Breakout Session 2: Awareness and Training

1
Breakout Session 2Awareness and Training
2
B2 Awareness and Education

• Identification of constituencies
• Identification of challenge
• Inventory of existing programs and products
• Identification of gaps
• Identification of gap-fillers
• Recommendations

3
Methodology

• Enumerate and discuss constituencies
• Association, contribution, state of affairs,
  challenges
• For each constituency
• Awareness vs Training
• Identify needs
• Problem areas, repeat issues
• Identify and discuss solutions
• Existing programs
• Programs ideas

4
Constituencies

• Researchers
• Scientists
• Research Faculty
• Research Assistants
• Graduate students
• Undergraduates
• Institutional Review Boards/Human Subjects
  Committees
• Visitors / affiliates
• Faculty
• Librarians
• Students (resident versus non-resident)
• Undergraduate
• Graduate
• Teaching Assistants

5
Constituencies (cont)

• Administrators
• Senior executives, CIO -- decision makers
• Policy/compliance officers
• Staff, employees, email users, basic users
• Power users (tinkers, meddlers)
• Data custodians
• Auditors
• Archivists
• Human resources
• Student affairs
• Technicians
• Security Professionals
• System administrators
• Database administrators
• Network administrators
• Web administrators
• Helpdesk/support staff
• Programmers (Coding)

6
Constituencies (cont)

• Guests/Visitors/Transients
• Collaborators
• Onsite
• Visiting
• Members of existing community
• Remote push/pull
• Local
• Regional
• National
• International
• Private service partners
• Contractors
• Vendors
• Consultants
• Law enforcement
• Internal
• External
• University services
• Outreach

7
Opportunities for Training

• EDUCAUSE/Internet2 TF Security Education/Awareness
  Working Group
• CIOs / some IT Professionals
• National CyberSecurity Alliance
• General Student Body
• CEIAE (60) variety of programs (e.g., NIATEC _at_
  Idaho State)
• Curriculum development
• Self-paced training for IT Professionals
• Self-paced training for Researchers?
• CISSE
• Faculty Bootcamp
• SANS (SANS EDU)
• Technicians
• Certifications
• Usenix
• Graduate Students
• Computer Science Faculty

8
Opportunities for Training (cont)

• IEEE
• Graduate Students
• Engineering Faculty
• ACM / SIGSAC online digital reference, journal
• Computer Science Faculty
• Students
• Vendor
• Certifications for IT staff
• Free training for faculty
• Open Courseware Initiative (give and take)
• Source for Curriculum
• Government online training (NIH, NSF, NOAA, etc.)
• NSF Annual Security Awareness Training
• Administrative staff
• NSTISSC
• Curriculum Standards
• Etc (ISACA, ISSA, ACSE, )

9
Challenges

• Reaching users, particularly researchers and
  scientists.
• Independent, focused on their sciences
• Increasingly untethered science
• Fear barriers to goals
• Conflicting / varying requirements between
  external funding bodies and local facilities and
  classified research sponsors
• Lack of understanding / perception of broad
  impact of security events / benefits of security
• On the one hand they are paranoid about integrity
  of research but on the other they decry the
  inconvenience of security measures
• Incorporating security awareness into the culture
• Limited access to trained IT support

10
Fundamental Recommendations

• Ensure that applicable aspects of security are
  considered at the institutional level IRBs, job
  descriptions, orientation sessions, compliance
  training, etc.
• Find and engage external organizations (higher
  education Presidential associations, professional
  organizations, academies, accreditation boards,
  NSF) that have the respect of and influence over
  these constituencies.
• Promote and leverage existing opportunities.
• Encourage NSF to be more aggressive in providing
  security awareness assistance (e.g., Guidelines
  for IT Security of NSFs Large Facilities).
• Encourage institutions to include technology
  support (IT Security) in grant proposals,
  especially graduate students (future researchers).