Posted on 20-Dec-2015
1
New York State Higher Education CIO Conference
West Point - July 2005
Building an Information Security Culture in a Global Enterprise
Jane Scott Norris, CISSP CISM
Chief Information Security Officer
U.S. Department of State
2
Information Security Program
Designed to Protect INFORMATION
Policy and Procedures
• To support business objectives while considering security requirements
Informing users of their responsibilities
• Employees must know policies, understand their obligations, and actively comply
Monitoring and review of program
3
Information Security Drivers
Constantly changing IT
Increasing connectivity
Rush to market
Readily available hacking tools
Increasing Risk
Only as strong as the weakest link
Insider threat is always greatest: deliberate, careless, irrational or uninformed
4
3 Waves of Information Security
Technical Wave
• Authentication and access control
Management Wave
• Policies, procedures
• CISO and separate security staff
Institutionalization Wave
• Information Security Awareness
• Information Security Culture
Standardization, certification and measurement
Human Aspects
Von Solms (2000)
5
It’s A People Problem
Information and Information Systems Security:
Products: H/W and S/W
Processes: Management, Operational
People: Users, Administrators
Ensuring that employees receive tailored and timely awareness, training, and education is paramount to maintaining effective security
6
The Security Gap
Security technology is essential
• Firewalls, anti-virus, intrusion detection, encryption etc.
Technology is not enough
• Gartner: 80% of downtime is due to people and processes
The tighter the security controls, the harder they are to break, and the target becomes the user
• Technology can make it difficult to forge IDs but can’t stop people getting real IDs under fake names
Technology can never stop social engineering
• People are still tricked into disclosing their passwords
Creating and maintaining a security culture is critical for closing the security gap
7
People and Machines
Security controls deal with known risk
People spot irregularities
Employees that are security conscious and correctly trained
• Develop a “feeling” for what is “normal” behavior
• Recognize unusual, unexpected behavior
Employees need to
• Adapt to new scenarios
• Report and act on incidents
A well informed workforce helps to promulgate good security habits, and to identify and mitigate problems quickly
8
Awareness, Training & Education
Comparative Framework

                        | Awareness                                        | Training                                                                  | Education
Attribute               | What                                             | How                                                                       | Why
Level                   | Information                                      | Knowledge                                                                 | Insight
Learning Objective      | Recognition & Retention                          | Skill                                                                     | Understanding
Example Teaching Method | Media: videos, newsletters, posters              | Practical instruction: lecture and/or demo, case study, hands-on practice | Theoretical instruction: seminar and discussion, reading and study, research
Test Measure            | True/False, multiple choice (identify learning)  | Problem solving, recognition & resolution (apply learning)                | Essay (interpret learning)
Impact Timeframe        | Short-Term                                       | Intermediate                                                              | Long-Term

“The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991 as quoted in NIST SP 800-16
9
Security Awareness Program
Communicate security requirements
• Policy, rules of behavior
Communicate Roles and Responsibilities
Improve understanding of proper security procedures
• At work and at home
Serve as basis for monitoring and sanctions program
Majority of organizations view security awareness as important, although they do not believe they invest enough in this area.
2004 CSI/FBI Computer Crime and Security Survey
10
NIST Guidance
NIST SP 800-53: “An effective information security program should include … security awareness training to inform personnel of the information security risks associated with their activities and responsibilities in complying with organizational policies and procedures designed to reduce these risks”
NIST SP 800-50: “Awareness involves guiding and motivating people on appropriate behaviors”
NIST SP 800-16: The fundamental value of security awareness is to create “a change in attitudes which change the organizational culture”
11
Information Security Culture
Information Security culture must complement the Organizational culture
• Congruent with the mission
• Commensurate with risk appetite
Common elements of a security culture across organizations
• Privacy, internal controls
• Protection of proprietary information
• Laws
Employee vigilance and appropriate response are a natural part of the daily activities of every employee
12
Attitude Adjustment
Attitude is important
• Predictor of Behavior
• Motivator of Behavior
• Source of Risk
• Irrational behavior based on passion (love, anger)
PERSUASION: Changing attitudes and behavior
Attitude can be changed
• Social Psychology
• Fish!
