ITSS 2015 Security Training and Awareness Brad Reed, IT Security Analyst OIT – Information Security Office Securing the University – ITSS 2015

Page 1: Security Training and Awareness

Brad Reed, IT Security Analyst
OIT – Information Security Office
Securing the University – ITSS 2015

Page 2: Our Mission

Security and Awareness Activities at Ohio University

Page 3: Training Guidelines

The training and awareness model will be a centralized model per the NIST SP 800-50 definition (all responsibility resides with a central authority).
o The authority will fall under the direction of the OIT Security department, with the bulk of the responsibilities centered on the security analyst(s).

Page 4: Audience and Scope

The audience will consist of all levels and types of users within the Ohio University network. This should encompass any entity (local or third-party) having access to, or interaction with, Ohio University OIT systems and data. This scope allows for various training and awareness activities to ensure the security of Ohio University data and digital infrastructure.

Page 5: Central Authority Training Model

[Diagram] Central Authority: OIT Security Office
o Responsibilities: policy, strategy, implementation, all funding, conducts needs assessments, designs and delivers curriculum
o Audience: faculty, staff, administration, students, vendors with access, other identified users

Page 6: Training Categories

As defined in NIST SP 800-50 Section 2 and SP 800-16, the IT Security Learning Continuum provides a multi-level approach to the types of educational activities offered by this program. All activities should be classified and documented into the following categories:
o Awareness
o Training
o Education
o Professional Development

Page 7: Awareness

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Page 8: Training

Training strives to produce relevant and needed security skills and competencies.

Page 9: Education

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.

Page 10: Professional Development

Professional development is intended to ensure that users, from beginner to the career security professional, possess the level of knowledge and competence necessary for their roles. Professional development validates skills through certification. Such development and successful certification can be termed "professionalization." The preparatory work for testing for such a certification normally includes study of a prescribed body of knowledge or technical curriculum, and may be supplemented by on-the-job experience.

Page 11: Proactive vs. Reactive

• Security and Awareness is meant to be a proactive security function
• Bring awareness of potential threat agents
• Inform and train users on new security functions and procedures
• A means to move information and communicate with users
• Deliver new security issues to the community
• Open a two-way street for security concerns and communication

Page 12: Awareness and Training Cycle

Page 13: Cycle

[Diagram] Steps, in order (the cycle then repeats):
• Perform needs assessment
• Identify weaknesses and current trends
• Develop training strategy and delivery method
• Compile curriculum
• Deliver training to users and identified groups
• Collect and evaluate assessment artifacts

Page 14: What Do We Offer for YOU

Page 15: Security Office Offerings

• Securing the Human awareness modules
• Securing the University training or awareness modules
• Face-to-face awareness or training sessions
• Content specialist at events or department meetings

Page 16: Securing the Human (SANS)

Page 17: SANS Provided Materials

• Currently located in OU Blackboard
• Access is as easy as contacting the security department

Page 18

http://blackboard.ohio.edu

Page 19: Securing the Human - General

Page 20: SANS Video

Page 21: SANS Quiz

Page 22: Benefits

• Completing the Securing the Human series:
o Adds good-faith awareness training for compliance requirements (HIPAA, FERPA, PCI DSS)
o Awareness training is reviewed by the Internal Audit process, and credit is received for all completed materials
o Brings awareness of possible security threats to your data

Page 23: Securing the University (Coming Soon)

Page 24: Locally Built

• Created in-house to respond to OU-specific risks
• Can be used as a training tool to respond to new technology securely
• Can be catered to specific requests and directed to the requesting department
• Custom training can mix Securing the Human and Securing the University videos, with administrative access given to the requesting department for auditing purposes

Page 26: Face-to-Face

Brown Bags, Department Workshops, and Staff Meetings

Page 27: Face-to-Face Delivery

• Available to train departments
• Brown bag sessions
• Department meetings
• Departmental retreats
• Orientation
• Training credit is tracked for Internal Audits
• Customizable
• Interactive Q&A

Page 28: ITSS (Information Technology Security Seminar)

• Held on an annual basis
• Focus is given to multiple crowds:
o Technical
o General University
o Public
• Awareness activities with light training

Page 29: SANS Training

Page 30: SANS Online Training

• In-depth technical modules
• More technical and catered to the IT community and IT policy managers
• University receives a discount on training modules
• Between 12 and 24 purchased annually
• https://www.sans.org/ondemand/

Page 31

• Brad Reed – IT Security Analyst
• [email protected]
• 740-593-9886

Thank You for your time!