Building an IT Security Awareness & Training Program

Mark Wilson, CISSP
Computer Security Division, ITL
National Institute of Standards and Technology
March 6, 2003
mark.wilson@nist.gov
(301) 975-3870 (voice)
(301) 948-1233 (fax)
http://csrc.nist.gov/

1

Cornerstones for Success

• Policy
• Roles and Responsibilities
  – CIO
  – IT Security Program Manager
  – Managers (and Their Contractors)
  – Users
• Budget
• Management Support/Commitment

2

A Life-cycle Approach

• Design
• Develop
• Implement
• Maintain

3

What Do We Mean By

• Awareness is Not Training; Training is Not Awareness
  – The purpose of awareness presentations is simply to focus attention on security: allow individuals to recognize IT security concerns and respond accordingly, and change attitudes and behavior
  – Training strives to produce relevant and needed security skills and competencies

4

What Do We Mean By

• In awareness activities the learner receives information; in training the learner has a more active role
• Awareness relies on reaching broad audiences with a single message (or several messages); training is more formal, with a goal of building knowledge and skills to facilitate job performance

5

Designing Your Awareness & Training Program

• Determine Organization's Needs
  – Needs Assessment
  – Incorporating Results of Program Reviews
• Build a Strategy
• Develop an Awareness and Training Plan
  – Identify Audiences, Scope Needs, Establish Priorities, Set the Bar, Get Mgmt/Org Buy-in

6

Designing Your Awareness & Training Program

• Strategy Depends on Agency's Structure and Management Model
• Some Common Models or Approaches
  – Centralized Program Management Model
  – Partially Decentralized Program Management Model
  – Fully Decentralized Program Management Model

7

Centralized Program Management Model

Central Authority (CIO & ISSO)
  • Policy
  • Strategy
  • Implementation
Central Authority → Organizational Unit / Organizational Unit / Organizational Unit: All Funding, Needs Assessment, Training Plans

8

Partially Decentralized Program Management Model

Central Authority (CIO & ISSO)
  • Policy
  • Strategy
  • Needs Assessment
Each Organizational Unit (three shown)
  • Budget
  • Training Plans
  • Implementation

9

Fully Decentralized Program Management Model

Central Authority (CIO & ISSO)
  • Policy
Each Organizational Unit (three shown)
  • Needs Assessment
  • Budget
  • Training Plans
  • Implementation

10

Designing Your Awareness & Training Program

• Model or Approach is Dependent on
  – Organization Size
  – Defined Roles and Responsibilities
  – Budget Allocations and Authority

11

Developing Your Awareness & Training Material

• Policy and Guidance Issues
  – Your Program is Dependent on Policy
  – Computer Security Act
  – OMB Circular A-130, Appendix III
  – FISMA
  – Department & Agency Policy
  – NIST Guidelines - http://csrc.nist.gov/

12

Developing Your Awareness & Training Material

• Developing Awareness Material: Samples
  – Password Usage/Creation/Changes
  – Protection From Viruses - Scanning and Updating
  – PDA Security Issues
  – Laptop Security While on Travel
  – Personal Use and Gain Issues
  – Software Patches & Security Settings on Client Systems
  – Software License Restriction Issues
  – Social Engineering

13

Developing Your Awareness & Training Material

• Developing Awareness Material: Sources
  – E-mail Advisories
  – On-line IT Security Daily News Websites
  – Periodicals
  – http://csrc.nist.gov/ATE/
  – http://csrc.nist.gov/fissea/
• Previous Conference Presentations
• Future Repository of Awareness and Training Material

14

Developing Your Awareness & Training Material

• Developing Training Material: Sources
  – In-house
  – Contractors/Vendors
  – Mix of In-house and Contractor Support
  – http://csrc.nist.gov/ATE/
  – NIST Special Publication 800-16
  – DoD/DISA

15

Implementing Your Awareness & Training Material

• Messages on Trinkets, e.g., Key Fobs, Post-it Notes, Notepads, First Aid Kits, Clean-up Kits, Diskettes With a Message, Frisbees, “Gotcha” Cards
• Posters
• Access (to My PC) Lists
• “Do and Don't” Lists
• Screensavers, Warning Banners/Messages

16

Implementing Your Awareness & Training Material

• Newsletters
• Desk-to-desk Alerts
• Organization-wide E-mail Messages
• Videotapes
• Web-based Sessions
• Organization's IT Security Homepage
• Computer Security Day

17

Implementing Your Awareness & Training Material

• Computer-based Sessions
• Teleconferencing Sessions
• In-person Instructor-led Sessions
• “Brown Bag” Seminars
• Rewards Programs - Plaques, Mugs, Letters of Appreciation, All-hands Meetings (Public Humiliation) :-)

18

Maintaining Your Awareness & Training Program

• Monitoring Success - Use of Evaluation and Feedback
  – Evaluation Forms (Classroom)
  – Web- and Computer-based Evaluations
  – Pre- and Post-testing
  – Feedback From Management and Users

