
 Building an IT Security Awareness & Training Program


file time: 2008-02-16

filetype:ppt


1  

Building an IT Security Awareness & Training Program 

Mark Wilson

Computer Security Division, ITL

National Institute of Standards and Technology

-  November 1, 2001  -

mark.wilson@nist.gov

(301) 975-3870 (voice)         (301) 948-0279 (fax)

http://csrc.nist.gov/


2  

Cornerstones for Success 

- Policy
- Roles and Responsibilities
  - CIO
  - IT Security Program Manager
  - Managers
  - Users
- Budget
- Management Support . . . Commitment

3  

A Life-cycle Approach 

- Identify Needs
- Design
- Develop
- Implement
- Maintain

4  

Designing Your Awareness & Training Program 

- Build a Strategy
  - Determine Organization's Needs
  - Needs Assessment
  - Incorporating Results of Program Reviews
- Develop an Awareness and Training Plan
  - Identify Audiences; Scope Needs; Establish Priorities; Set the Bar; Get Mgmt/Org Buy-in!

5  

Developing Your Awareness & Training Material 

- Policy and Guidance Issues
  - Your program is dependent on policy
  - OMB Circular A-130, Appendix III
  - NIST guidance - http://csrc.nist.gov
- Infrastructure & Deployment Issues
  - Web-based deployment the common theme
  - CD-ROM

6  

Developing Your Awareness & Training Material 

Developing Awareness Material: Samples

- Password usage/creation/changes
- Protection from viruses - scanning and updating
- PDA security issues
- Laptop security while on travel
- Personal use and gain issues
- Software patches and security settings on client systems
- Software license restriction issues

7  

Developing Your Awareness & Training Material 

Developing Awareness Material: Sources

- E-mail advisories
- On-line IT security daily news websites
- Periodicals
- http://csrc.nist.gov/ATE
- http://csrc.nist.gov/organizations/fissea
- . . . previous conference presentations

8  

Developing Your Awareness & Training Material 

Developing Training Material: Sources

- In-house
- Contractors/vendors
- Mix of in-house and contractor support
- http://csrc.nist.gov/ATE
- . . . NIST Special Publication 800-16

9  

Implementing Your Awareness & Training Material 

- Messages on trinkets: e.g., key fobs, post-it notes, notepads, first aid kits, clean-up kits, diskettes with a message, frisbees, "Gotcha" cards
- Posters
- Access (to my PC) lists
- "Do and Don't" lists

10  

Implementing Your Awareness & Training Material 

- Screensavers, warning banners/messages
- Newsletters
- Desk-to-desk alerts
- Organization-wide e-mail messages
- Videotapes
- Web-based sessions
- Organization's IT security homepage

11  

Implementing Your Awareness & Training Material 

- Computer-based sessions
- Teleconferencing sessions
- In-person, instructor-led sessions
- "Brown bag" seminars
- Rewards programs - plaques, mugs, letters of appreciation
- . . . all-hands meetings (public humiliation) ;-)

12  

Maintaining Your Awareness & Training Program 

Monitoring Success - Use of Evaluation and Feedback

- Evaluation forms (classroom)
- Web- and computer-based evaluations
- Pre- and post-testing
- Feedback from management and users

13  

Maintaining Your Awareness & Training Program 

Managing Change

- Technological
- Architectural
- Organizational
- Raising the Bar

14  

Common Themes in Successful Programs 

- Budget = Successful Program
- Defined Roles = Successful Program
- Web-based Material
- Keep Material Interesting and Current
- Movement Toward Professionalization
- Training Plans
- Mix of Awareness and Role-based Training

15  

Questions? 

Mark Wilson

NIST

mark.wilson@nist.gov

(301) 975-3870 (voice)

(301) 948-0279 (fax)

http://csrc.nist.gov/

http://csrc.nist.gov/ATE

http://csrc.nist.gov/organizations/fissea
