digital self defense iia isaca it audit seminar

Rochester IIA & ISACA IT Audit SeminarDecember 10, 2015Ben Woelk, CISSP

ISO Program ManagerRochester Institute of Technology

Copyright © 2015 Rochester Institute of Technology

Presentation Overview• Background• Communications Plan Basics• RIT Implementation• Success?• Discussion


BACKGROUND


My Background• Corporate• Higher Education

– ISO Office– Adjunct

• Techcomm• Computing Security


Rochester Institute of Technology

• RIT Environment– 18,500 students– 3,500 faculty and

staff– International

Locations– ~40,000+ systems on

the network at any given time

– Very skilled IT security students


RIT Information Security • RIT ISO

– 3 full time• Information Security

Officer• Program Manager• Sr. Forensics Investigator

– 1-4 student employees• Mix of coop and part-time

• Risk Management, not Information Technology


COMMUNICATIONS PLAN BASICS


Communications Plan• Benefits

– Systematic approach– Repeatable– Set and achieve goals– Be proactive– Be strategy driven, not event driven– Strategic plan drives marketing/communications

plan


TechComm 101• “We explain things” (R. J. Lippincott,

Intercom)• Characteristics

– Interactive and adaptable– Reader centered

• Personas– Contextualized– Concise– Visual– Cross cultural


RIT IMPLEMENTATION


Digital Self Defense Goals• Inform the entire population about threats.• Educate new members of the RIT community

on Information Security topics.• Maintain current information outputs and

engagement on Information Security topics.• Create new avenues for communication to

expand awareness of Information Security office.

• Inform community of new Infosec initiatives


Challenges• Multiple audiences• Messaging overload• 30% annual turnover• What, me worry?• Dry/technical subject


Security Awareness Plan• Components

– Audience analysis– Key messages– Communications channels– Calendar of promotions– Develop relationships


Target Audiences


Strategies• Consistent outreach• Creative/fun deliverables • New communication channels• “What’s in it for me?” fulfillment

– Emphasizing home use– Easy-to-implement best practices– Consequences of non-compliance– Interactive elements


Key Message• Short and Simple


Calendar of Promotions


Monthly TopicsMonth Topic

June, July, August Pre-Semester, Start of Semester

September New Students, New Semester, New Threats

October Cyber Security Awareness Month

November No Click November

December Scams and Hoaxes

January Data Privacy Month

February Ph(F)ebruary Phish

March Mobile Device Madness

April Spring Cleaning

May Graduating to Good Passwords


Pre-Semester/Start of Semester


Communications Channels• What’s the best vehicle?


Develop Relationships


RIT Infosec Website


RIT Social Media


Posters


Go Phish

https://www.pinterest.com/ritinfosec/playing-cards-by-rit-information-security/


Alerts and Advisories• Message Center

Portal/email• Ad hoc• ~20 per academic

year


Move-in


New Student Orientation


Lightning Talks• Six minute presentations• Slides move every 18 seconds• Topics

– Online reputation management– Illegal file sharing– Safe use of social media– Securing mobile devices


DSD Lightning Talk

• https://www.youtube.com/watch?v=-Yo8TV-ZLbE


New vehicles this fall• Bus posters• Employee Benefits Fair• RIT Information Security

Field Guide to Identifying Phishing and Scams


DSD 101 classes• Tips, Tricks, and Best Practices for staying

safe online– Monthly– Departmental presentations


RIT Digital Self Defense Team• Launched 11/11/15

– Using internal survey tool to collect metrics and recruit team members

– 535 survey participants; 206 joined DSD Team


In Development• Phishing exercises


SUCCESS?


Evaluation Tools• Internal survey tool

– Fall baseline (open now)– Spring progress


Social Media Evaluation


External Evaluations• Use with care• Kred (2013)

– Influence (trust)– Outreach (propensity to share)

• Klout (2009)– Perceived social influence


Evaluate and Make Mid-Course Corrections

• You will make mistakes• Don’t be afraid to make a change• Did it make a difference?

• Ways to evaluate– Surveys– Analytics

From austinevan

http://www.flickr.com/photos/austinevan/


Key Success Factors• What’s in it for them?• Relevant at home as well as at work• Reach them where they are


Resources• EDUCAUSE

– Cybersecurity Awareness Resource Library– Security Awareness Quick Start and Advanced

Guides• W. K. Kellogg Foundation

Template for Strategic Communications Plan• Richard Johnson-Sheehan Technical

Communication Today• Society for Technical Communication

http://bit.ly/1Qgchun




Contact MeBen [email protected]; [email protected] [email protected]/in/benwoelk/

mailto:[email protected]

mailto:[email protected]

http://www.linkedin.com/in/benwoelk/


DISCUSSION