19

Maintaining Your Awareness & Training Program

• Managing Change
  – Technological
  – Architectural
  – Organizational
• Raising the Bar

20

Common Themes in Successful Programs

• Budget = Successful Program
• Defined Roles = Successful Program
• Web-based Material is Very Popular
• Keep Material Interesting and Current
• Movement Toward Professionalization
• Training Plans = Your Program Strategy
• Mix of Awareness and Role-based Training

21

Questions

Mark Wilson, CISSP, NIST
mark.wilson@nist.gov
(301) 975-3870 (voice)
(301) 948-1233 (fax)
http://csrc.nist.gov/
http://csrc.nist.gov/ATE/
http://csrc.nist.gov/fissea/

22


21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22


Implementing Your Awareness amp Training Material

bull Messages on Trinkets eg Key Fobs Post-it Notes Notepads First Aid Kits Clean-up Kits Diskettes With a Message Frisbees ldquoGotchardquo Cards

bull Posters bull Access (to My PC) Lists bull ldquoDo and Donrsquotrdquo Lists bull Screensavers Warning BannersMessages

16

Implementing Your Awareness amp Training Material

bull Newsletters bull Desk-to-desk Alerts bull Organization-wide E-mail Messages bull Videotapes bull Web-based Sessions bull Organizationrsquos IT Security Homepage

bull Computer Security Day 17

Implementing Your Awareness amp Training Material

bull Computer-based Sessions bull Teleconferencing Sessions bull In-person Instructor-led Sessions bull ldquoBrown Bagrdquo Seminars bull Rewards Programs - Plaques Mugs Letters

of Appreciation All-hands Meetings (Public Humiliation) -)

18

Maintaining Your Awareness amp Training Program

bull Monitoring Success - Use of Evaluation and Feedback ndash Evaluation Forms (Classroom) ndash Web- and Computer-based Evaluations ndash Pre- and Post-testing ndash Feedback From Management and Users

19

Maintaining Your Awareness amp Training Program

bull Managing Change ndash Technological ndash Architectural ndash Organizational

bull Raising the Bar

20

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 17: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Implementing Your Awareness amp Training Material

bull Newsletters bull Desk-to-desk Alerts bull Organization-wide E-mail Messages bull Videotapes bull Web-based Sessions bull Organizationrsquos IT Security Homepage

bull Computer Security Day 17

Implementing Your Awareness amp Training Material

bull Computer-based Sessions bull Teleconferencing Sessions bull In-person Instructor-led Sessions bull ldquoBrown Bagrdquo Seminars bull Rewards Programs - Plaques Mugs Letters

of Appreciation All-hands Meetings (Public Humiliation) -)

18

Maintaining Your Awareness amp Training Program

bull Monitoring Success - Use of Evaluation and Feedback ndash Evaluation Forms (Classroom) ndash Web- and Computer-based Evaluations ndash Pre- and Post-testing ndash Feedback From Management and Users

19

Maintaining Your Awareness amp Training Program

bull Managing Change ndash Technological ndash Architectural ndash Organizational

bull Raising the Bar

20

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 18: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Implementing Your Awareness amp Training Material

bull Computer-based Sessions bull Teleconferencing Sessions bull In-person Instructor-led Sessions bull ldquoBrown Bagrdquo Seminars bull Rewards Programs - Plaques Mugs Letters

of Appreciation All-hands Meetings (Public Humiliation) -)

18

Maintaining Your Awareness amp Training Program

bull Monitoring Success - Use of Evaluation and Feedback ndash Evaluation Forms (Classroom) ndash Web- and Computer-based Evaluations ndash Pre- and Post-testing ndash Feedback From Management and Users

19

Maintaining Your Awareness amp Training Program

bull Managing Change ndash Technological ndash Architectural ndash Organizational

bull Raising the Bar

20

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 19: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Maintaining Your Awareness amp Training Program

bull Monitoring Success - Use of Evaluation and Feedback ndash Evaluation Forms (Classroom) ndash Web- and Computer-based Evaluations ndash Pre- and Post-testing ndash Feedback From Management and Users

19

Maintaining Your Awareness amp Training Program

bull Managing Change ndash Technological ndash Architectural ndash Organizational

bull Raising the Bar

20

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 20: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Maintaining Your Awareness amp Training Program

bull Managing Change ndash Technological ndash Architectural ndash Organizational

bull Raising the Bar

20

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 21: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Common Themes in Successful Programs

bull Budget = Successful Program bull Defined Roles = Successful Program bull Web-based Material is Very Popular bull Keep Material Interesting and Current bull Movement Toward Professionalization bull Training Plans = Your Program Strategy bull Mix of Awareness and Role-based Training

21

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22

Page 22: Building an IT Security Awareness & Training Program · Building an IT Security Awareness & Training Program Mark Wilson, CISSP Computer Security Division, ITL National Institute

Questions

Mark Wilson CISSP NIST

markwilsonnistgov

(301) 975-3870 (voice) (301) 948-1233 (fax) httpcsrcnistgov

httpcsrcnistgovATE

httpcsrcnistgovfissea

22