
- better understand the risks when using and storing electronic information;
- better understand how to reduce the risks to the confidentiality, integrity, and availability of confidential electronic information;
- better understand their roles and responsibilities for the protection of information and systems.

Challenges of any Security Awareness Program
Changing the behavior of people. Behavior is about responsiveness: applying preventive and detective security measures and responding appropriately in the case of a (potential) threat or vulnerability.

Target Audience
- General employees (users)
- Management/supervisors
- Technical support resources
Prime targets for the awareness program are the people who use our IT systems, handle University or personal information, or control IT assets. In practice this means practically everyone within the organization, plus contractors, consultants, etc. working on our premises.

What/How is information being communicated to target audiences?
Content development draws on industry best practices and standards: NIST 800-16 and the NoticeBored awareness content service.
Security awareness is delivered via campaigns. A campaign is a pre-defined, organized set of actions aimed at improving the security awareness of a specific target audience and/or about a specific security topic. Most security awareness campaign topics will be prioritized and audience focused. The priority for any campaign will be set to high (H), medium (M), or low (L) and depends entirely on identified risk, EIS incident reports, help desk trouble ticket statistics, etc. The main focus will be on the high and medium priority topics; low priority campaigns will provide only the highlights of the specific topic.

NIST and NoticeBored
What is NIST? The National Institute of Standards and Technology (NIST) is the federal agency, founded in 1901 as the National Bureau of Standards and renamed NIST by Congress in 1988, whose mandate includes assisting "industry in the development of technology ... needed to improve product quality, to modernize manufacturing processes, to ensure product reliability". For more information on NIST, visit http://www.nist.gov/
The NIST publication "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (NIST SP 800-16):
- provides guidelines for identifying training needs throughout the workforce and ensuring that everyone receives the appropriate training;
- provides a course development tool;
- provides a structure for evaluating learning effectiveness.
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
What is NoticeBored? NoticeBored is an awareness content service. It supplies security awareness materials for staff, managers and IT professionals, covering a fresh security topic each month. The materials include briefings, presentations, posters, surveys and screensavers, on topics such as network and systems management, physical security, personal data and privacy protection, contingency planning, incident response, mobile computing, and many more. http://www.noticebored.com/

Knowledge Level Framework (Based on NIST 800-16)
Knowledge level framework based on NIST 800-16 (slide content not included in the transcript)

Security Awareness Campaign Matrix
The topics the security awareness program covers depend on the security awareness needs. The security awareness campaigns cover some general information security (awareness) principles, which include the following:
- Security policy.
- The security organization: it is important that staff know and understand the way security is organized within the organization and have knowledge of the key security functions and departments.
- Responsibilities: security responsibility is a key message that will be communicated to security awareness target audiences. The security awareness program will emphasize that security applies to everyone and is everyone's responsibility.
- Security risks: all staff members need to know and understand the risks (relevant to their function) that endanger the information assets of the organization.

Delivery: Security Awareness Methods and Media
There are, of course, many methods to use in an awareness campaign. Some details for the four methods being used and the corresponding media are: (table not included in the transcript)

Security Awareness Campaign Matrix
(matrix not included in the transcript)

Program Measurements and Evaluation
The following measurements are used to measure the success of the awareness program:
- Short-question surveys
- Face-to-face interviews
The measurement results are used as indicators of new or reappearing awareness gaps, which will be addressed in new campaigns. Measuring is done continuously to help answer the following questions:
- Do employees understand and remember the information?
- Do they apply the learned rules properly?
- Do they comply with the security policies?
The results and conclusions of the measurements are evaluated and taken into account for future security awareness campaigns. The results of the awareness campaigns are evaluated against the objectives and reported to the Information Security Officer and the Information Security Committee quarterly and/or as requested.

Success Factors
- Formal security awareness policy (planned for 2007)
- Executive management support: a number of surveys (e.g., from Ernst & Young and the Information Security Forum) indicate that it may prove to be the most important success factor of all. UCSF management openly supports the SATE program.
- Behavior accountability
- Continuous process: security awareness activities must not be a one-time effort; they must be a continuous process, and security awareness must be reinforced on a regular basis.

2006-2007 Accomplishments
- Distribution of the Information Security Awareness Handbook "Your Key to Success" to 18,200 UCSF faculty, staff and students
- Delivered over 15 security awareness presentations to departments
- Hosted the 3rd annual Security Awareness Day at UCSF
- Partnering with the UCSF Technical Support Partners (TSP) program to host security training courses through the TSP
- Hosted four security awareness workshops: Introduction to the Enterprise Information Security Organization and Security Awareness program; Wireless Security; Software Security tools; UCSF Security Policies

Security Awareness Planned Activities for FY 06/07
Start-up campaign:
- Kick-off announcement and a publicity campaign with promotional items, posters, e-mail announcements and invitations
- Presentations to supervisors and management; these special presentations will be conducted to ensure their cooperation
- General awareness presentations to all UCSF faculty, staff and students
Continuous or recurrent awareness campaigns/activities:
- Awareness campaigns (training) for new employees
- Yearly refreshers for all personnel and management (e.g., HIPAA)
- An intranet website that centralizes all security awareness information
- Exit interviews for departing employees, with nondisclosure agreements if necessary (planned)
- Security leaflets or brochures for visitors
- Awareness sessions for third parties with access to the premises or systems (e.g., consultants, contractors, business associates, etc.)
- Use of enforcement methods (e.g., mandatory signing of confidentiality agreements for staff members, and possibly third parties)
Specific awareness campaigns: these campaigns will target a security topic that requires special attention. Examples are:
- Poster campaigns to increase awareness of the importance of securing mobile devices or keeping user passwords and IDs secret
- A flash card to promote the incident hotline
- An e-mail campaign to promote visiting the security intranet web site

Questions
Thank you! For additional security awareness information, contact UCSF SATE Manager Tiki Maxwell at 514-1363 or tmaxwell@its.ucsf.edu