developing a full-spectrum security training program (264059872)
TRANSCRIPT
8/9/2019 Developing a Full-Spectrum Security Training Program (264059872)
http://slidepdf.com/reader/full/developing-a-full-spectrum-security-training-program-264059872 1/43
Developing a Full-Spectrum Security Training Program
Kevin Hayes, CISSP, CISM
Information Security Officer
Geoff Nathan
Faculty Liaison
Wayne State University
Computing & Information Technology
Agenda
• Background
• Our First Pilot
• Program Implementation
• Program Results
• Feedback from You
Why We Didn't Already Have IT Security Awareness Education
• Taking the training required effort people either would not or could not perform.
• Nobody in authority wanted to take on both the technical and political challenges.
• We had an old Blackboard course, but it was annoying to access & never updated.
So what changed?
• Threats are growing, creating a technology arms race that's difficult to keep up with.
• People have been asking for training and guidance more frequently.
• We wanted to ensure a cohesive program was developed – not just deliver static and stale content in a "one size fits all" approach.
Setting the Table for Change
• We get about 10 calls a day from vendors promising us the perfect technical solution that will solve all our security woes, but…
• …funding and staff difficult to come by.
• Academic environment makes it a challenge to put restrictive controls in place.
• But, with a new administration came
First Steps
• Large push by Information Security Office and Quality, Communications & Compliance
• Drafted a Program Charter.
• Audience will be all managers, IT staff, and individuals with enterprise system (Banner in our case) access – about 2500 people.
• Charter approval by IT Risk/Oversight Group.
• Started with a Pilot Implementation directed at internal IT staff only.
Beginning the Pilot
• We were new at this and still evaluating various goals.
• Decided to purchase online videos.
• Evaluated SANS STH and TeachPrivacy.
• Forced own department to take TeachPrivacy.
• Trickled content (2-3 per month) over a few months.
• Content loaded in Accelerate HR CMS.
What happened in the Pilot?
• 250 people watched the videos.
• Solicited and measured feedback:
– "These videos are a joke at best."
– "The content is passable, but the quality of the software and presentation is deplorable. I would not pay anyone for this service, but I might show it to my less technically literate employees if it were free and there were no better free alternatives."
The Pilot showed deficiencies
• Half people liked trickle, half liked all at once.
• Content did not use WSU terminology or policies.
• Issues with clarity and wording of quiz questions.
• Videos had poor production: monotone narration, use of clip art, low audio quality.
Pilot conclusions
• Content was good, delivery not so much.
• People still wanted to learn things, kinda.
• Resistance for taking the training:
– "I already know this"
– "I don't have time"
– "The system is frustrating to use"
– "There's no point to this"
• We knew we had to make significant changes.
A light turns on
• Our primary job is to teach things. Why are we limiting ourselves?
• News Flash: People learn differently.
• Why can't we do different things to address the underlying reasons people won't take the training?
A star is born
• We decided to offer different training methods.
• Use same learning objectives for all training.
• Taking any one training method will certify you.
• Learn to be flexible via three options:
– Online Videos
– In-Person Seminar
– Advanced Placement Exam
• Created a new project plan for implementation.
A few more goals
• Did not want to exclude any employees.
• Wanted content to change frequently and be dynamic.
• Doesn't require substantial resources to maintain.
– Getting program started took several people many months to identify and iron out many wrinkles.
Different training, same education.
• No matter how you learn, content is the same:
1. Need for IT Security
2. Properly Securing Data
3. Credential Management
4. Phishing & Email Attacks
5. Dealing with Malware
6. Reporting IT Security Incidents
• Goal is to make people aware of security.
Option One: Updated Online Videos
• Online videos are great for self-starters who want to knock out bits and pieces here and there.
• Purchased selection of training videos from Inspired eLearning
• Addressed production quality.
• 3 modules for staff, 4 for managers.
• Installed in Accelerate HR LMS
– Blackboard had issues with 1000 registration and large gradebooks.
Option Two: Created In-Person Seminar
• Created 90 minute presentation.
• Held across campus several times a month.
– Have AM and PM sessions on a Friday.
– Sessions held in different campus buildings.
• Allows for more interactivity and "traditional learning".
• Sign up using existing training registration system.
Option Two: Sign-up facility
Option Three: Created Test-Out Option
• For those that already know security (or at least claim to).
• Created online 24 Question "Advanced Placement Exam" in Qualtrics based on learning objectives and program content.
• Only one try permitted per 12 months.
• No easy questions.
• High Passing percentage required (85%).
