A brief overview regarding risks to information security due to poor awareness and irresponsible behavior. Based on my methodology HIMIS (Human Impact Management for Information Security). To know more about HIMIS, visit http://www.isqworld.com/himis
Creating a RESPONSIBLE Information Security Culture
Presented by Anup Narayanan, First Legion Consulting
[Diagram: Information / Employees]
What is the problem?
[Diagram: Client/customer data, regulatory data, financial data, employee data, business information]
Most problems are a cultural issue:
• The new-generation employees talk about business on Facebook and Orkut, or store information in mobile devices
• Many make mistakes while sharing information through email, phone, printing or even while traveling
Poor Information Security Awareness and Behavior impacts the business
If you are interested in financial data!
* Average annual loss due to computer crimes shot up to $350,424 per company in 2007 from $168,000 in 2006
* Insider abuse of network access or e-mail is the No. 1 threat
Note - The numbers are debatable, but what matters is that “money” is involved and hence it matters
* Source: Computer Security Institute Survey
Principal focus: “Awareness” is not “Behavior”
Awareness: Everyone knows traffic rules
Behavior: Few follow them
Reason: Culture; Quality of enforcement
12/29/2008
(C) First Legion Consulting. All Rights Reserved
Definitions: Awareness, Behavior & Culture
Awareness
• Knowledge or understanding of an object, idea or thought
Behavior
• The action or reaction of a person under specific circumstances
Culture
• The attitudes and “BEHAVIOR” that are characteristic of a particular social group or organization
To change behavior???
“All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
What is the challenge?
The Challenge
Stage 1: I don’t know
• I don’t know about password security (No awareness)
Stage 2: I know but I don’t do
• I know about password security (Awareness)
Stage 3: I know and I do
• I practice password security (Awareness and Behavior)
Focus on the “3rd” angle of Information Security - PEOPLE
Technology and processes are only as good as the people who use them
[Diagram: Technology (Firewall), Process (ISO 27001), People??]
Why does focusing only on “awareness” not produce results?
Case Study
Analysis of an Information Security “Awareness” Project
Client name: with-held
Type of industry: Retail
No. of employees: 5000+
Position: Market Leader
Type of Information handled: Customer data, Intellectual Property
Spending on Information Security Awareness: USD 100,000
Spending Vs. Returns
Awareness that was spread:
• Sharing of company/customer information is wrong
• Sensitive Information must be protected
• Access Control Cards must be protected
• More….
Behavior created: What we found?
• Customer records were leaked to competitor
• Salary information of top executive was given to head hunter (job recruiting firm)
• Printouts lying unattended
• Visitors can enter the facility without informing security guard
• More….
What was the problem?
Problem 1: Poor “Visibility” & “Clarity”
Problem 2: Poor “Enforcement”
Problem 1: Poor Visibility & Clarity
An organization has many “rules” and “regulations”
Where is the “information security rule?”
The workforce is confused !!
Example: What are the employees saying?
Message in the campaign
• Don’t share passwords
Employee reaction (3 employees)
• Which password? Desktop, Sales ERP, Document passwords?
• I am stuck in a traffic jam, have to update my sales calls by 6 p.m. Tell me what I should do?
• I am sorry, but I didn’t know that there was a policy like this
Message in the campaign
• Protect Sensitive Information
Employee reaction
• To me all information is sensitive
• Does this mean that I cannot share it even with my colleagues?
• How do I protect?
More reactions!
“It takes 48-96 hours to get a password reset – What should I do, not do my work?”
“I get these annoying “Security Screen Savers” every 90 seconds. Why so much overkill!!”
“We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these “unaware” employees?”
Root cause analysis
Poor Visibility - 50% of the workforce are off-role employees, they don’t have an email ID – Not covered in the campaign
Poor Clarity – Examples
• “See something suspicious – Report it”
• “Don’t share passwords”
• “You have zero privacy anyways – Get over it”
Poor business relevance
• Generic
• Not business specific
Poor enforcement
Problem 2: Poor Enforcement
Awareness: “I know, but I don’t do”
Behavior: “I know and I do”
Migration is determined by ENFORCEMENT
Remember !!
The poster near the water cooler is great for the 1st 2 weeks
Then it BLENDS into the environment
Solution model
[Diagram: Methodology, Content (Awareness), Enforcement]
First, Methodology
[Diagram: Methodology, Content, Enforcement]
Methodology: HIMIS™ - Human Impact Management for Information Security
Creative Commons License, Free for Non-Commercial use
Download from www.himis.org, created and owned by First Legion
What can you do with HIMIS?
