SlideShare ist ein Scribd-Unternehmen logo

Fissea09 mgupta-day3-panel process-program-build-effective-training

S
Swati Gupta

The document provides an overview of designing and developing an effective security awareness and training program. It defines security awareness training, discusses why such programs are important, and outlines best practices for doing it correctly. The presentation agenda includes defining security awareness training, discussing its importance, and presenting Mittal Technologies' security awareness training solution. The document then provides details on developing effective security awareness training, including establishing goals and success criteria, designing the program, developing training content at different levels, and tracking results.

Daten & Analysen
1 von 53
Downloaden Sie, um offline zu lesen
Presented by: Mittal Technologies Designing and developing an effective Security Awareness and Training program Meenu Gupta,CISA,CISM,CISSP,CIPP President Mittal Technologies Meenu.gupta@Mittal-Tech.com
•Defining Security Awareness Training •Why is it important •Doing it correctly •The Solution •Questions Agenda
From the Internet…. “……raising awareness on critical security issues” “Our all-inclusive turn-key, enterprise security awareness program trains your employees to protect your network against security breaches and keeps them security aware through ongoing awareness programs. …“ “An active security awareness program can greatly reduce many risks which cannot be addressed through security software and hardware devices. In these cases, it's the human element of security that must be addressed which is exactly what our products are designed to do.” Defining Security Awareness Training
National Institutes of Standards and Technology (NIST) Public Law 100-235 titled, "The Computer Security Act of 1987," mandated NIST and OPM to create guidance on computer security awareness and training based on functional organizational roles. Guidance was produced in the form of NIST Special Publication 800-16 titled, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." The learning continuum modeled in this guidance provides the relationship between awareness, training, and education. The publication also contains a methodology that can be used to develop training courses for a number of audiences which may be deemed to have significant information security responsibilities. In October 2003, NIST also published Special Publication 800-50 - "Building an Information Technology Security Awareness and Training Program." Awareness ...to focus attention on security Training ...to produce relevant and needed security skills and competency Education ...to integrate all (security skills and competencies) into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles Professional Development (Organizations and Certifications) ...imply a guarantee as meeting a standard by applying evaluation or measurement criteria Defining Security Awareness Training
ENISA (European Network and Information Security Agency) The Information Security Forum (ISF) is one of the world’s leading independent authorities on information security. Through surveys and research, the ISF have defined information security awareness as: ‘an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.’ Defining Security Awareness Training
Defining Security Awareness Training Objectives ← Communicate risks and vulnerabilities facing the business environment ← Communicate company objectives regarding security and enterprise risk. ← Communicate company policies & procedures regarding security and enterprise risk ← Communicate organization roles and responsibilities →→ Invite audience inputInvite audience input →→ Invite audience feedbackInvite audience feedback →→ Invite audience ideasInvite audience ideas ← Provide resources and tools for deeper knowledge ← Provide a mechanism for on-going communication on issues related to risks and vulnerabilities
Defining Security Awareness Training Security Awareness training is the process of educating people about: • the risks and vulnerabilities facing their business environment • the tools they can use to minimize these risks and vulnerabilities • the mechanisms a company has in place by which people are able to keep their knowledge current.
The People Factor1 We already have •Management Controls •Technical Controls •Operational Controls We need •Human Controls 1 – Source: NIST Why is it important?
Risk mitigation through creating: •Awareness of confidentiality, availability, and integrity risks that face the business •Awareness of vulnerabilities that affect computing systems users interact with •Knowledge of corporate policies and procedures designed to address these risks •Understanding of roles and responsibilities Why is it important?
Also, it is an opportunity to: •Hold an enterprise-wide discussion on risk. •Get security out of the inner sanctums of IT and into the hands of the end user •Create an environment that constantly reminds people of the “right thing” to do If we can get the user to say “what role can I play” that’s a sign of success! Why is it important?
