developing a full-spectrum security training program (264059872)

8/9/2019 Developing a Full-Spectrum Security Training Program (264059872) http://slidepdf.com/reader/full/developing-a-full-spectrum-security-training-program-264059872 1/43 Developing a Full-Spectrum Security Training Program Kevin Hayes, CISSP, CISM Information Security Officer Geoff Nathan Faculty Liaison Wayne State University Computing & Information Technology

Upload: educause

Post on 01-Jun-2018

TRANSCRIPT

Page 1: Developing a Full-Spectrum Security Training Program (264059872)

Developing a Full-Spectrum Security Training Program

Kevin Hayes, CISSP, CISM
Information Security Officer

Geoff Nathan
Faculty Liaison

Wayne State University
Computing & Information Technology

Page 2: Developing a Full-Spectrum Security Training Program (264059872)

Agenda

• Background
• Our First Pilot
• Program Implementation
• Program Results
• Feedback from You

Page 3: Developing a Full-Spectrum Security Training Program (264059872)

Why We Didn't Already Have IT Security Awareness Education

• Taking the training required effort people either would not or could not perform.
• Nobody in authority wanted to take on both the technical and political challenges.
• We had an old Blackboard course, but it was annoying to access & never updated.

Page 4: Developing a Full-Spectrum Security Training Program (264059872)

So what changed?

• Threats are growing, creating a technology arms race that's difficult to keep up with.
• People have been asking for training and guidance more frequently.
• We wanted to ensure a cohesive program was developed – not just deliver static and stale content in a “one size fits all” approach.

Page 5: Developing a Full-Spectrum Security Training Program (264059872)

Setting the Table for Change

• We get about 10 calls a day from vendors promising us the perfect technical solution that will solve all our security woes, but…
• …funding and staff difficult to come by.
• Academic environment makes it a challenge to put restrictive controls in place.
• But, with a new administration came

Page 6: Developing a Full-Spectrum Security Training Program (264059872)

First Steps

• Large push by Information Security Office and Quality, Communications & Compliance
• Drafted a Program Charter.
• Audience will be all managers, IT staff, and individuals with enterprise system (Banner in our case) access – about 2500 people.
• Charter approval by IT Risk/Oversight Group.
• Started with a Pilot Implementation directed at internal IT staff only.

Page 7: Developing a Full-Spectrum Security Training Program (264059872)

Beginning the Pilot

• We were new at this and still evaluating various goals.
• Decided to purchase online videos.
• Evaluated SANS STH and TeachPrivacy.
• Forced own department to take TeachPrivacy.
• Trickled content (2-3 per month) over a few months.
• Content loaded in Accelerate HR CMS.

Page 8: Developing a Full-Spectrum Security Training Program (264059872)

What happened in the Pilot?

• 250 people watched the videos.
• Solicited and measured feedback:
 – “These videos are a joke at best.”
 – “The content is passable, but the quality of the software and presentation is deplorable. I would not pay anyone for this service, but I might show it to my less technically literate employees if it were free and there were no better free alternatives.”

Page 9: Developing a Full-Spectrum Security Training Program (264059872)

The Pilot showed deficiencies

• Half people liked trickle, half liked all at once.
• Content did not use WSU terminology or policies.
• Issues with clarity and wording of quiz questions.
• Videos had poor production: monotone narration, use of clip art, low audio quality.

Page 10: Developing a Full-Spectrum Security Training Program (264059872)

Pilot conclusions

• Content was good, delivery not so much.
• People still wanted to learn things, kinda.
• Resistance for taking the training:
 – “I already know this”
 – “I don't have time”
 – “The system is frustrating to use”
 – “There's no point to this”
• We knew we had to make significant changes.

Page 11: Developing a Full-Spectrum Security Training Program (264059872)

A light turns on

• Our primary job is to teach things. Why are we limiting ourselves?
• News Flash! People learn differently.
• Why can't we do different things to address the underlying reasons people won't take the training?

Page 12: Developing a Full-Spectrum Security Training Program (264059872)

A star is born

• We decided to offer different training methods.
• Use same learning objectives for all training.
• Taking any one training method will certify you.
• Learn to be flexible via three options:
 – Online Videos
 – In-Person Seminar
 – Advanced Placement Exam
• Created a new project plan for implementation.

