
IT Best Practices for Community Colleges Part 4: Awareness Training
Donald Hester
April 20, 2010

For audio, call Toll Free 1-888-886-3951 and use PIN/code 254482

• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio

1) If you're listening on your computer, adjust your volume using the speaker slider.
2) If you're listening over the phone, click on the phone headset.

Do not listen on both computer and phone.

Saving Files & Open/close Captions

1. Save the chat window with the floppy disc icon
2. Open/close the captioning window with the CC icon

Emoticons and Polling

1) Raise hand and Emoticons
2) Polling options
What is Security Awareness?

• Awareness is not training
• The purpose of awareness presentations is simply to focus attention on security
• Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly
• Security awareness efforts are designed to change behavior or reinforce good security practices
How does Training differ from Awareness?

• In awareness activities, the learner is the recipient of information
• The learner in a training environment has a more active role
• Awareness relies on reaching broad audiences with attractive packaging
• Training is more formal, having a goal of building knowledge and skills
Cycle of Security Training / Awareness Program

• Establish a policy
• Assign responsibility (CIO, Director)
• Needs assessment
• Develop Awareness and Training
• Implementation of the program
• Update and monitor program

Needs Assessment

• What awareness, training and/or education are needed?
• What is currently being done to meet these needs?
• How well is it working?
• Which needs are most critical?
• NIST SP 800-50 has a Sample Needs Assessment and Questionnaire

Needs Assessment: Establish Priorities

• Availability of Material/Resources
  • In house or outsourced
• Role and Organizational Impact
  • How will this help people do their job
  • How will this help us reach our overall goals
• State of Current Compliance
  • How informed are staff and students about security and privacy practices
• Critical Project Dependencies
  • Funding

• "What behavior do we want to reinforce?"
• "What skill or skills do we want the audience to learn and apply?" (training)
• Watch out for the "we're here because we have to be here" attitude
• An awareness and training program can be effective if the material is interesting and current

• One way to get users involved and invested in the training is to make the training cover topics they are interested in
• For example, a class on "Facebook" or
• Users are interested in what they are interested in; use it to your advantage

Possible Topics

• Password usage and management
• Unknown e-mail attachments
• Policy
• Personal use and gain issues
• System and application patching
• Personal systems at work
• Web usage
• Data backup and storage
• Social engineering
• Inventory and property transfer
• Portable device issues
• Laptop security
• Physical security
• Software licensing
• Use acknowledgements


• Use marketing skills
• Get students involved
• Assignment for class
• Branding
• Use Social Media
• Use Posters
• Use Email reminders
• Leverage Safety Awareness
• Mascots
• Alerts
Use multiple vectors

• Website notices of incidents
• RSS Feeds
• Posters
• Emails
• Announcements
• Logon banners
• Seminars and classes
• Games and contests

Use real life examples

• Use incidents as an opportunity to teach "what not to do"
• The news has stories every day you can use
• The best stories are often those "closest to home"

Initial User Training

• Upon hire and annually thereafter
• Must complete before access is granted
• Serves as notification (legal)
• What do they need to know to do their job
• A basic IT security course – often online


Some people question the usefulness of these. However, it serves at the least as a subconscious

Legal questions arise

Sample Posters

Buy Posters

Short and to the point

NIST Posters

Maintenance of the Program

• Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where "you can never do enough"

Input for Updates

Maintain the Program

• Frequency that each target audience should be exposed to material
• Documentation, feedback, and evidence of learning for each aspect of the program
• Evaluation and update of material for each aspect of the program
• Is this working???

Goal of Training

• Training is separate from awareness, but there are overlapping areas
• The goal of training is to produce relevant and needed skills and competencies
• It is crucial that the needs assessment identify those individuals with significant IT security responsibilities, assess their functions, and identify their training needs

• The training plan should identify an audience, or several audiences, that should receive training tailored to address their IT security responsibilities
• Each user may need specific training for their job
  • Network admins may need Windows or Cisco security training
  • Admissions may need special training for handling student records
Example of Training

• This course falls under training
• Focus on job role skills and competencies
  • Specifically tailored for managers and decision makers
  • Designed to help them (you) with their job
• Online delivery (CCCConfer)
• Live instructor and recorded archive

KPI (Key Performance Indicators)

• Sufficient funding to implement the agreed-upon strategy
• Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy
• Support for broad distribution (e.g., web, e-mail, TV) and posting of security awareness items
• Executive/senior level messages to staff regarding security
• Use of metrics (e.g., to indicate a decline in security incidents or violations)
• Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file
• Level of attendance at mandatory security forums/briefings
• Recognition of security contributions (e.g., awards, contests)
• Motivation demonstrated by those playing key roles in managing/coordinating the security program

• Consider Partnerships
  • Other community colleges have the same needs – work together
• Books
  • Managing an Information Security and Privacy Awareness and Training Program, ISBN 978-1439815458
• Standards and Guidance
  • NIST SP 800-50, Building an IT Security Awareness and Training Program
• Posters
  • Monthly subscriptions
  • New York
• Social Media Example

Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:
Thanks for attending
For upcoming events and links to recently archived seminars, check the @ONE Web site at: