Building a Culture of IT Security Awareness


DESCRIPTION

IT security is the responsibility of each member of the community. By leveraging existing university governance structures, collaborating with departments, and using a multitude of communication tools, the University of North Carolina at Wilmington has developed a layered approach to IT security and created a culture of security, which has resulted in a better network and improved data security for the community. As an example, we ensure that Computrace is installed on university-owned computers (and provide it for students at a discount). This program garnered the 2010 EdTech Digest IT Security Office Recognition Award and, most recently, UNCW won the Center for Digital Government's Cybersecurity Leadership and Innovation Award in 2013.

OUTCOMES:
• Learn how to use governance and collaboration to build cross-campus IT security awareness
• Learn how to establish programs and outreach such as certifications for system admins and new student, faculty, and employee training
• Learn how to leverage and collaborate with other campus initiatives to thread in IT security

http://www.educause.edu/events/security-professionals-conference/2014/building-culture-it-security-awareness


EDUCAUSE Security Professionals Conference

Building a Culture of IT Security Awareness
May 7, 2014


The tale of two campuses

IT Security Awareness: a Process

• Foundation
• Build relationships
• Build Culture
• Resources, Training & Service
• Multi-layer approach
• Emerging Challenges
• Opportunities
• CISO Frustrations


Foundation

• Start in ITS
– Ensure CIO support
– Establish Chief Information Security Officer
– Establish IT culture

• Develop program(s) in accordance with industry standards and generally accepted security principles

• Understand environment and context as it relates to Security
• Understand any decentralized organizations or other areas of sensitivity
• Establish short and long term awareness goals and measures
• Establish strategic buy-in at the executive level


Build Relationships

• Meet key stakeholders
• Establish viable and robust working relationships
• Create or utilize campus governance/organizations
• Develop a community approach conveying the idea of "What's In IT For Me?"
• Be supportive of the initiatives of others within the organization
• Build infrastructure and services to support decentralized IT organizations
• Formalize relationships and responsibilities


Activity: Governance & other organizations

• Who are the key stakeholders?

• What governance or other organizational structures do you use?

• Who are the members?

Build Culture/Empower

• Give the principal parties responsibility and resources/support for securing data

• Develop an operational non-punitive climate that is information security conscious

• Embed IT Security into everything
• Offer training, support and services
• Establish processes with units across campus
• Provide debriefs and documentation if/when necessary
• Be a resource; be proactive


Resources, Training & Services

• Empower data stewards and others
• Participate in faculty, staff and student orientation
• Provide scans or other services for decentralized IT
• Establish CBTs (or other training) for all (central and decentralized) System Admins
• Provide just-in-time training
• Develop presentations
• Train administrators such as Student Affairs officers on DMCA


Activity: How do you keep your campus informed?

• Phishing
• Vulnerabilities
• DMCA/RIAA
• Viruses
• Etc…

Layers

• Orientations
• DMCA & Safe computing in ITS comprehensive new student communication
• Security Corner in every ITS Bulletin
• Presentations across campus
• Regional and National organizations and activities
• Endpoint/data protection, free antivirus, anti-phishing campaign, Be Safe campaign


Emerging Challenges

• BYOA
• Work from anywhere
• ID Management
• Social networking
• Cloud
• Others?


Opportunities

Utilize these to establish ongoing buy-in:
• Educause
• Cybersecurity month
• DR/BC planning
• Incidents in the news
• Legal/Audit
• Organizations/governance

Source of CISO Frustrations

• Unresourced expectations
• Inconsistency in policy/rule enforcement
• "It won't happen to us" attitude
• "It's gonna happen and we can't do anything about it."
• "It's IT's problem"


Samples


"Information Security is Everyone's Business"

"Remember, when it comes to secURITy, U R IT"