Myth: Security Awareness training will teach users about security. Problem: Most security awareness programs are hastily created PowerPoint slides Challenge: Creating a program that is relevant, effective and entertaining A Bigger Challenge: Making this program a part of your organizational processes and keeping it updated Doing it Right
1. Establish realistic goals for the organization 2. Design the program 3. Develop the training I. Establish criteria for success II. Get executive buy-in 4. Implement the training I. Make it a part of the organization processes II. Measure effectiveness Solution
Wrong! 1. It is mandatory! 2. Teaching employees about security 3. Making employees aware of security How about? 1. Proper handling of sensitive information 2. Reduction in internet usage for personal purposes 3. Adherence to password policies 4. Preparedness for contingency events Make security relevant! Goals
1. Formal Training 1. Self-paced, Computer based 2. Instructor Led 3. Educational conferences 2. Informal Training 1. Knowledge sharing 2. Presentations on key topics 3. Roundtables 4. Banners 5. Self study 6. Other Designing the Program
1. Identify a Champion/Owner 2. Identify organization needs o Surveys o Metrics o Events 3. Identify the target population 4. Identify customer needs and if they are part of the target population 5. Identify a team of subject matter experts from Security, Policies, Risk areas 1. Establish goals 2. Establish the success criteria 3. Assist with needs assessment 4. Choose Awareness Topics Developing the Training Key Steps
6. Determine training levels and complexity Basic Intermediate Advanced 7. Determine course length and delivery schedule 8. Determine the delivery vehicle 9. Identify resources for implementation 10.Develop content Off the shelf In-house 11.Deploy 12.Track and Measure Developing the Training Key Steps
Basic • Target Audience – Everyone • Features • Visible risks • Everyday security issues • Policy focus • Broad range of topics • Designed to generate discussion • See sample training Training Levels and Complexity
Intermediate • Target Audience – Management, Developers, Tech Savvy Users • Features • Hidden risks • Potential security issues • Consideration of security in business processes • Consideration of security in SDLC • Risk and Controls Framework • Policy enforcement • Compliance and Audits Training Levels and Complexity
Advance • Target Audience – System Administrators, Technical Personnel • Features • Potential vulnerabilities, threats, and risks in computing systems and their mitigation • Security Controls • Security Policy Settings • Security tools • Security Log Management • Security Reviews Training Levels and Complexity
Confidentiality Integrity Availability Security Awareness AWARE ALERT WATCHFUL Organization Controls Risks ProceduresPolicies Roles/Responsibilities Basic Training Everyone Advanced Training Administrators Intermediate Supervisors/ Developers/Analysts Training Development Model
Sample Security Awareness Training Outline Basic
Presented by: Mittal Technologies http://www.enisa.europa.eu Training Content
Statement of Training Goals Company recognizes the risks to our business from improper access, loss or stolen business data, or intrusions that can disrupt our computer environments. Company, a federal contractor, must comply with the FAR -Federal Acquisitions Regulations - which requires that federal contractors be held accountable to the same security standards as the federal government. FISMA (Federal Information Security Management Act) sets the security standards for the federal government and requires that an annual security awareness training be conducted. This training is also required by the Company Corporate Security policy (Information and Technology Policy - Section 4.2). All Company employees must know Corporate and Company Security policies, controls, and procedures to help them identify and prevent breaches of information security. Awareness of potential threats and the knowledge of “what we can do about it” is the key to safeguarding our information and our information systems. Best practices, rules & regulations, and the company policy require that all Company employees undergo a security awareness training annually.
Sample Training Objectives Develop a baseline understanding of common security risks. Learn about Company security policies and procedures. Learn about “what we can do” to protect company’s information assets. Learn about Company Information Security resources that are available to help you with your security related questions.
