ITSS 2015
Security Training and Awareness
Brad Reed, IT Security Analyst
OIT – Information Security Office
Securing the University – ITSS 2015
Our Mission
Security and Awareness Activities at Ohio University
Training Guidelines
The training and awareness model will be a centralized model per the NIST SP800-50 definition (all responsibility resides with a central authority).
o The authority will fall under the direction of the OIT Security department, with the bulk of the responsibilities centered on the security analyst(s).
Audience and Scope
The audience will consist of all levels and types of users within the Ohio University network. This should encompass any entity (local or third-party) having access to or interaction with Ohio University OIT systems and data. This scope allows for various training and awareness activities to ensure the security of Ohio University data and digital infrastructure.
Central Authority Training Model
Central Authority: OIT Security Office
• Policy, Strategy, Implementation
• All Funding, Conducts Needs Assessments, Design and Deliver Curriculum
Audience:
• Faculty, Staff, Administration, Students
• Vendors with Access, Other Identified Users
Training Categories
As defined in NIST SP800-50 Section 2 and SP800-16, the IT Security Learning Continuum provides a multi-level approach to the types of educational activities offered by this program. All activities should be classified and documented into the following categories:
o Awareness
o Training
o Education
o Professional Development
Awareness
Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
Training
Training strives to produce relevant and needed security skills and competencies.
Education
Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Professional Development
Professional development is intended to ensure that users, from beginner to the career security professional, possess a required level of knowledge and competence necessary for their roles. Professional development validates skills through certification. Such development and successful certification can be termed “professionalization.” The preparatory work to testing for such a certification normally includes study of a prescribed body of knowledge or technical curriculum, and may be supplemented by on-the-job experience.
Proactive vs. Reactive
• Security and Awareness is meant to be a proactive security function
• Bring awareness to potential threat agents
• Inform and train users of new security functions and procedures
• A means to move information and communicate with users
• Deliver new security issues to the community
• Open a two-way street for security concerns and communication
Awareness and Training Cycle
Cycle
• Perform Needs Assessment
• Identify weaknesses and current trends
• Develop training strategy and delivery method
• Compile curriculum
• Deliver training to users and identified groups
• Collect and evaluate assessment artifacts
What Do We Offer for YOU
Security Office Offerings
• Securing the Human awareness modules
• Securing the University training or awareness modules
• Face-to-Face awareness or training sessions
• Content specialist at events or department meetings
Securing the Human – SANS
SANS Provided Materials
• Currently located in OU Blackboard
• Access is as easy as contacting the security department
http://blackboard.ohio.edu
Securing the Human - General
SANS Video
SANS Quiz
Benefits
• Completing the Securing the Human series:
o Adds good-faith awareness training for compliance laws (HIPAA, FERPA, PCI)
o Awareness training is reviewed by the Internal Audit process and credit is received for all completed materials
o Brings awareness to possible security threats to your data
Securing the University – Coming Soon
Locally built
• Created in-house to respond to OU-specific risks
• Can be used as a training tool to respond to new technology securely
• Can be catered to specific requests and directed to the requesting department
• Custom training can be mixed between Securing the Human and Securing the University videos, with administrative access given to the requesting department for auditing purposes
Sample
• https://ohio.qualtrics.com/jfe/preview/SV_8DrGQL0L9BLPuL3
• Video - https://www.youtube.com/watch?v=Di-jbFlyUDQ
Face-to-Face – Brown Bags, Department Workshops, and Staff Meetings
Face-to-Face Delivery
• Available to train departments
o Brown bag sessions
o Department meetings
o Departmental retreats
o Orientation
• Training credit is tracked for Internal Audits
• Customizable
• Interactive Q&A
ITSS (Information Technology Security Seminar)
• Held on an annual basis
• Focus is given to multiple crowds
o Technical
o General University
o Public
• Awareness activities with light training
SANS Training
SANS Online Training
• In-depth technical modules
• More technical and catered to the IT community and IT policy managers
• University receives a discount on training modules
• Between 12 and 24 purchased annually
• https://www.sans.org/ondemand/
• Brad Reed – IT Security Analyst
• [email protected]
• 740-593-9886
Thank You for your time!