pace-it, security+2.6: security related awareness and training

Upload: pace-it-at-edmonds-community-college

Post on 07-Jan-2017

TRANSCRIPT

Page 1: PACE-IT, Security+2.6: Security Related Awareness and Training

Security related awareness and training.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: Industry Certification, PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.

Page 3

Security related awareness and training.

– The security policy.

– Security awareness.


Page 4

The security policy.

Page 5

The security policy.

A security policy is actually composed of many sub-documents that cover the expected behavior of personnel from a security perspective.

It is created by personnel tasked with securing company assets, but it also has the backing of management. Without management’s backing, it’s difficult to enforce a security policy. All personnel should be required to be trained on the security policy and then acknowledge such training with a signature.

The individual sub-policies contained within the security policy will not only detail the expected behavior, but will also outline the disciplinary actions that can or will be taken if the policy is violated. Disciplinary actions can range from a simple reprimand to termination or prosecution.


Page 6

The security policy.

– Role-based security training.
  » When training on individual security policies, it is important to craft the training to fit the intended user.
    • General user: needs to know the what of the policy.
    • Technical user: needs to know the how and the what of the policy.
    • Management: needs to know the why of the policy.

– Security policy training is vital.
  » Helps to ensure compliance with regulations (e.g., PCI DSS or HIPAA).
  » Helps to ensure security best practices are followed (protecting the organization from threats).
  » Helps to ensure that internal standards are adhered to.

– Ongoing security policy training.
  » The threat environment is not static, and neither should the security policy be.
    • The security policy should be changed to adjust for new threats and trends as needed (e.g., zero-day exploits).


Page 7

The security policy.

– Training types and environment.
  » Different types of training can and should be employed to help ensure consistent awareness and compliance with the security policy. These can also be used as refresher courses.
    • Printed documentation: can be used as part of the initial training after hiring; is easily tracked with a signed copy on file.
    • Computer based training (CBT): the use of IT media to provide the training; this allows for an interactive experience and is easily tracked.
    • Seminars: half day or full day security policy seminars can be used to impart knowledge to large groups at one time.
    • Working lunches: similar to the seminar, but usually will only cover a single topic.
    • Informal training: security personnel should always be striving to help users and management understand the importance of the security policy.
  » All training should be documented and tracked (with the exception of informal training).
    • The documentation and tracking can be measured.


Page 8

Security awareness.

Page 9

Security awareness.

Most users take a fairly casual approach to IT security, even when they don’t think that they do.

Social networks are actually a security risk. It is all too easy for a user to share information on a social network that shouldn’t be out in the wild (it can even happen unintentionally).

P2P (peer-to-peer) type networks are also a security risk. Just like social networks, a user may make information that should be kept in-house available on the network. P2P networks are also vulnerable to security exploits and have been used as threat vectors in the past to introduce malware into other networks.


Page 10

Security awareness.

– Information classification.
  » All data and files should be classified (also called data labeling) as to their level of sensitivity.
    • In most cases, organizations are responsible for establishing the level of classification (e.g., top secret, secret, public, or private).
  » After data and files have received their classification, users should be assigned to levels of access (i.e., their clearance level).

– Personally identifiable information (PII).
  » PII is any information that can be used to uniquely identify an individual (e.g., a social security number).
    • PII should always receive the highest level of classification and restrictions.
    • PII should never leave the control of the organization.
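The classification-then-clearance flow described on this slide, as an added worked example (this code is not from the PACE-IT slides). It uses the slide's label names (top secret, secret, private, public); the ordering between them, the rule that a user may read a record only when their clearance is at or above the record's label, the automatic elevation of PII to the top label, and the sample records are all assumptions made for the demo.

```python
"""Classification labels vs. clearance levels, as a worked example.

Added illustration, not part of the PACE-IT slides. The label ordering,
the "no read up" rule, and the sample inventory below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Sensitivity levels, least to most restrictive (assumed ordering)."""
    PUBLIC = 0
    PRIVATE = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Record:
    """A data item with the label its owner assigned and a PII flag."""
    name: str
    label: Label
    contains_pii: bool = False

    def effective_label(self) -> Label:
        """PII always receives the highest classification, regardless of
        what the owner assigned (the slide's rule)."""
        return Label.TOP_SECRET if self.contains_pii else self.label


def can_read(clearance: Label, record: Record) -> bool:
    """'No read up': access is allowed only if the user's clearance
    dominates the record's effective label."""
    return clearance >= record.effective_label()


def access_report(clearance: Label, records) -> dict:
    """Map each record name to whether this clearance may read it."""
    return {r.name: can_read(clearance, r) for r in records}


def mislabeled_pii(records) -> list:
    """Detection check: records flagged as PII whose assigned label is
    below the level PII requires. These need relabeling at the source,
    not just the runtime override in effective_label()."""
    return [r.name for r in records
            if r.contains_pii and r.label < Label.TOP_SECRET]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    Record("press_release.txt", Label.PUBLIC),
    Record("org_chart.xlsx", Label.PRIVATE),
    Record("merger_plan.docx", Label.SECRET),
    Record("payroll.csv", Label.PRIVATE, contains_pii=True),  # under-labeled PII
]

if __name__ == "__main__":
    for user, clearance in [("intern", Label.PUBLIC),
                            ("analyst", Label.SECRET),
                            ("ciso", Label.TOP_SECRET)]:
        print(f"{user:8} {access_report(clearance, SAMPLE_RECORDS)}")
    print("mislabeled PII:", mislabeled_pii(SAMPLE_RECORDS))
```

Running the block shows the analyst (SECRET clearance) reading everything except the payroll file, even though its owner labeled it PRIVATE: the PII flag lifts it out of reach. The `mislabeled_pii` check is the part a practitioner would actually schedule, since relying on the runtime override alone leaves the inventory's labels wrong.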


Page 11

Security awareness.

– Data handling and disposal.
  » Policies should outline how data can be stored and the appropriate methods for disposal (both electronically and physically).
    • If data is allowed to be placed on removable media (e.g., a USB flash drive) it should be encrypted.
    • Hard drives may be sanitized or physically destroyed.

– User habits.
  » It is up to security personnel to instill strong security habits into other personnel. Items to focus on include:
    • Strong passwords and password management.
    • Proper data handling techniques.
    • Clean desk techniques.
    • Physical security.
    • Personally owned devices.


Page 12

What was covered.

Topic: The security policy.

Summary: A security policy is actually composed of multiple sub-documents that cover security topics. They are created by security personnel with support from management. They detail the expected behavior and the consequences for violating the policy. Training on security should be role-based. Training is vital to maintaining a secure environment. It should be ongoing and can take different forms.

Topic: Security awareness.

Summary: Most users actually take a casual approach to security. It is up to security personnel to make them aware of the risks. All data and files should receive a classification level and then users should be assigned to levels of access. PII is anything that can uniquely identify an individual and should never leave the control of the organization. Policies should be put in place that detail how to properly handle and dispose of data and hardware. It is up to security personnel to instill good security habits in other personnel.

Page 13

THANK YOU!

Page 14

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.