KPMG LLP
ADVISORY
Information Security: Policy, Awareness and Training, and Compliance
Graham J. Hill, IT Advisory Services
November 21, 2007
Overview
Information Security Governance
  Policy and Procedure and their relationship with Training and Awareness
Security Awareness and Training
  Business drivers
  Program framework
Compliance
  Audit and Assessment: methodology, different types
Objectives
Gain an understanding of:
  Relationships between corporate policy and training and awareness
  The business drivers
    Manage risk
    Promote a culture of awareness
    Empower employees
    Protect the Company and its assets
  Components of an effective awareness program
  Assessing or auditing the program
The Corporate Information Security Policy
The "House Rules"
  Conveys senior management expectations to employees
  Helps to show due diligence in security
  Meant to address risk the company faces
  Addresses malicious or non-malicious activity
  Sets a baseline for behavior
  Conveys enforcement criteria
  Sets the stage for development of procedures, standards and guidelines
Information Security Policy - Development
Considerations in the development of security policy:
  Business risk profile
    Protection of assets (tangible and non-tangible)
  Legal, statutory, regulatory, and contractual obligations
    SOX, HIPAA, GLBA, etc.
  Business requirements for information processing that support operations
  Inter-connectivity profile
  IT usage profile
  Leveraging industry-accepted standards:
    ISO 17799 - International Organization for Standardization (renumbered ISO/IEC 27002 in 2007)
    COBIT - Control Objectives for Information and related Technology
    NIST - National Institute of Standards and Technology - 800 series (SP 800-50, awareness and training program; SP 800-16, role-based training requirements)
  Security trends in the industry
    Emerging cyber-threats
    The "human" factor
The Relationship between Corporate Policy and Awareness & Training
Business drivers for implementing an awareness program:
  Communicate policy
  Explain risks the organization faces
  Communicate risk mitigation tactics for known threats
    Social engineering, phishing/pharming, dumpster diving
  Address typical security issues in the workplace:
    Physical security
    Mobile devices - PDAs, laptops, etc.
    Acceptable usage
    Identity theft
    Hotlines, call trees, key internal contacts
  Outline employee responsibility and accountability
  Empower employees
Information Security Awareness & Training - Always on the move...
[Figure: cycle diagram linking Information Security Policy, Security Awareness Program, Employees, and Feedback Activities]
What is the difference between Awareness, Training, and Education?
Characteristics of Awareness - this is the "What"
  "For your information"
  Meant for the recipient to "recognize and retain"
  Delivered via sessions, webinars or CBTs, emails, incentives, visible marketing materials
  Short-term retention
Characteristics of Training - this is the "How"
  Knowledge and skill
  Delivered via practical instruction
  Meant for intermediate retention - training on a specific role
Characteristics of Education - this is the "Why"
  Insight and understanding
  Delivered via theoretical instruction - study, research
  Long-term retention
Just some figures...
  Currently, 8 of the SANS "Top 20" list end-user awareness and training as part of the solution
  A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently
    Result: the laptop contained financial information on almost 200,000 current and former Hewlett Packard employees
  The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst, took home data from the VA, which he was not authorized to do
    Result: over 26 MILLION veterans had their personal information stolen, including Social Security numbers and disability ratings, when the employee's home was burglarized
    This included one of our Seattle-based Senior Managers
Auditing and Assessing Methodology
To test the "design" of the program:
  Analyze the program
    Its history and background
    Ideological foundation - does it reflect the policy, industry standards, regulatory concerns?
    Its framework - is it following a specific standard or ad hoc?
    Content
    The method of accountability - do training recipients sign off?
    Method(s) of delivery
    Incorporates awareness AND training
      Awareness, role-based, performance-based
    Is the program curriculum reviewed periodically for relevance?
Auditing and Assessing Methodology
To test the "effectiveness" of the program:
  Sample a set of recipients and test their knowledge
    Did they sign off?
  Test the curriculum that is taught
    Are awareness recipients able to identify threats?
    Are they able to stop the threat prior to realization?
    Do they report the attempt?
Third-Party Assessments
  Provide an independent view of the current state of the security program
  Provide a "snapshot in time" health check
  Typically leverage accepted industry standards (e.g. ISO 27001 and ISO 17799/27002)
  Prioritize risk areas, provide direction, and provide a business case
Standards-Based Audits
  Payment Card Industry (PCI) compliance assessment
  ISO 27001 certification (management system requirements; controls drawn from ISO 17799/27002)
  AICPA
    SysTrust
    WebTrust
  NIST
Other Audits and Assessments
  Vendor and partner security assessments
  Security in mergers and acquisitions
    Planning an IT merger
      Security?
      Regulatory compliance?
On the Horizon
  Regulation "du jour"
  Increased legislation for businesses
  Changes in frameworks and standards
  Use of automated "performance measurement" tools
  Integrating security with other standards such as ITIL
Thank you
Graham Hill, CISSP, CISM, ITIL
Manager, IT Advisory - Information Protection Services
KPMG LLP - Seattle, WA
206-913-4069