Page 13: Developing a Full-Spectrum Security Training Program (264059872)

A few more goals

• Did not want to exclude any employees.
• Wanted content to change frequently and be dynamic.
• Doesn't require substantial resources to maintain.
 – Getting program started took several people many months to identify and iron out many wrinkles.

Page 14: Developing a Full-Spectrum Security Training Program (264059872)

Different training
same education.

• No matter how you learn, content is the same:
 1. Need for IT Security
 2. Properly Securing Data
 3. Credential Management
 4. Phishing & Email Attacks
 5. Dealing with Malware
 6. Reporting IT Security Incidents
• Goal is to make people aware of security.

Page 15: Developing a Full-Spectrum Security Training Program (264059872)

Option One: Updated Online Videos

• Online videos are great for self-starters who want to knock out bits and pieces here and there.
• Purchased selection of training videos from Inspired eLearning
• Addressed production quality.
• 3 modules for staff, 4 for managers.
• Installed in Accelerate HR LMS
 – Blackboard had issues with 1000 registration and large gradebooks.

Page 16: Developing a Full-Spectrum Security Training Program (264059872)

Option One: Updated Online Videos

Page 17: Developing a Full-Spectrum Security Training Program (264059872)

Option Two: Created In-Person Seminar

• Created 90 minute presentation.
• Held across campus several times a month.
 – Have AM and PM sessions on a Friday.
 – Sessions held in different campus buildings.
• Allows for more interactivity and “traditional learning”.
• Sign up using existing training registration system.

Page 18: Developing a Full-Spectrum Security Training Program (264059872)

Option Two: Sign-up facility

Page 19: Developing a Full-Spectrum Security Training Program (264059872)

Option Three: Created Test-Out Option

• For those that already know security (or at least claim to).
• Created online 24 Question “Advanced Placement Exam” in Qualtrics based on learning objectives and program content.
• Only one try permitted per 12 months.
• No easy questions.
• High Passing percentage required (85).

Page 20: Developing a Full-Spectrum Security Training Program (264059872)

Option Three: Created Test-Out Option

Page 21: Developing a Full-Spectrum Security Training Program (264059872)

Keeping the training simple

• “Have an answer for every yes, but”
• Created portal landing page:
 – https://computing.wayne.edu/securityawareness
• Try for minimal-click solutions where possible.
• Created Program FAQ and Knowledge Base with tips and actionable advice on security topics.
• Made easy quick reference sheet.

Page 22: Developing a Full-Spectrum Security Training Program (264059872)

Comes with a handy hand-out

Page 23: Developing a Full-Spectrum Security Training Program (264059872)

Tracking Program Completion

• Our web developers created a web application to consolidate completion data:
 – Weekly CSV Import for Online Videos
 – Attendance Sheet for In-Person Seminars
 – Qualtrics HTTP POST Call for AP Test
• Permit managers to see progress of their employees and department as a whole.
• Awesome spreadsheet developed during web application development.

Page 24: Developing a Full-Spectrum Security Training Program (264059872)

Tracking Program Completion

Page 25: Developing a Full-Spectrum Security Training Program (264059872)

Testing the new approach

• Perform beta testing and solicit feedback for all three methods of training:
 – Gave demo of seminar to C&IT staff.
 – AP Test to select Provost staff. (AP's and Deans Council)
 – Online videos to HR staff.
• Very positive feedback on all approaches.
• Feedback used to fine-tune each offering.

Page 26: Developing a Full-Spectrum Security Training Program (264059872)

Making it rewarding

• Training should not be one-way effort.
• Give something tangible back to those who “toiled”.
• Certificate on fancy paper and is JPEG-signed by CIO, ISO, & Faculty Liaison.
• Congratulations letter physically signed by ISO.
• People have been requesting and proudly displaying their certificates.

Page 27: Developing a Full-Spectrum Security Training Program (264059872)

Fancy certificate paper: 4* cents each!

Employees voluntarily showcasing their certificates: PRICELESS!

Page 28: Developing a Full-Spectrum Security Training Program (264059872)

Making the Push

• Provost's office critical to getting off the ground – especially after the Pilot phase.
• Provost kept in the loop during all beta testing phases.
• Provost insisted their office, as well as all the deans and senior staff, be trained first!
• Email message from our president sent to the identified population of 2500 people.

