IT Best Practices for Community Colleges Part 4:
Awareness Training
Donald Hester
April 20, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 254482
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
IT Best Practices for Community Colleges Part 4:
Awareness Training
Donald Hester
What is Security Awareness?
 Awareness is not training
 The purpose of awareness presentations
is simply to focus attention on security
 Awareness presentations are intended to
allow individuals to recognize IT security
concerns and respond accordingly
 Security awareness efforts are designed
to change behavior or reinforce good
security practices
7
How does Training differ from
Awareness
 In awareness activities, the learner is the
recipient of information
 the learner in a training environment has
a more active role
 Awareness relies on reaching broad
audiences with attractive packaging
techniques
 Training is more formal, having a goal of
building knowledge and skills
8
9
Cycle of Security Training
Awareness Program




Establish a policy
Assign responsibility (CIO, Director)
Needs assessment
Develop Awareness and Training
Materials
 Implementation of the program
 Update and monitor program
Program
11
Needs Assessment
 What awareness, training and/or
education are needed?
 What is currently being done to meet
these needs?
 How well is it working?
 Which needs are most critical?
 NIST SP 800-50 has a Sample Needs
Assessment and Questionnarie
12
Needs Assessment
13
Establish Priorities
 Availability of Material/Resources
• In house or outsourced
 Role and Organizational Impact
• How ill this help people do their job
• How will this help us reach our overall goals
 State of Current Compliance
• How informed are staff and students about
security and privacy practices
 Critical Project Dependencies
• Funding
14
Materials
 “What behavior do we want to reinforce?”
(awareness)
 “What skill or skills do we want the
audience to learn and apply?” (training)
 Watch out for the “we’re here because
we have to be here” attitude
 An awareness and training program can
be effective, if the material is interesting
and current
15
Practice
 One way to get users involved and
invested in the training is to make the
training cover topics they are interested
in
 For example a class on “FaceBook” or
“MySpace”
 Users are interested in what they are
interested in, use it to your advantage
16
Possible Topics
•Password usage and
management
•Unknown e-mail
attachments
•Policy
•Personal use and gain
issues
•System and application
patching
•Personal systems at
work
17
•Web usage
•Data backup and
storage
•Social engineering
•Inventory and property
transfer
•Portable device issues
•Laptop security
•Physical security
•Software licensing
•Use acknowledgements
Campaign










18
Use marketing skills
Get students involved
Assignment for class
Branding
Use Social Media
Use Posters
Use Email reminders
Leverage Safety Awareness
Mascots
Alerts
Use multiple vectors









19
Website notices
RSS Feeds
Posters
Emails
Announcements
Logon banners
Seminars and classes
Games and contests
Awards
Use real life examples
of incidents
Use incidents as an
opportunity to teach
“what not to do”
The news has stories
everyday you can use
The best stories are
often those “closest to
home”
Initial User Training





20
Upon hire and annually thereafter
Must complete before access is granted
Serves as notification (legal)
What do they need to know to do their job
A basic IT security course – often online
Reminders
http://blogs.technet.com/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx
Some people question
the usefulness of these
warnings
However it serves at the
least as a subconscious
reminder
Legal questions arise
21
Sample Posters
(Government)
22
Buy Posters
23
Short and to the point
24
NIST Posters
25
26
Maintenance of the Program
 Continuous
improvement
should always be
the theme for
security awareness
and training
initiatives, as this is
one area where
“you can never do
enough.”
27
Input for Updates
28
Maintain the Program
 Frequency that each target audience
should be exposed to material
 Documentation, feedback, and evidence
of learning for each aspect of the
program
 Evaluation and update of material for
each aspect of the program
 Is this working???
29
Goal of Training
 Training is separate from awareness but
there overlapping areas
 The goal of training is to produce
relevant and needed skills and
competencies
 It is crucial that the needs assessment
identify those individuals with significant
IT security responsibilities, assess their
functions, and identify their training
needs
30
Training
 Training plan should identify an
audience, or several audiences, that
should receive training tailored to
address their IT security responsibilities
 Each user may need specific training for
their job
• Network admins may need Windows or
•
31
Cisco security training
Admissions may need special training for
handling student records
Example of Training
 This course falls under training
 Focus on job roll skills and competencies
• Specifically tailored for managers and
•
decision makers
Designed to help them (You) with their job
function
 Online delivery (CCCConfer)
 Live instructor and recorded archive
32
KPI (Key Performance Indicators)
 Sufficient funding to implement the agreed-upon strategy
 Appropriate organizational placement to enable those with key
responsibilities to effectively implement the strategy
 Support for broad distribution (e.g., web, e-mail, TV) and posting
of security awareness items
 Executive/senior level messages to staff regarding security
 Use of metrics (e.g., to indicate a decline in security incidents or
violations)
 Managers do not use their status in the organization to avoid
security controls that are consistently adhered to by the rank and
file
 Level of attendance at mandatory security forums/briefings
 Recognition of security contributions (e.g., awards, contests)
 Motivation demonstrated by those playing key roles in
managing/coordinating the security program
33
Resources
 Consider Partnerships
• Other community colleges have the same needs – work together
 Books
• Managing an Information Security and Privacy Awareness and
Training Program ISBN 978-1439815458
 Standards and Guidance
• NIST SP 800-50 Building an IT Security Awareness and Training
Program
 Posters
• Monthly subscriptions
•
http://www.securityawareness.com/postersub.htm
New York
http://www.cscic.state.ny.us/cscorner/events/2008/index.cfm
 Social Media Example
• http://www.facebook.com/group.php?gid=245570977486
34
Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpIT4
IT Best Practices for Community Colleges Part 4:
Awareness Training
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/