1. Assess the current level of Information Security Awareness and Behavior
2. Understand the business impact
3. Define “Desirable Information Security Behavior” for each function group (HR, R&D, Finance etc.)
4. Define “Enforcement Strategies”
5. Create a roadmap, measure and monitor
HIMIS: Notes
DNV (Det Norske Veritas), a leading “Safety Risk Management Company”, has created an “Independent Assessment Model” for HIMIS
HIMIS is the first “Information Security Behavior” methodology to achieve this
Vodafone India is the first organization to undergo the verification assessment through DNV
Next, Content
[Diagram: Tool, Content, Methodology]
Importance of Content
Content is a key propellant for creating good Information Security awareness
Qualities of a good Information Security Awareness Campaign
Defined by HIMIS
The campaign must have
• Reach
• Visibility
Content must have the following qualities
1. Business relevance: Not generic but Specific
2. Impact visualization: Show what can go wrong
3. Consider cultural factors: Consider the characteristics of the population
4. Clarity & Ease of understanding: Keep it simple; less jargon
“I can’t attend the information security training”
• I have to prepare a report
• I will be on vacation
• I am traveling on business
• I have a meeting
People are busy!
Fact: Inputs to designing a good security awareness campaign
Security Awareness Campaign
• How clear is my language?
• Is the impact visualized clearly?
• What’s my workforce?
• Who am I talking to?
• What information do they access?
Next, Enforcement
[Diagram: Enforcement, Content, Methodology]
Remember!
Awareness: “I know, but I don’t do”
Behavior: “I know and I do”
Migration is determined by ENFORCEMENT
Solution Model
Create two teams:
• The Core Information Security Management Team
• A Team of Information Security Champions
Tasks
• The Core Information Security Management Team will create the “Enforcement Strategies”
• The Information Security Champions will assess the awareness and behavior levels, create awareness and provide feedback
• The Core Information Security Management team will enforce awareness strategies based on the feedback
The Solution: Steps of Execution
Step 1 – Core team defines the Enforcement Strategies
Step 2 – Create a team of “Information Security Champions”
• The champions will be trained on Information Security Awareness and Behavior Management
• The champions will be given tools to analyze and record awareness and behavior levels
Step 3 – Support the champions with “Information Security Awareness Content”
• The champions will be given a set of content to be distributed to their target group
• The content will be created after taking the inputs from the champions
Step 4 – The champions provide the feedback to the core team for enacting enforcement strategies
What is the benefit of this model?
1. Information security enters a micro level (functional level) rather than being at a superficial top level
2. Information security awareness is tailor-made for each functional level
   Eg:- A champion from Finance team will focus on protecting financial data
   Eg:- A champion from HR team will focus on protecting privacy of employee records
3. Business relevance – The champions will give inputs for creating information security awareness content
What is the benefit of this model? (Contd….)
4. The champions will be assigned targets that will be monitored and measured
5. You gain an internal capability to manage information security awareness rather than depending on an external consultant
The importance of Enforcement & how it produces results
Case Study
Case Study 1: IT Business
Company
• Offshore Development, 3 Centers in India
• Young workforce: Majority between 22-27
Security Rules
• Don’t forward emails with unofficial attachments
• No downloads of videos, music, freeware
• No storage of personal content in official systems
Case Study 1: IT Business
What we did
• Quarterly “End-User Desktop Audits”
• Findings were immediately “Signed and Agreed by Auditee”
• Disputes were noted and “Signed”
• Audit findings were submitted to InfoSec Team
The key: Repetition and Consistency
Whatever “Enforcement Strategy” you may decide, the key is “Repetition and Consistency”
Remember!!
Time and resource requirements
• A roadmap of 3 years
• A team of InfoSec Champions for year 1 targeting approximately 5% - 10% of the total workforce (One champion per 50-100 users)
• Average effort of 18 man-hours per champion per year: 6 hours in quarter 1, 4 hours each in remaining 3 quarters
Additional notes
The solution model is ISO 27001 aligned
The targets that this solution will achieve will help in complying with “Human Resources Security” (Domain A.8 of ISO 27001:2005)
Closing notes: To change behavior
“All behavior is learned through the consequences that follow. If a person likes the consequence, the behavior will be repeated; if a person does not like the consequence, the behavior is less likely to be repeated.”
Presented by
Anup Narayanan, CISA, CISSP
Founder & Sr. [email protected]
www.firstlegion.net