Page 29: Developing a Full-Spectrum Security Training Program (264059872)

Midflight Changes

• Executive management needed shorter seminar.
 – Really difficult to cut presentation by one-third.
 – Less background information and content review.
 – Directly focus on key points.
• Break up regular seminar to include breaks.
• Wording changes in AP exam.
• Reduce AP exam passing grade from 90 to 85

Page 30: Developing a Full-Spectrum Security Training Program (264059872)

Final & Current Product

• Comprehensive, multi-modal training options.
• Not time intensive less than two hours.
• Simple to access.
• Support from executive management.
• Leverage good reputation of IT and ISO.
• Not a lot of ongoing InfoSec time investment:
 – 4-6 hours per month for Seminars
 – 30 Minutes per week for certificates.

Page 31: Developing a Full-Spectrum Security Training Program (264059872)

Analyzing Program Results

• Continue to measure and evaluate all training options.
• All topics by far rated as “Very Useful” by attendees, scoring at least 6.4 out of .
• Giving personal anecdotes and stories the most effective in getting information across.

Page 32: Developing a Full-Spectrum Security Training Program (264059872)

Page 33: Developing a Full-Spectrum Security Training Program (264059872)

Security Training is valuable

• >*? of respondents rated the amount of content delivered as “Just Right”.
• All respondents felt this training met their expectations, with @*? of them having their expectation exceeded.
• Respondents are rating the training as valuable, applicable, and recommend it to their coworkers.

Page 34: Developing a Full-Spectrum Security Training Program (264059872)

Security Training is accepted

[Chart: ratings for Applicable, Valuable and Recommended, on a scale from Worst to Best]

Page 35: Developing a Full-Spectrum Security Training Program (264059872)

Security Training is working

• Spearheaded by Provost, all Deans & Senior Staff.
• Over 530 individuals have been certified.
• All three training options are proving successful.

[Chart: certifications by training option: AP Test, Videos, Seminar]

Page 36: Developing a Full-Spectrum Security Training Program (264059872)

Security Training is working

• Official Program Rollout March 1st
• Steady Certification Progress about 50 per week after initial surge.
• Managers mandating training for their staff.

[Chart: Certifications over Time]

Page 37: Developing a Full-Spectrum Security Training Program (264059872)

Feedback on Security Training

“I thought the training program was well conceived and informative. It was appropriate for WSU employees at a wide range of positions within the university. The speakers had solid expertise and experience with the topic and made the presentations interesting and engaging.”

“Your examples of incidents were good and relevant to me.”

Page 38: Developing a Full-Spectrum Security Training Program (264059872)

Feedback on Security Training

“I thought it was an excellent training session. Geoff and Kevin are knowledgeable, articulate, and they made the session entertaining.”

“The training was very informative and I think that all staff should attend one of the sessions if possible. Thanks!”

Page 39: Developing a Full-Spectrum Security Training Program (264059872)

Feedback on Security Training from a faculty member

“The committee was one of the first to receive an exceptional presentation on internet security. I have sat on the /SST committee for about seven years and to the best of my recollection have never before seen a presenter receive a round of applause. I encourage you and your chairs to invite them to present at their departmental meetings.”

Page 40: Developing a Full-Spectrum Security Training Program (264059872)

Security Training is ongoing

• Content continually updated based on participant feedback and new threats.
 – Updated information in training materials
 – New Knowledge Base articles and actionable tips
• Send courtesy emails to certified employees every few months with applicable content.
• We come to users and hold dedicated seminars for staff around their schedule.

Page 41: Developing a Full-Spectrum Security Training Program (264059872)

Future Goals

• Security Awareness certification will be needed for enterprise system access.
 – Waiting for “Critical Mass” of certifications.
 – Mandated by University IT Governance Council.
 – Identity Management will be used to enforce.
• Certification currently lasts two years, eventually move down to one.
• Make part of HR onboarding process.

Page 42: Developing a Full-Spectrum Security Training Program (264059872)

Your Feedback
& Discussion

Page 43: Developing a Full-Spectrum Security Training Program (264059872)

Developing a Full-Spectrum Security Training Program

Kevin Hayes, CISSP, CISM
Information Security Officer

Geoff Nathan
Faculty Liaison

Wayne State University
Computing & Information Technology