EIS Security Awareness, Training - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
EIS Security Awareness, Training, and Education
(SATE) Program
  • Overview Presentation
  • By Tiki Maxwell, SATE Manager
  • April 13, 2006

2
Different ways to attack computer security
3
Why Security Awareness at UCSF?
  • Key reasons for security awareness at UCSF:
  • UCSF must ensure that each person involved
    understands his or her roles and
    responsibilities.
  • The People Vulnerability (e.g., social
    engineering) - If people are not handling and
    protecting information in a secure manner, even
    the best technologies (firewalls, antivirus,
    intrusion detection systems, etc.) are useless
    measures. The 90/10 rule applies here:
    information security is 10% technology and 90%
    people.
  • Federal and State Laws, as well as UC Policy
    (HIPAA, IS-3, OMB Circular A-130, SB 1386, 650-16)

4
Objectives of the Security Awareness, Training, and
Education Program
  • The objective of the Information Security
    Training, Awareness, and Education program is to
    change the actual behavior of people by raising
    awareness and providing appropriate training so
    that each member of the UCSF community can
    protect UCSF's confidential electronic
    information and:
  • better understand the risks when using and
    storing electronic information
  • better understand how to reduce the risks to the
    confidentiality, integrity, and availability of
    confidential electronic information
  • better understand their roles and
    responsibilities for the protection of
    information and systems.

5
Challenges of any Security Awareness Program
  • Changing the behavior of people - behavior is
    about responsiveness: applying preventive and
    detective security measures and responding
    appropriately in the case of a (potential) threat
    or vulnerability.

6
Target Audience
  • General Employees (users)
  • Management/Supervisors
  • Technologists
  • Prime targets for the awareness program are the
    people who use our IT systems, handle university
    or personal information or control IT assets.  In
    practice this means practically everyone within
    the organization plus contractors, consultants
    etc. working on our premises.

7
What/How will information be communicated to
target audiences?
  • (The content development will be taken from
    industry best practices and standards -
    NIST 800-16.)
  • Security awareness delivered via campaigns -
    Campaigns are a pre-defined, organized number of
    actions aimed at improving the security awareness
    of a specific target audience and/or about a
    specific security topic.
  • Most security awareness campaign topics will be
    prioritized and audience focused. The priority
    for any campaign will be set to either high (H),
    medium (M), or low (L) and is fully dependent on
    identified risk, EIS incident reports, help desk
    trouble ticket statistics, etc.
  • The main focus will be on the high and medium
    priority topics. The low priority campaigns will
    provide the highlights of the specific topic.

8
Knowledge Level Framework (Based on NIST 800-16)

9
Security Awareness Campaign Matrix
  • The topics the security awareness program covers
    will depend on the security awareness needs.
  • The security awareness campaigns will cover some
    general information security (awareness)
    principles, which include the following:
  • Security policy
  • The security organization - it is important that
    staff know and understand the way security is
    organized within the organization and have
    knowledge of the key security functions and
    departments.
  • Responsibilities - Security responsibilities are
    a key message that will be communicated to
    security awareness target audiences. The security
    awareness programs will emphasize that security
    applies to everyone and is everyone's
    responsibility.
  • Security risks - All staff members need to know
    and understand the risks (relevant to their
    function) that endanger the information assets of
    the organization.

10
Security Awareness Delivery Methods and Media
  • There are, of course, many methods to use in an
    awareness campaign. Some details for the four
    methods that will be used and the corresponding
    media to be considered are:

11
Security Awareness Campaign Matrix
12
Program Measurements and Evaluation
  • The following measurements will be used to
    measure the success of the awareness program:
  • Short question surveys
  • Face-to-face interviews
  • The measurement results will be used as
    indicators of new or reappearing awareness gaps.
    These gaps will be addressed in new campaigns.
    Measuring will be done to continuously help
    answer the following questions:
  • Do employees understand and remember the
    information?
  • Do they apply the learned rules properly?
  • Do they comply with the security policies?
  • The results and conclusions of the measurements
    will be properly evaluated and taken into account
    for future security awareness campaigns.  The
    results of the awareness campaigns will be
    evaluated against the objectives and will be
    reported to the Information Security Officer and
    Information Security Committee quarterly and/or
    as requested.

13
Success Factors
  • Formal security awareness policy
  • Executive management support - a number of
    surveys (e.g., from Ernst & Young and the
    Information Security Forum) indicate that it
    might prove to be the most important success
    factor of all (survey available upon request)
  • Behavior accountability
  • Continuous process - security awareness
    activities must not be a one-time effort; they
    must be a continuous process. Security awareness
    must be reinforced on a regular basis.

14
How can members of the ISC help?
  • Communicate to staff the importance of security
    awareness
  • Communicate your support of security awareness to
    staff and peers
  • Allow staff time to participate in security
    awareness activities and training
  • Pass information on that you receive to staff

15
Security Awareness Planned Activities for FY 06/07
  • Start up campaign
  • Kick-off announcement and a publicity campaign
    with promotional items, posters, e-mail
    announcements and invitations
  • Presentation to supervisors and management -
    these special presentations will be conducted to
    ensure their cooperation. These presentations
    typically will include the information presented
    to executive management (ISC), with added
    information about what is required of them and
    their employees. This will require a message
    from the Information Security Officer or AVC to
    all management notifying them of the program and
    requesting their support of the program.
  • General awareness presentations to all people
  • Continuous or recurrent awareness
    campaigns/activities - some campaigns/activities
    that will be a part of this year's security
    awareness program include:
  • Awareness campaigns (training) for new employees
  • Yearly refreshers for all personnel and
    management (e.g., HIPAA)
  • An intranet website that centralizes all security
    awareness information
  • Exit interviews for departing employees with
    nondisclosure agreements, if necessary
    (Planned)
  • Security leaflets or brochures for visitors
  • Awareness sessions for third parties with access
    to the premises or systems (e.g., consultants,
    contractors, business associates, etc.)
  • Use of enforcing methods (e.g., mandatory signing
    of confidentiality agreements for staff members
    and possibly third parties)
  • Specific awareness campaigns - these campaigns
    are not a part of the recurrent or continuous
    campaigns. These campaigns will target a
    security topic that requires special attention.
    For example, a follow-up of a security incident
    might point out that there was an increase in the
    number of stolen laptops; as such, it may be
    necessary to have a specific campaign focusing on
    the issue. If the campaign proves to be
    successful, it might not be necessary to repeat
    it in the next security awareness campaign.
    Other examples are:
  • Poster campaigns to increase awareness about the
    importance of securing mobile devices or keeping
    user passwords and IDs secret
  • A flash card to promote the incident hotline
  • An email campaign to promote visiting the
    security intranet web site

16
Questions
  • Thank you!
  • For additional security awareness information,
    contact the SATE Manager:
  • Tiki Maxwell at 514-1363 or tmaxwell_at_its.ucsf.edu