Keeping the training simple
• "Have an answer for every yes, but"
• Created portal landing page:
– https://computing.wayne.edu/securityawareness
• Try for minimal-click solutions where possible.
• Created Program FAQ and Knowledge Base with tips and actionable advice on security topics.
• Made easy quick reference sheet.
Comes with a handy hand-out
Tracking Program Completion
• Our web developers created a web application to consolidate completion data:
– Weekly CSV Import for Online Videos
– Attendance Sheet for In-Person Seminars
– Qualtrics HTTP POST Call for AP Test
• Permit managers to see progress of their employees and department as a whole.
• Awesome spreadsheet developed during web application development.
Testing the new approach
• Perform beta testing and solicit feedback for all three methods of training:
– Gave demo of seminar to C&IT staff.
– AP Test to select Provost staff. (AP's and Deans Council)
– Online videos to HR staff.
• Very positive feedback on all approaches.
• Feedback used to fine-tune each offering.
Making it rewarding
• Training should not be one-way effort.
• Give something tangible back to those who "toiled".
• Certificate on fancy paper and is JPEG-signed by CIO, ISO, & Faculty Liaison.
• Congratulations letter physically signed by ISO.
• People have been requesting and proudly displaying their certificates.
Fancy certificate paper: 4* cents each!
Employees voluntarily showcasing their certificates: P6IC787SS5
Making the Push
• Provost's office critical to getting off the ground – especially after the Pilot phase.
• Provost kept in the loop during all beta testing phases.
• Provost insisted their office, as well as all the deans and senior staff, be trained first!
• Email message from our president sent to the identified population of 2500 people.
Midflight Changes
• Executive management needed shorter seminar.
– Really difficult to cut presentation by one-third.
– Less background information and content review.
– Directly focus on key points.
• Break up regular seminar to include breaks.
• Wording changes in AP exam.
• Reduce AP exam passing grade from 90 to 85
Final & Current Product
• Comprehensive, multi-modal training options.
• Not time intensive, less than two hours.
• Simple to access.
• Support from executive management.
• Leverage good reputation of IT and ISO.
• Not a lot of ongoing InfoSec time investment:
– 4-6 hours per month for Seminars
– 30 Minutes per week for certificates.
Analyzing Program Results
• Continue to measure and evaluate all training options.
• All topics by far rated as "Very Useful" by attendees, scoring at least 6.4 out of 7.
• Giving personal anecdotes and stories the most effective in getting information across.
Security Training is valuable
• >*? of respondents rated the amount of content delivered as "Just Right".
• All respondents felt this training met their expectations, with @*? of them having their expectation exceeded.
• Respondents are rating the training as valuable, applicable, and recommend it to their coworkers.
Security Training is accepted
[Chart: Applicable, Valuable, Recommended ratings; x-axis 1 (Worst) to 5 (Best), y-axis 0 to 50]
Security Training is working
• Spearheaded by Provost, all Deans & Senior Staff.
• Over 530 individuals have been certified.
• All three training options are proving successful.
[Chart: certifications by training option: AP Test, Videos, Seminar]
Security Training is working
• Official Program Rollout March 1st
• Steady Certification Progress: about 50 per week after initial surge.
• Managers mandating training for their staff.
[Chart: Certifications over Time; y-axis 0 to 400]
Feedback on Security Training
"I thought the training program was well conceived and informative. It was appropriate for WSU employees at a wide range of positions within the university. The speakers had solid expertise and experience with the topic and made the presentations interesting and engaging."
"Your examples of incidents were good and relevant to me."
Feedback on Security Training
"I thought it was an excellent training session. Geoff and Kevin are knowledgeable, articulate, and they made the session entertaining."
"The training was very informative and I think that all staff should attend one of the sessions if possible. Thanks!"
Feedback on Security Training from a faculty member
"The committee was one of the first to receive an exceptional presentation on internet security. I have sat on the /SST committee for about seven years and to the best of my recollection have never before seen a presenter receive a round of applause. I encourage you and your chairs to invite them to present at their departmental meetings."
Security Training is ongoing
• Content continually updated based on participant feedback and new threats.
– Updated information in training materials
– New Knowledge Base articles and actionable tips
• Send courtesy emails to certified employees every few months with applicable content.
• We come to users and hold dedicated seminars for staff around their schedule.
Future Goals
• Security Awareness certification will be needed for enterprise system access.
– Waiting for "Critical Mass" of certifications.
– Mandated by University IT Governance Council.
– Identity Management will be used to enforce.
• Certification currently lasts two years, eventually move down to one.
• Make part of HR onboarding process.
Your Feedback & Discussion