Guide to Implementing an Effective Security Education & Awareness Program

Presented by:

Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma
Shirley Payne, Director, Security Coordination and Policy, University of Virginia
Krizi Trivisani, Chief Security Officer, The George Washington University

Copyright Calvin Weeks, Shirley Payne, Krizi Trivisani 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.


Overview

This presentation will offer help in implementing a security awareness program that teaches physical and system security precautions, establishes realistic expectations, and decreases the overall cost of securing an enterprise network by teaching users to share best practices with peers and by improving security in the workplace and in home work environments.

Calvin Weeks

Introduction and Definitions
Audience
Roles and Responsibilities

Shirley Payne

Collaboration
Institutional Culture

Krizi Trivisani

Policies
Key Issues and Pitfalls
Resources and Samples
Measurement of Success

Introduction

Security programs cannot be successful without good leadership from the very top of your organization down. Even with all the staff, technology, resources, and budget, a Chief Information Officer (CIO) or Chief Security Officer (CSO) will not and cannot secure an environment without the rest of the organization. Every person in your organization plays a very important role in the security of all physical and virtual assets. But, why would anyone be motivated to participate in security? What are the key issues and concerns for your organization, CIO, CSO, directors, staff, faculty, students, parents, system / network administrators, contractors, guests, and many other types of people internally and externally? How do these people know what their role or responsibilities are?

EDUCAUSE Security Awareness & Education Task Force

Mission/Purpose: The Education and Awareness Initiative team will identify and take steps to implement and/or publicize various methods by which awareness of information technology security issues is raised amongst university and college computer and network users, administrators, and executives.

EDUCAUSE Security Awareness & Education Task Force

Team Goals / Expected Outcomes (Deliverables and Metrics):

The team will:

1) Identify current projects and current materials and methods (primarily developed within the higher education and non-profit communities, but also vended products where they have been proven to be, or may be, particularly useful to universities and colleges).
2) Use existing methods available via EDUCAUSE to publicize identified offerings.
3) Where gaps may exist in available offerings, commission development of programs or materials as needed.

EDUCAUSE Security Awareness & Education Task Force

Boundaries for the Team (Scope of Work & Authority): The team will concern itself with education and awareness of

1) end-users (essentially faculty, staff, and students)
2) technicians and administrators who maintain systems for campuses
3) executives.

The team will not venture into the realm of educating security professionals, or into formal for-credit curriculum development.


EDUCAUSE Security Awareness & Education Task Force

Team Leadership:

Co-Chairs:

Kelley Bogart, University of Arizona

Mark Bruhn, Indiana University

Definition

Webster’s New World Dictionary, Third College Edition

Awareness – Knowing or realizing; conscious; informed.
Training – the process or experience of being trained. [train] – to instruct so as to make proficient or qualified.
Education – knowledge, ability, etc. thus developed. [develop] – to become larger, fuller, better, etc.; grow or evolve, esp. by natural processes.


Awareness

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”

National Institute of Standards and Technology (NIST), Special Publication 800-50

Awareness

What behavior do we want to influence?

Examples:

“Change your password every 60 days”

“Sec-U-R-IT-y”

“Secure-IT”

“Time for a checkup: Patches, Virus definitions, passwords”

Awareness Links

http://www.itsa.ufl.edu/posters/passwords.pdf
http://www.itsa.ufl.edu/posters/10reasons.pdf
http://www.asu.edu/it/security/s101/
https://www.itso.iu.edu/howto/
http://security.ou.edu/bestpractices/index.html

Bookmarks

Training

“Training strives to produce relevant and needed security skills and competencies.”

National Institute of Standards and Technology (NIST), Special Publication 800-50


Training

What skills do we want to have learned?

Examples:

Professional development training

Seminars

Workshops

Conferences

Employment job duty performance


Sample Programs

http://security.ou.edu/sec_catalog.htm

http://www.it.ufl.edu/training/

http://register.perfectorder.com/it/2005/workshop.php

http://sans.org/


Education

“Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge…and strives to produce IT security specialists and professionals capable of vision and proactive response.”

National Institute of Standards and Technology (NIST), Special Publication 800-50

Education

What knowledge do we have to share/collaborate?

Examples:

EDUCAUSE National Conference, college degree, 10 years’ experience, and 400 contact hours of training.

Why?

HIPAA
FERPA
GLBA
Sarbanes-Oxley Act
Grant requirements
Compliance
Other local, state, and federal regulations

Does it make a difference?

RPC vulnerability and the Welchia/Nachi attacks – users aware
SQL Slammer attacks – technical education
SoBig.F e-mail attacks – users aware and technical training

Centers of Academic Excellence

The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program, established in November 1998, helps NSA partner with colleges and universities across the nation to promote higher education in information assurance (IA). This program is an outreach effort that was designed and is operated in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, dated May 1998. The program is now jointly sponsored by the NSA and Department of Homeland Security (DHS) in support of the President's National Strategy to Secure Cyberspace, February 2003. The goal of the program is to reduce vulnerability in our national information infrastructure by promoting higher education in information assurance (IA), and producing a growing number of professionals with IA expertise in various disciplines.

59 Centers throughout the US.


Who is our Audience?

Faculty

Staff

Students

Parents

Contractors

Visitors

Community/industry partners - outreach

Target your Audience!

General
Technical/non-technical
Local/remote
Faculty/researchers/professors
Management/staff
System/network administrators/support staff
Students/parents
Home/travel users
HIPAA, FERPA, GLBA, Sarbanes-Oxley
Contractors/new employees

Roles

President or Head
CIO/CSO
Information System Security Officer
Security T.E.A. Program Manager
Directors/managers
Faculty/staff/students/Users


T.E.A. Manager

Training, Education, and Awareness (T.E.A.)

Program/Curriculum development

Course and Instructor coordination

Program promotions

Measure expectations/requirements vs. outcomes/results.

Questions?

When I Go To U.Va….

http://www.itc.virginia.edu/pubs/docs/RespComp/videos/when-I-go-to-UVA-lg.mov

Collaboration

Or, Great Security Education and Awareness With A Little Help From Your Friends!

IT Security Staffing Landscape

What percent of surveyed institutions have a chief IT security officer?

What is the average number of full-time security staff at surveyed doctoral institutions? At baccalaureate institutions?

What percent of surveyed institutions have no formal awareness programs for students, faculty and staff?

From 2003 EDUCAUSE Center for Applied Research Survey

Typical Responsibilities of Security Officers

Strategic Planning
Awareness, Education & Technical Training
Technical Communications (Alerts)
Policy Development
Compliance
Risk Assessment & Business Continuity
Incident Detection & Response


These Responsibilities Require Many Roles To Be Filled

Strategic Planner

Champion

Communications Expert

Teacher

Technical Expert

Policy Writer

Lawyer

Enforcer

Watch Dog

Incident Responder

Etc., etc., etc.


Which Roles Suffer First?

Strategic Planner

Champion

Communications Expert

Teacher

Technical Expert

Policy Writer

Lawyer

Enforcer

Watch Dog

Incident Responder

Etc., etc., etc.


Collaborations Make All The Difference!

New ideas

Access to others' competencies

Expanded scope of influence

Shared labor and cost

Executives

Examples:
Boards of Trustees
Presidents
Vice Presidents & Provosts
Deans & Department Heads
Chiefs of Staff

Potential Gains:
Policy approval
Funding and staffing approval
Influence (directives, reviews, role-models)
Appropriate expectations

Testimonial

Tom Hennessey, Chief of Staff, George Mason University

Shown with permission from the producer Cathy Hubbs, IT Security Coordinator, George Mason University

http://security.gmu.edu/HennesseyResponse.mpg

Faculty, Staff, & Student Leaders

Examples:
Chief of Human Resources
Faculty Senate Chair
Dean of Students
Student Council
Dorm Resident Advisors
Student Honor Committee

Potential Gains:
Input on security awareness plans
New champions
Peer-to-peer influence

Central IT Staff

Examples:
Network and System Engineers
User Support Staff, e.g. Help Desk

Potential Gains:
Identification of problem areas, emerging threats, and priorities
Security alerts
Security awareness tool development

Departmental Staff

Examples:
System Administrators
Office Managers

Potential Gains:
Input on security awareness needs and priorities
Input on guidelines and policies
Security champions in their departments
Dissemination of security alerts within their departments

Departments with Security Interests

Examples:
Audit Department
Legal Counsel
Campus Police

Potential Gains:
Participation in awareness events
Input on awareness priorities
Contribution to development of guidelines and policies


Interested Faculty & Students

Examples:

Instructors

Student class projects

Potential Gains:

Participation in awareness events

Input on awareness tool design

Tool development


Communications Experts

Examples:

Public Relations Office

Campus and Community Press

Potential Gains:

Design of professional literature

Development of creative marketing tools that deliver the security message in unique and innovative ways

Communication of alerts, events and other information

Security Experts & Organizations

Examples:
EDUCAUSE http://www.educause.edu/security
Virginia Alliance for Secure Computing & Networking http://vascan.org
Others:
• SANS Institute http://www.sans.org
• CERT Coordination Center http://www.cert.org
• CERIAS http://www.cerias.purdue.edu
• NIST Computer Security Resource Center http://csrc.nist.gov
• and many more

Potential Gains:
Multiple perspectives
Fresh ideas
Eliminates wheel reinvention

Back to that U.Va. video…

Collaborators:
Concept and story board – IT Publications staff
Video production – School of Continuing & Professional Studies
Actors – children of IT staff
Closed captioning – local commercial firm

Cost was less than $3,000

Making Collaborations Work

Choose Long-term Collaborators Carefully

Should have common goals

Should be recognized benefits on both sides

Should be based upon mutual trust


Manage the Collaborations

Set realistic expectations

Communicate well

Resolve issues quickly

Periodically review collaboration health

Recognize their contributions

Institutional Culture

Or, When in Rome…

What Defines Culture?

Strategic Planning and Decision-Making Examples:

• Top-down
• Bottom-up
• Consensus-based

Institutional Values Examples:

• Student honor code
• Strong faculty influence
• Emphasis on accountability at all levels of institution
• High bond rating


What Defines Culture?

Control of Operational Functions Examples:

• Centralized

• Decentralized

Long-term Institutional Priorities Examples:

• Increase research

• Increase community outreach

Other influences on culture?

Ideas For Using Culture

Decentralized Control Over Computing

Formalize and leverage network of departmental system administrators

How? Some Examples:

University of Virginia LSP Program
http://www.itc.virginia.edu/dcs/lsp

George Mason University SALT Group
http://itu.gmu.edu/security/sysadmin/salt-description.html

Ideas For Using Culture

Increasing Emphasis on Compliance

Spotlight Federal Regulations Related to Security & Privacy

How? Some Examples:

IT Security for Higher Education: A Legal Perspective
http://www.educause.edu/ir/library/pdf/csd2746.pdf

Family Educational Rights & Privacy Act
http://www.ed.gov/policy/gen/guid/fpcp/ferpa/index.html

Gramm Leach Bliley Act
http://www.ftc.gov/privacy/glbact/index.html

Health Insurance Portability & Accountability Act
http://www.hhs.gov/ocr.hipaa

Ideas For Using Culture

Strong Leadership at the Top

Make Executive-level Awareness a Top Priority

How?

ACE Letter to Presidents Regarding Cybersecurity
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

Information Security: A Difficult Balance
http://www.educause.edu/pub/er/erm04/erm0456.asp

Gaining the President’s Support for IT Initiatives at Small Colleges
http://www.educause.edu/apps/eq/eqm04/eqm0417.asp

Presidential Leadership for Information Technology
http://www.educause.edu/ir/library/pdf/erm0332.pdf


Changing Culture

Awareness, education, and training change attitudes

Changing attitudes can force change in institutional culture.

Also, major security incidents should initiate examination of cultural influences and possible need for change

Changing Culture

Real Life Example (real name changed to protect the guilty)

Changing Culture

I hear and I forget.
I see and I remember.
I do and I understand.

Chinese Proverb

Exercise

Divide into groups.
Assign a target audience to each group: Executives, Administrative staff, Students, Faculty, Researchers, IT professionals.
Brainstorm ideas for building awareness (8 minutes).
Prepare a bulleted list.
Select a spokesperson.
Share results.

Cool Examples!

Policies
Key Issues and Pitfalls
Resources and Samples
Measurement of Success

Let’s Play!

I’ve Got Email is an educational form of bingo that incorporates IT security related words and phrases. This is a good activity for a security or IT department. Play it as a normal bingo game, but when someone gets five in a row (or four corners, etc.) they shout “I’ve Got Email!” To add an additional educational effect, you might ask them to explain each of the terms in the winning row.

I’ve Got EMAIL (sample card; columns E M A I L, FREE center square)

Terms on the card:

Router
Virus
Standards
Risk
Information Warfare
Phishing
Certification
Linux
Reliability
User ID
Privacy
Interface
Authorization
Sniffer
Technology
Solution
Architecture
Detection
Password
Policies
Modules
Firewall
Alert
Monitor

www.securityawareness.com
Copyright 2000-2004 Security Awareness, Inc - All Rights Reserved
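To run the game described above at an awareness event, a card generator and a win checker are enough. The block below is an added example and is not code from the presentation or from Security Awareness, Inc.; the 24 terms are the ones on the sample card, while the random 5x5 layout with a FREE center square and the helper names (make_card, check_card, play) are this example's own assumptions. check_card returns the words on the completed line, which is exactly the list the winner is asked to explain, and it accepts five-in-a-row in any row, column or diagonal as well as four corners.

```python
"""Card generator and win checker for "I've Got Email" security-term bingo.

Added example; not code from the presentation or from Security Awareness, Inc.
The 24 terms are those printed on the sample card. Random placement on a
5x5 grid with a FREE center square is an assumption about the card layout.
"""
import random
from typing import List, Optional, Sequence, Tuple

SIZE = 5
FREE = "FREE"

# The 24 terms from the sample card ("Information Warfare" read as one square).
TERMS = [
    "Router", "Virus", "Standards", "Risk", "Information Warfare", "Phishing",
    "Certification", "Linux", "Reliability", "User ID", "Privacy", "Interface",
    "Authorization", "Sniffer", "Technology", "Solution", "Architecture",
    "Detection", "Password", "Policies", "Modules", "Firewall", "Alert", "Monitor",
]

Card = List[List[str]]
Cell = Tuple[int, int]


def make_card(seed: Optional[int] = None) -> Card:
    """Shuffle the 24 terms onto a 5x5 grid; the center square is FREE."""
    rng = random.Random(seed)
    squares = rng.sample(TERMS, SIZE * SIZE - 1)   # distinct terms, random order
    squares.insert((SIZE * SIZE) // 2, FREE)       # index 12 -> row 2, column 2
    return [squares[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]


def winning_lines() -> List[List[Cell]]:
    """Every five-in-a-row line plus the four-corners pattern the rules allow."""
    rows = [[(r, c) for c in range(SIZE)] for r in range(SIZE)]
    cols = [[(r, c) for r in range(SIZE)] for c in range(SIZE)]
    diagonals = [[(i, i) for i in range(SIZE)],
                 [(i, SIZE - 1 - i) for i in range(SIZE)]]
    corners = [(0, 0), (0, SIZE - 1), (SIZE - 1, 0), (SIZE - 1, SIZE - 1)]
    return rows + cols + diagonals + [corners]


def check_card(card: Card, called: Sequence[str]) -> Optional[List[str]]:
    """Return the terms on the first completed line (the ones the winner must
    explain), or None if no line is complete. Matching ignores case and
    surrounding whitespace; the FREE square always counts as called."""
    marked = {t.strip().lower() for t in called} | {FREE.lower()}
    for line in winning_lines():
        words = [card[r][c] for r, c in line]
        if all(w.lower() in marked for w in words):
            return words
    return None


def call_sequence(seed: Optional[int] = None) -> List[str]:
    """The caller's draw order: all 24 terms in random order."""
    return random.Random(seed).sample(TERMS, len(TERMS))


def play(card_seed: int, call_seed: int) -> Tuple[int, List[str]]:
    """Simulate one game: how many calls it took and the winning line."""
    card = make_card(card_seed)
    called: List[str] = []
    for term in call_sequence(call_seed):
        called.append(term)
        line = check_card(card, called)
        if line is not None:
            return len(called), line
    # Unreachable: once all 24 terms are called every row is complete.
    raise RuntimeError("all terms called without a win")


if __name__ == "__main__":
    for row in make_card(seed=2004):
        print(" | ".join(f"{w:>20}" for w in row))
    calls, line = play(card_seed=2004, call_seed=7)
    print(f"win after {calls} calls: {line}")
```

Printing a card with a fixed seed lets you hand out reproducible cards; a different seed per player gives each a distinct grid from the same term list.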

Security Implementation Relies On:

Process
People
Technology

Systems must be built to technically adhere to policy.

People must understand their responsibilities regarding policy.

Policies must be developed, communicated, maintained and enforced.

Processes must be developed that show how policies will be implemented.

Policies

The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines and other supporting documents will spring. As with any foundation, it is important to establish a strong footing.

Why Implement a Security Policy?

In the absence of an established policy, the University’s current and past activities become the de facto policy.

With no formal policy to defend, the University may be in greater danger of a breach of security, loss of competitive advantage, loss of customer confidence, and government interference.

By implementing policies, the University takes control of its destiny.


Why Implement a Security Policy?

The goal of an information security policy is to maintain the integrity, confidentiality and availability of the information resources.

The basic threats that may prevent the University from reaching this goal are unauthorized access, modification, disclosure or destruction - whether deliberate or accidental - of the information or the systems and applications that process the information.

Why Implement a Security Policy?

When developing the policy, there is as much danger in saying too much as there is in saying too little.

The policy should provide the direction required by the University while maintaining business unit management discretion in the actual implementation of the policy.

The more intricate and detailed the policy, the more frequent the update requirements and the more complicated the training process for users.

Policy Structure

Laws, Regulations, and Requirements
Policy
Standards
Procedures, Practices
Guidelines


Awareness and Training on the Security Policy

Now you have a policy… but has anyone read it?

Or better yet… do they understand it?

Policy resources:

http://www.educause.edu/CampusPolicyInitiatives/332

Key Issues and Pitfalls

Make sure your Implementation Plan for the Security Policy includes training!
Make sure your training materials and policy are not in conflict.
Know your audience and adjust your training as appropriate by keeping their needs in mind.
Get feedback!
BUDGET for training and awareness.
Utilize free resources and solicit volunteers, interns, and partnerships with departments and other Universities.


Resources

The Education & Awareness Working Group of the EDUCAUSE/Internet2 Security Task Force compiled cyber security awareness resources that will be distributed on a CD.

The resources were collected to showcase the variety of security awareness efforts underway at institutions of higher education and to provide resources for colleges and universities that are looking to jump-start a program for their organization. 

What’s on the CD?

Pamphlets
Links to School’s Security Web Page(s)
Videos
Security Awareness Documents
Security Cards
Security Quizzes
Scripts
Surveys
Security Tools
Book Marks
Brochures
Checklists
Flyers
Games
Government Resources
Handouts
Post Cards
Presentations

Measurement of Success

Surveys
Quizzes
Password Cracking
Reduction/Increase in infections
Audits – baseline then monitor progress
Metrics (and yes, color graphics are worth it when presenting to management)
Incentives and recognition to most improved and others actively working to increase security in their departments
Lather, rinse, repeat!
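The "baseline then monitor progress" and "most improved" items above imply a small metrics pass: take one audit before the campaign, one after, and compute per-department change. The block below is an added example, not from the presentation; the department names, counts and pass rates are constructed sample data, the 60-day password-age rule is the one quoted in the Awareness examples earlier in the deck, and the combined "most improved" score (infection reduction plus quiz and password-compliance gains) is this example's own choice. It also handles the two edge cases a real audit hits: a department with zero infections at baseline (percent change is undefined, so it is reported as None rather than dividing by zero) and a department that regressed, which is flagged for follow-up rather than silently ranked.

```python
"""Awareness-program metrics: baseline audit vs. follow-up audit per department.

Added example, not from the presentation. It computes the per-department change
in infections, quiz pass rate and password-age compliance, flags units that
regressed, and picks the "most improved" unit for the recognition step.
All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Audit:
    """One audit snapshot of a department (constructed sample values)."""
    department: str
    infections: int        # malware infections recorded during the audit period
    quiz_pass_rate: float  # fraction of staff passing the security quiz, 0..1
    stale_passwords: int   # accounts whose password is older than 60 days
    accounts: int          # accounts examined in the password audit


def percent_change(before: float, after: float) -> Optional[float]:
    """Relative change from the baseline; None when the baseline is zero."""
    if before == 0:
        return None
    return (after - before) * 100.0 / before


def password_compliance(audit: Audit) -> float:
    """Share of audited accounts within the 60-day password rotation rule."""
    if audit.accounts == 0:
        return 1.0
    return 1.0 - audit.stale_passwords / audit.accounts


def compare(baseline: Dict[str, Audit], followup: Dict[str, Audit]) -> Dict[str, dict]:
    """Per-department deltas; departments missing from either audit are skipped."""
    report: Dict[str, dict] = {}
    for dept in baseline.keys() & followup.keys():
        b, f = baseline[dept], followup[dept]
        report[dept] = {
            "infection_change_pct": percent_change(b.infections, f.infections),
            "quiz_delta": round(f.quiz_pass_rate - b.quiz_pass_rate, 3),
            "password_compliance_delta": round(
                password_compliance(f) - password_compliance(b), 3),
            # Worse on either headline measure: needs follow-up, not a prize.
            "regressed": f.infections > b.infections
                         or f.quiz_pass_rate < b.quiz_pass_rate,
        }
    return report


def most_improved(report: Dict[str, dict]) -> str:
    """Department with the largest combined gain (fewer infections counts as a gain)."""
    def score(item: Tuple[str, dict]) -> float:
        r = item[1]
        inf = r["infection_change_pct"]
        infection_gain = 0.0 if inf is None else -inf / 100.0
        return infection_gain + r["quiz_delta"] + r["password_compliance_delta"]
    return max(report.items(), key=score)[0]


# Constructed audits: a baseline before the awareness campaign and a follow-up after it.
BASELINE = {
    "Library":   Audit("Library",   infections=20, quiz_pass_rate=0.50, stale_passwords=40, accounts=100),
    "Registrar": Audit("Registrar", infections=0,  quiz_pass_rate=0.80, stale_passwords=10, accounts=50),
    "Physics":   Audit("Physics",   infections=10, quiz_pass_rate=0.60, stale_passwords=30, accounts=60),
}
FOLLOWUP = {
    "Library":   Audit("Library",   infections=5,  quiz_pass_rate=0.85, stale_passwords=10, accounts=100),
    "Registrar": Audit("Registrar", infections=2,  quiz_pass_rate=0.90, stale_passwords=5,  accounts=50),
    "Physics":   Audit("Physics",   infections=12, quiz_pass_rate=0.55, stale_passwords=30, accounts=60),
}


def build_report() -> Tuple[Dict[str, dict], str]:
    """Run the comparison on the sample audits."""
    report = compare(BASELINE, FOLLOWUP)
    return report, most_improved(report)


if __name__ == "__main__":
    report, winner = build_report()
    for dept, r in sorted(report.items()):
        print(dept, r)
    print("most improved:", winner)
```

Feeding the same functions the next audit cycle ("lather, rinse, repeat") turns the one-off comparison into the trend line management wants to see; keeping the raw counts rather than only percentages is what makes the zero-baseline case explainable later.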

Measurement of Success

Did you meet the goals of your awareness program? Did you set goals?

Sample: To reduce risk by implementing best practice information security programs while balancing academic freedom.

What are the Goals of GW's Security Awareness Program?

To educate members of the University community
To identify and address risk
To promote and encourage good security habits

Exercise

Divide into groups.
You are planning your first Cyber Security Awareness Day for your campus. What are your goals? What will the event involve? How will you make it interesting for your audience?
Brainstorm ideas (8 minutes).
Prepare a bulleted list.
Select a spokesperson.
Share results.

Questions?

Contacts:

Calvin Weeks [email protected]
Shirley Payne [email protected]
Krizi Trivisani [email protected]