Sample Topics of Discussion Key Security Risks and Controls Access to our buildings and networks Passwords Data Security and Privacy Social Engineering Virus and Intrusion Attacks E-Mail and Internet Access Desktop, Laptop, and PDA security Business Continuity General Security Precautions Regulatory Compliance Company Contacts Quiz
Access To Company Facilities and Networks Risk: Unauthorized access to our networks or our buildings could result in loss of information assets, interruption of service, or even threat to human lives. We must have appropriate access control procedures to minimize this risk. There are two types of Access Controls that we follow: Physical Access Controls o Physical access controls prevent unauthorized personnel from getting into Company facilities. They also ensure that the level of physical access is commensurate with the job responsibilities. o All Company personnel must wear their badges all the time. Logical Access Controls o Logical access controls prevent unauthorized personnel from getting into our computer networks or our personal computers. We do this by assigning a user id and password. All logical accesses are controlled by userids and passwords. o Your USERID is your “Identity” and is equal to your “Signature” Don’t give your identity away Choose a Secure Password ……… Log off before you leave your workstation
Passwords Access control to our networks and computing resources largely relies on the use of userids and passwords. Weak or exposed passwords translate into “no security”. Company follows a password policy that guides how we create and maintain our passwords. It is our responsibility to comply with the Company password policy. Here are a few facts that will help you manage your password. Maximum password age 99 days Minimum password age 9 days Minimum password length 8 characters Account lockout threshold 9 invalid logon attempts Password needs to be complex and should be a combination of special characters, letters, numbers. Example of a good password: X@Y3as1 Example of bad passwords: Dictionary words, your UserId, simple sequences such as 123XYZ1, repeating characters For more information please follow the link to “Password Management Techniques” on Link…www.company-infosec.com
Data Security and Privacy “Multiple Security Failures at Veterans Affairs In the wake of May's massive data theft, the Department of Veterans Affairs falls under the Spotlight. The immense data loss could easily happen again because of weak security at the agency”. ““Federal agencies are required to report any suspected privacy brFederal agencies are required to report any suspected privacy breaches to theeaches to the USUS--CERT within 1 hour of the breachCERT within 1 hour of the breach””.. Risk: Not adequately safeguarding our information puts us at risk. These risks could be: Legal risk: Inadvertent or untimely disclosure may have legal ramifications – for example, non-disclosures that we sign with our customers and vendors prohibit us from disclosing certain information without prior written approvals. ….. Not adequately safeguarding our privacy data may lead to identity theft. Identity theft is very real issue which costs time and money to resolve.
Data Security and Privacy Additionally, there are many rules and regulations applicable to Company that require us to safeguard our personal and confidential data. The Privacy Act of 1974 The Health Insurance Portability and Accountability (HIPAA) rule Copyright Protection Act of 1995 European Data Protection Act California SB 1386 Privacy Act Cardholder Information Security Program Our company policy requires that: Company personnel take accountability for safeguarding confidential data and privacy information Company personnel take accountability for understanding and following appropriate polices and procedures regarding safeguarding information. Company personnel safeguard their computing devices and promptly report lost/stolen devices to their supervisors. Company notify any suspected or detected breach of data privacy to their supervisors immediately.
Social Engineering Social Engineering refers to the tactics used to commit internet fraud. It could include people making calls and pretending to be a customer or an employee and trying to gain information on a legitimate customer or employee, or people sending e-mails asking for passwords, credit card numbers or other sensitive information. Risk: Social engineering could lead to fraudulent transactions or information exposure. The following guidelines help identify and address social engineering attempts: If someone is calling on the telephone, but they refuse to give any contact information, that may be an attempt to hide their real identity. If they make a request that's out of the ordinary, that should raise a red flag. If they make a request for something sensitive, you must consult the company policy and verify the authenticity of the caller. You may also consult your supervisor. If somebody is flattering you, they might be trying to influence you to cooperate. Or they might use an authority ruse--they pretend to have a higher status than you to force information from you. Never provide your password, account numbers, credit card numbers in the e-mail – personal or business. Before you enter sensitive information on a web site, make sure it is SSL enabled. Only follow web-links from trusted sources. And always verify URL addresses before visiting a web-site.
What Is a Virus? A Virus is a software program that attacks our computers in memory or a Hard drive, in E-mail and spreads from one computer to another. Risk: A virus could delete or corrupt files, or take actions that could be detrimental to our business such as mailing out address lists, causing denial of service by disabling your computer. The Company Anti-Virus policy requires that all users have the latest version of Anti Virus Software and virus data files installed. It requires periodic checking and continuous monitoring of the computer. Company personnel must ensure that the anti-virus software on their computer is running and has up to date signatures.
What Are Symptoms of a Computer Virus ? Here is a list of some of the symptoms you may encounter if your computer has a virus. Files disappear. Files replicate. Mystery files appear. Data is transformed or corrupted. Disk space fills up. Computer slows down or locks up. Hard drive crashes. PC is unable to boot. Unusual system messages appear. If you observe any of these symptoms, promptly notify the ISC helpdesk. Do not try to eradicate the virus yourself!