13
Social Psychology
ATTITUDE: Affect, Behavior, Cognition
Influencing Behavior and Decision-Making
Sam Chun, CISSP: Change that Attitude: The ABCs of a Persuasive Awareness Program
14
ABC Model
Affect
• Emotional response
• More likely to do activities that:
  - Are fun or make us feel good
  - Avoid negative feelings (guilt, fear, pain)
Behavior
• Feedback for attitudes
• Doing leads to liking
Cognition
• Opinions formed by reasoning
15
Influence Techniques
Reciprocity
Cognitive Dissonance
Diffusion of Responsibility
Individualization
Group Dynamics
Social Proof
Authority
Repetition
CONSISTENCY OF MESSAGE
16
Reciprocity
o Indebtedness
• Obligation to reciprocate on debt
o Trinkets
• Lanyards, pens, mousepads, lunch bags
• Simple slogan
Large ROI
17
Cognitive Dissonance
o Performing an action that is contrary to beliefs or attitude
o Natural response is to reduce the tension/discord
o Requirement to repeat unpopular procedure makes it more palatable
Examples:
• Mandatory, periodic change of password
• Requirement for strong passwords
18
Diffusion of Responsibility
o Members of a group take less personal responsibility when group output, not individual contribution, is measured
o Avoid anonymity
• Remind employees that they are responsible for all system activity conducted under their logon
Cyber Security: It’s Everyone’s Job!
19
Individualization
o Opposite of Diffusion of Responsibility
o Individual Accountability
• ID badges
• Personalized messages
• In-person delivery
• Individual rewards
Information Assurance – It’s MY job too!
20
Group Dynamics
o In a group, individuals tend to adopt more extreme attitudes to a topic over time
• Diffusion of Responsibility
• Leaders tend to be those with stronger views, more extreme attitudes
o Group interaction will enhance security in a group that has a propensity for security
o Peer Pressure
21
Social Proof
o People mimic others’ behavior
o Be aware of informal communications
• Most frequent
• Must be on message
o Ensure good examples; discourage bad behavior
One ill-chosen comment from an influential person can undo months of awareness efforts
22
Obedience to Authority
o Natural tendency to obey authority
o Ensure executive commitment
o Ensure line manager buy-in
Message Multipliers: Senior Management Participation and Senior Leadership by Example
23
Repetition
o Repeated exposure to a consistent message can change attitudes
o The more familiar people are with policies and procedures, the more correct behavior is induced
o Use all channels of communication
• Formal and Informal
• Push and Pull
“If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus.” NIST SP 800-16
24
Fish! Approach to Work
Choose Your Attitude
Play
Make Their Day
Be Present
Fish! Lundin, Stephen C., Paul, Harry and Christensen, John. Hyperion Books, 2000
“Boost Morale and Improve Results”
25
Consistency
Familiarity breeds contempt?
Repetition induces liking
• Chun: Change that Attitude
Even a boring job can be fun
• Fish!
Variety is the spice; Consistency the Staple
26
Target Audience
Every system user
NIST defines 5 roles
• Executives
• Security Personnel
• Systems Owners
• Systems Admin and IT Support
• Operational Managers and System Users
27
The Awareness Team
Senior Management
CIO and CISO
Functional Elements
Security Professionals
System Administrators
Every individual employee!
The more YOU know, the stronger WE are!
