Transcript of: Information Security: Policy, Awareness and Training, and Compliance (KPMG LLP Advisory; Graham J. Hill, IT Advisory Services; November 21, 2007)

1

KPMG LLP
Advisory

Information Security: Policy, Awareness and Training, and Compliance

Graham J. Hill, IT Advisory Services

November 21, 2007

2

Overview

Information Security Governance – Policy and Procedure and their Relationship with Training and Awareness

Security Awareness and Training
  Business Drivers
  Program Framework

Compliance
  Audit and Assessment: Methodology, Different types

3

Objectives

Gain an understanding of:

Relationships between corporate policy and training and awareness

The business drivers
  Manage Risk
  Promote a culture of awareness
  Empower employees
  Protect the Company and its Assets!!!

Components of an effective awareness program

Assessing or auditing the program

4

The Corporate Information Security Policy

The "House Rules"

Conveys Senior Management expectations to employees

Helps to show Due Diligence in Security

Meant to address risk the company faces

Addresses malicious or non-malicious activity

Sets a baseline for behavior

Conveys enforcement criteria

Sets the stage for development of procedures, standards and guidelines

5

Information Security Policy – Development

Considerations in the development of Security Policy:

Business Risk Profile
  Protection of assets (tangible and non-tangible)

Legal, Statutory, Regulatory, and Contractual
  SOX, HIPAA, GLBA, etc.

Business Requirements for Information Processing that support operations

Inter-connectivity profile
IT usage profile

Leveraging Industry Accepted Standards:
  ISO 17799 – International Organization for Standardization
  COBIT – Control Objectives for Information and related Technology
  NIST – National Institute of Standards and Technology – 800 Series (800-50, 800-16)

Security Trends in the industry
  Emerging cyber-threats
  The "human" factor

6

The Relationship between Corporate Policy and Awareness & Training

Business drivers for implementing an awareness program:

Communicate policy

Explain risks the organization faces

Communicate risk mitigation tactics for known threats
  Social engineering, Phishing/Pharming, Dumpster Diving

Address typical security issues in the workplace:
  Physical security
  Mobile Devices – PDAs, Laptops, etc.
  Acceptable usage
  Identity Theft!!!
  Hotlines, Call Trees, Key Internal Contacts

Outline employee responsibility and accountability

Empower employees!!!

7

Information Security Awareness & Training – Always on the move…

[Diagram linking Information Security Policy, Security Awareness Program, Employees, and Feedback Activities]

[Slide comment from mjung: You may want to include an object for external/3rd party participation]

8

What is the difference between Awareness, Training, and Education?

Characteristics of Awareness – This is the "What"
  "For your information"
  Meant for recipient to "recognize and retain"
  Delivered via sessions, webinars or CBTs, emails, incentives, visible marketing materials
  Short term retention

Characteristics of Training – This is the "How"
  Knowledge and skill
  Delivered via practical instruction
  Meant for intermediate retention – training on a specific role

Characteristics of Education – This is the "Why"
  Insight and understanding
  Delivered via theoretical instruction – study, research
  Long term retention

9

Just some figures…

Currently, for 8 of the items on the SANS "Top 20" list, end-user Awareness and Training is part of the solution

A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently
  Result: The laptop contained financial information on almost 200,000 current and former Hewlett Packard employees…

The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst, took home data from the VA, which he was not authorized to do.
  Result: Over 26 MILLION veterans had their personal information stolen, including social security numbers and disability ratings, when the employee's home was burglarized.

This included one of our Seattle-based Senior Managers

10

Auditing and Assessing Methodology

To test the "design" of the program:

Analyze the Program
  Its history and background
  Ideological foundation – does it reflect the policy, industry standards, regulatory concerns?
  Its framework – is it following a specific standard or ad hoc?
  Content
  The method of accountability – do training recipients sign off?
  Method(s) of delivery
  Incorporates Awareness AND Training
    Awareness, role-based, performance-based
  Is the program curriculum reviewed periodically for relevance?

11

Auditing and Assessing Methodology

To test the "effectiveness" of the program:

Sample a set of recipients and test their knowledge
  Did they sign off?

Test the curriculum that is taught
  Are awareness recipients able to identify threats?
  Are they able to stop the threat prior to realization?
  Do they report the attempt?

12

Third-Party Assessments

Provide an independent view of the current state of the Security Program

Provide a "snapshot in time", a health check

Typically leverage accepted Industry Standards (e.g. ISO 27001 and ISO 17799/27002)

Prioritize risk areas, provide direction, and provide the business case

13

Standards-Based Audits

Payment Card Industry (PCI) Compliance Assessment

ISO 27001 Certification (against the ISO 17799/27002 code of practice)

AICPA
  SysTrust
  WebTrust

NIST

14

Other Audits and Assessments

Vendor and Partner Security Assessments

Security in Mergers and Acquisitions
  Planning an IT Merger
    Security?
    Regulatory Compliance?

15

On the Horizon

Regulation "du jour"

Increased legislation for businesses

Changes in frameworks and standards

Use of automated "performance measurement" tools

Integrating security with other standards such as ITIL

16

Questions and Comments???

17

Thank you

Graham Hill, CISSP, CISM, ITIL

Manager, IT Advisory – Information Protection Services

KPMG LLP – Seattle, WA

[email protected]

206-913-4069

18

References

ISO 17799/27001

NIST 800 Series

COBIT v4.0

"A Design Theory for Information Security Awareness", Petri Puhakainen