
Security Training


yvonne


  1. Security Training
     How to detect good and effective training

  2. Auditors and Security Professionals, Oh My
     Auditors / Security
     • Provide a basic guideline of what should be present
     • Provide an idea of what periodic training should look like
     • Provide some ideas that may or may not work in our environment
     • Provide some creative ideas to improve effectiveness
     • Provide a review of what we are looking for when reviewing security training
     • Provide ideas for those cases when our opinion is requested
     • Ensure that the evaluation process is three dimensional

  3. First, What is good training?
     • Good training meets the requirements of Regulation.
     • Good training ideally meets the recommendations of Regulation.
     • Good training covers all areas of the security policy.
     • Good training is periodic.

  4. Regulations
     • HIPAA places Security Training into the addressable category (§164.308(a)(5)(i))
       • The Training is to be periodic
       • The Training is to cover the security policy
     • PCI requires training directly (12.6.1)
       • The Training is to be at least annual
       • The Training is to cover the security policy
       • The Training is to be diverse

  5. Regulations Continued
     • NERC-CIP requires security training (CIP-004-5)
       • The frequency is based on the Impact level of the Systems.
       • The content is based on the Impact level of the Systems.
     • FISMA requires reports regarding training
       • The content is role-based
       • The training is required annually

  6. Good Training: Covers the Requirements
     • Password Complexity
     • Incident Reporting
     • Observational Training
     • Reviewed and Updated
     • Email
     • Internet Use
     • Privacy
     • Social Engineering
     • Encryption
     • Data Handling
     • Locking Workstations

  7. But What Makes Training Effective?
     • Consistent
     • Involved
     • Verified
     • Evaluated
     • Maintained

  8. Consistent
     How can Management expect the staff to adhere to the policy when the enforcement of that policy is ad hoc?
     How can Management expect the Security Training to be useful when the training is unreliable?

  9. Involved
     • Many times we treat security using the top two of the Learning Pyramid
     • Occasionally, we will include audiovisual tools.
     • Demonstration and Discussion are key.
     • Computer training can open the door for the 75% retention range.
     • Students retain differently than Employees

  10. Verified
     • We get a receipt when we buy a donut.
     • We should be verifying attendance and retention.
     • Many CPE courses now contain tests at the end for this very reason.

  11. Evaluated
     • Getting feedback from the trainees is the best way to improve retention.
     • Training tailored to the culture of the environment is ideal.

  12. Maintained
     (image captions: Modern, Ancient, Complicated)

  13. Which leads to the question …
     As long as the security training is effective, why do we care if it is good?

  14. Password or Passphrase
     • There is power in the words we choose. "Password" inherently limits the minds of many; "Passphrase" opens the door to more complex and more effective passwords.
     • Which is more effective? 30SeNpl or I_likew@lks in the rain!
     • Choose words that are more likely to modify the behavior.

  15. Location, Location, Location
     • The golden rule of Real Estate also applies to Office Layout.

  16. Appeal to a Sense of Normalcy
     • When we get out of our cars, we lock the doors.
     • When we leave our homes, we lock the doors.
     • So when leaving our machines, we should lock the screens.
     • Instead of telling them to do something, make the case for why it is logical and normal.

  17. Stigmatize the Unusual
     • When something out of the ordinary happens, the default response is suspicion. This should be encouraged.

  18. Social Media Dangers

  19. Last, but not Least
     • Unsolicited Email Links
     • Unsolicited Attachments

  20. Questions? QA?
