
Why Privacy & Security Awareness Training?


Presentation Transcript


  1. Why Privacy & Security Awareness Training?

  2. Why is privacy & security awareness training required?
     342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007

  3. Changing Threat Landscape
     • 1997
       • Amateur hackers
       • Web site defacement
       • Viruses
       • Infrequent attacks
     • 2007
       • Organized crime
       • SQL Injections
       • Identity theft
       • Constant threat
       + (in addition to the above)
       • Amateur hackers
       • Web site defacement
       • Viruses
     342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007

  4. Why is privacy & security awareness training required?
     • Threats to data, systems, and networks are increasing.
     • Attacks are more sophisticated.
     • Technology can’t do the job alone.
     • NASCIO and other leading organizations have said this is a high priority.

  5. Why is privacy & security awareness training required?
     • DAS/OIT’s ISO 27001 Security Gap Analysis identified security education and awareness as one of the top areas of concern.
     • Ohio public servants have a responsibility to safeguard data and other IT resources.
     • Ohio and DAS/OIT policies require it.

  6. Why is privacy & security awareness training required?
     • Ohio IT Policy; ITP-B.8; Security Education and Awareness (January 26, 2007)
       Requires state agencies to conduct ongoing information technology security awareness programs for employees and other agents of the state
       In order for an agency's information technology security to be most effective, personnel should be effectively and routinely informed of deployed information technology security measures so that they understand how the measures align with the agency's business objectives and why they exist. Effective information technology security includes security awareness and established individual responsibility. (emphasis added)

  7. What are my responsibilities?
     • Be privacy & security minded.
     • Privacy & security considerations are necessities, not burdens.
     • Consider the impact your actions could have on the security of data and other IT resources.

  8. What are my responsibilities?
     • Be willing to learn.
     • Understand the privacy and security requirements of the networks, systems, devices, and data that are part of your job.
     • Know what data you have.
     • Know with whom you are communicating.
     • Question Question Question
       • “Do we need this data for a business function?”
       • “Should I have access to this data?”
       • “Should I share this data with others?”

  9. What are my responsibilities?
     • Be proactive.
     • Adopt good privacy and security practices at work and at home.
     • Report unusual events.

  10. What are my responsibilities?
     • Seek help and advice.
     • Become familiar with the policies, procedures, and standards that apply to your work environment.
     • When in doubt, ask!

  11. How do I know what to do?
     • Federal & state law
     • Ohio statewide policy
     • Agency Policies
     • Agency Procedures
     • Agency Work Rules
     • Procedures or standards specific to a program or work unit
     • Your team lead, supervisor, or manager
     • Security Officer or Data Privacy Point of Contact
     • Chief Legal Counsel
     • DAS/OIT Risk Management Services
     • Chief Privacy Officer

  12. Where can I get more information?
     • State of Ohio Data Privacy & Security Information Center: http://www.privacy.ohio.gov
     • Ohio IT Policies: http://www.oit.ohio.gov/IGD/policy/OhioITPolicies.aspx
     • Your Agency’s Data Privacy Point of Contact
     • Your Agency’s Chief Legal Counsel
     • State of Ohio Chief Privacy Officer: Sol Bermann, 644-9391, sol.bermann@oit.ohio.gov

  13. Where do I start?
     • Your Agency’s Policies
       • IT Resource Usage
       • Password-PIN
       • Mobile Computing
       • Data Classification
       • Security Education and Awareness
       • Incident Response
       • And more

  14. Where do I start?
     • Special Areas of Concern
       • Sensitive data
       • E-mail
       • Portable computing devices
       • Storage media – electronic and non-electronic
       • Internet & Usage
       • Physical security
       • Exit procedures
       • Incident response

  15. Remember Privacy & Security are everybody’s business!

  16. Questions???
