Designing an Effective User-Based Security Program

Transcription

1 Cyber Security Symposium 2013 Designing an Effective User-Based Security Program Kevin Mazzone, UC Davis Health System Sean Cordero, Cloudwatchmen October 10, 2013

2 Overview Presenters Kevin Mazzone & Sean Cordero Legacy Awareness & Training Model Challenges New Approach to Awareness & Training New Approach to Policy Summary - Questions and Answers 2

3 About the presenters Sean Cordero, CISSP, CISM, CISA, CRISC Founder Cloud Watchmen Provides InfoSec and compliance services 14+ years experience Consults with C-level management at public and private enterprises Regular speaker at security conferences Former CSO of EdFund and Charlotte Russe Kevin Mazzone, PMP, CEH M.S. Information Management & InfoSec from Syracuse University Security and compliance experience Intel, EdFund, UCDHS, MAXIMUS 15+ years of experience Former ISO CISSP pending 3

4 Legacy Awareness & Training Model Challenges

5 Legacy Awareness & Training Model Challenges 1. Security awareness Unmeasured- 100% complete!= effective 2. Security training Low touch- CBT and policy overload Lack of follow-up and accountability 3. Policy Policies overly complex (wordy) Inconsistent documentation 4. Punitive program

6 New Approach to Awareness & Training

7 Effective Awareness Programs Consists of Demonstrating the value of changed behaviors Targeted marketing & communications Why security is important and why I should care Consistent security visibility Security newsletter Real-life occurrences Examples of local & national events 7

8 Marketing & Communications Get out there and sell Staff visits (IT and non-it) Meetings, walk the halls, brown bags, etc. Posters, awareness campaigns, giveaways, positive reinforcement Standard look & feel, and place to go for official communications How you and your business units can support the security program 8

9 Security Newsletter Internally developed or outsourced Relate it to the (work second) Be positive and not do this or get fired 9

10 New Approaches to Security Training

11 Training Multiple levels of awareness, security, and compliance training 101: General content for all 201: Targeted for IT with the expanded roles and responsibilities of IT 301: OWASP Top 10 for Application Developers 11

12 Rules for Training Content Rule #1 Focus on the audience. Rule #2 Keep it interesting. Rule #3 Don t reinvent. 12

13 Training Delivery Web training Pro: Inexpensive, good for upkeep Con: No relationship building, faceless arm of IT, poor retention rate Classroom training Pro: Great retention rate, builds relationships Con: More expensive than WebCT 13

14 Recommended Training Delivery Hybrid approach Classroom training upon initial hire Web training refresh Pros: Establishes relationships, gives us a face, produces higher retention Cons: Higher costs than pure WebCT Demonstrated success 14

15 New Approach to Policy 15

16 Policy Objective Provide a simple path Awareness & Training Security plan Security policies, standards, and guidelines White papers and procedures Details of how IT will support the security program 16

17 Security Plan Introduction, scope, and objectives Roles & responsibilities in support of security Execution and delivery Sub-sections for: line of business, support groups, etc. Administration of the security program Sub-sections for awareness, training, and governance 17

18 Policy Overlap HR Policies General Policies Security Policies Legal Policies IT Policies 18

19 Policy Set Hierarchy White Papers Corporate Policy HR Security Legal Biz Unit Security Documentation Standards Procedures Guidelines IT Documentation Procedures Work Instructions Security Policy high-level requirement Standard detailed requirement IT White paper how IT supports the security requirement Example: AntiVirus 19

20 Guidelines for Policy Documents Use the K.I.S.S. principle Use general terms and avoid IT jargons Keep documents to a page and 1½ pages Separate out commonalities glossary, applicability, disciplinary action, etc. Organize like the training 101, 201, and

21 Summary 21

22 Summary Awareness - Sales & marketing Training Multiple levels focused on the users; hybrid approach Policy - K.I.S.S. and don t overload with nonessential information Tie to plan Relate the awareness, training, and policy documents to the users 22

23 Questions and Answers Thank you for attending! 23