28
Tailored Approach
Mandatory annual awareness presentation for all
• General
• Real world examples
• Lots in the Press about Identity Theft
Home PC Security
• Bring the message home
Other sessions tailored for particular groups
• Targeted messages and examples
Involve people in awareness to overcome their resistance to change
Individuals have different learning styles
29
Delivery
Prior to being granted privileges
• No access without awareness
Periodically
• Mandatory Annual Awareness
• Classes or On-line
Interim, short communiqués
• E-mails, broadcasts, “Tip of the Day”
• In response to new threats, vulnerabilities and policies
Small group sessions
Less formal events
• Fairs, Awareness Days
• Games – Security Jeopardy
Push – Pull techniques
30
On-going Program
Cultural Change takes time
Continuous Program
Maintain employee awareness and organizational commitment
“Awareness presentations must be on-going, creative, and motivational, with the objective of focusing the learner’s attention so that learning will be incorporated into conscious decision-making.” NIST SP 800-16
31
ROI from Security Awareness
Cost Avoidance
Support of Mission Objectives
Protection of Image
Prevention of Down Time, Damage and Destruction
Security conscious employees make better cyber citizens
32
Measurement of Program
Externally in response to FISMA:
• Congress and OMB
• Quarterly and Annually
• President’s Management Agenda
• Congress FISMA Grade
Internally:
• Quarterly Bureau Scorecards
• Feedback
What gets measured gets done!
33
Output vs. Outcome
Outputs
• Number of employees trained
Outcomes
• Fewer Audit Findings
• Fewer material weaknesses
• Fewer violations
• Less severe incidents
• Less repetition of errors
• Less damage
• Reduced cost of compliance
34
Measurement of People
Measurement by organizational element
• Peer pressure
Measurement by individual
• Awards/Rewards
• Include in employee evaluation
Sanction by individual
35
Security Minded Culture
When Employees …
• Are aware of the threats, vulnerabilities and consequences of exploits
• Recognize and report suspicious activity
• Can discuss why controls are necessary
• Take an active role in protecting information
A risk managed approach balances security requirements and mission need
36
A Habit not a Mandate
If we understand why observing good information assurance practice is the right thing to do
Then we will do things because we believe it’s the right thing to do, rather than because we’re told to do them
Assimilation: An individual incorporates new experiences into an existing behavior pattern
37
Challenge for Security Professionals
• Keep current on new threats, vulnerabilities and solutions
• Educate general users and senior management about threats and exploits. Show them why cyber security is needed and what they can do to protect information
• Instill in all employees a feeling of shared responsibility
• Sell information security
38
It’s a Dialogue
Security Awareness personnel need to …
Understand
• Security climate
• Business objectives
• Line managers’ concerns, problems
• Individual and group issues
Possess
• IT Background and security knowledge
• Communication Skills
• Marketing Skills
• Business Savvy
39
The Business Case for Security
Use the language of business
Show how security supports mission objectives
Demonstrate the return on investment associated with good security
Talk with management (and users) in terms they can understand – avoid the language barrier
Drop the “Geek Speak”
40
Summary
Attitudes, Behavior, Culture
Whether it’s a homogeneous group in a campus setting or a diverse, global workforce, a variety of techniques and consistency of message are needed
41
10 Cs of Information Security Culture
1. Comedy
2. Complete
3. Consistent Message
4. Customized Sessions
5. Current, relevant content
6. Communication Channels
7. Common (plain) Language
8. Commitment from Executives
9. Continuing Awareness Program
10. Compulsory Annual Awareness Offering
42
References
Chun, Sam: “Change that Attitude: The ABCs of a Persuasive Awareness Program”, Information Security Management Handbook, 5th Edition, Volume 2, Auerbach, 2005
NIST Special Publication 800-53: “Recommended Security Controls for Federal Information Systems”, Feb 2005
NIST Special Publication 800-50: “Building an Information Technology Security Awareness and Training Program”, Oct 2003
de Zafra, Dorothea: “The Human Factor in Training Strategies”, presentation to the Federal Computer Security Program Managers’ Forum, Nov. 1991, as quoted in NIST SP 800-16
NIST Special Publication 800-16: “Information Technology Security Training Requirements: A Role- and Performance-Based Model”, April 1998
Lundin, Stephen C., Paul, Harry and Christensen, John: “FISH!”, Hyperion Books, 2000
43
Contact Information
For further information or comments, please e-mail:
Subject: NY State CIOs