Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration...

Security Training & Awareness (02) Thomas Levy


Agenda

1. Aims: Reducing Cyber Risk
2. Information Risk Management
3. Secure Configuration
4. Network Security
5. Managing User Access
6. Education & Awareness
7. Incident Management
8. Malware Prevention
9. Monitoring
10. Removable Media
11. Mobile Working
12. Summary

Aims: Reducing Cyber Risk

• Identify
• Monitor
• Maintain

Information Risk Management

• Adopt a framework
• Determine baseline level of risk for organisation
• Regularly discuss risk at board meetings
• Treat risk as a lifecycle

Secure Configuration

• Implement hardware / software asset register
• Baseline security builds for all network components
• Daily updates / patches
• Regularly scan for vulnerabilities

Network Security

• Protect
• Monitor
• Test

Managing User Access

• Limit admin accounts
• Monitor & audit users
• Establish account management process

Education & Awareness

• User security policy
• Staff security induction
• Refresher training on security threats
• Formal assessment of staff knowledge

Incident Management

• Incident response
• Disaster recovery
• Senior manager approval

Malware Prevention

• Anti virus throughout organisation
• Regular malware scans
• Regularly update anti virus

Monitoring

• Systems
• Network traffic

Removable Media

• Policies
• Scanning
• Encryption
• Corporate v Personal

Mobile Working

• Policy
• Awareness
• Security Baselines

Information Assurance Cuboid

Summary

• Choose a security framework
• Create policies
• Monitor