E-Mail Usage E-mail is provided for the purposes of conducting company business. All electronic messages created, stored, and sent over the Company’s network are considered property of the Company. Risk: Improper use of e-mail could expose our information as e-mails are transmitted in clear text. Sending inappropriate content in the e-mail could expose us to legal and reputational risks. SENDING E-MAILS Company policy RECEIVING E-MAILS Company policy
Internet Usage Company provides Internet access for all employees for business purposes Risk: Inappropriate use of internet could expose our information or result into hacking attempts against our servers. Unauthorized downloads could compromise the integrity of our network as the downloaded code may be malicious. Internet / World-Wide Web: The internet is a highly unsecured environment, don’t put anything out there that you wouldn’t mind seeing in the newspaper. Some guidelines to keep in mind while on the web: Don’t post Company or proprietary information on public discussion forums Don’t download software unless you receive explicit management permission Text Text
Desktop, Laptop, and PDA Security Only Personal Computing Devices (Personal Computers, MACs, PDAs, other devices with network connection capability, including wireless devices) that meet the following requirements are authorized to connect to the Company Network when: Your Personal Computing Device is in compliance with the current Company hardware and software standards Your Personal Computing Device is running an active anti-virus protection software Text
Desktop, Laptop, and PDA Security Keep your laptop close at hand at all times. Never check it as baggage or put it on luggage carts Take particular care in high traffic areas such as airports and hotels. Don’t leave your laptop in the car. Do not store passwords in scripts, as macros, in documents or any electronic file on your laptop Follow all guidelines about storage of sensitive, proprietary, and software licensing Ensure appropriate device encryption software is running as approved by the Company Information Security Office.
Business Continuity The primary objective of this Business Continuity Plan is to ensure the continued operation of our business by providing the ability to successfully recover critical business functions in the event of a disaster or temporary disruption to the work environment. Each Company facility has an active Business Continuity Plan that: Details the course of action that the facility will take Protects and reduces risk to people Minimizes confusion, errors, and expense to the company Reduces loss of services Protects the company assets Each employee should know their crisis coordinator This information can be found on Link…www.company-infosec.com
General Security Precautions Question unescorted visitors in your area. Be aware of the actions of the people around you, especially outsiders or unauthorized individuals. Report any actual or suspected security incidents to the Help Desk. Secure your workstation upon leaving your desk (Press “Ctrl + Alt + Delete”, and then “Lock Computer”) Follow clean desk policy. Do not leave confidential documents unlocked or exposed. Physical security is an important aspect of managing security. Ensure you are aware of the evacuation procedures at your site. If your site does not have evacuation procedures, notify Company Information Security Office. We are all stewards of Company information. If you see areas where our security procedures can be improved, don’t hesitate to contact your Chief Information Security Officer. Periodically check Company IT Security web site for security news updates:
Company Information Security Office Responsible for directing the development and enforcement of information assurance and privacy policies in compliance with regulations and standards. Supports the corporate security awareness program, corporate …….programs Prepares and supports the business for information security audits Manages research and development (R&D) activities associated with the information assurance capability Company Information Security web site: Link…www.company-infosec.com
Company Information Security Office The Information Security Officer (ISO) is: XXXXXXXX Company Information Security Office is located in: XXXXXXXX Contact Telephone: XXXXXXXX Contact E-mail: XXXXXXXXXX Other security resources: Physical Security Risk Office Policy Office Crisis Management Team
Quiz 1. You should write your password on a sticky note and post to your monitor: Always Never Sometimes 2. If you lost a document that contained company proprietary information you should: Inform your supervisor Ask for another copy Inform the CIO 3. As a team player, if your co-worker is having problems accessing Account Payables application, you should: Give her your user-id/password to help her Suggest she contact her supervisor Suggest she contact the help-desk
Training Feedback Training was relevant to my job function Yes No Training was enjoyable Yes No I will apply this training to my daily job responsibilities as follows:
Success Factors 1. Senior level buy in Funding Empowerment Support for broad distribution Executive/senior level messages to staff regarding security Corporate Governance commitment Senior Managers attending the training Senior Management conducting the training 2. Level of attendance at mandatory security forums/briefings. 3. Recognition of security contributions (e.g., awards, contests). While improved security behavior can result in a decline in incidents or violations, reporting of potential incidents may increase because of enhanced vigilance among users. Source: NIST SP 800-50
Resource Estimation RESOURCE REQUIREMENTS COST Staffing $ xxx Contracting Support $ xxx Facilities $ xxx Media $ xxx Source: NIST SP 800-50
Presented by: Mittal Technologies http://www.enisa.europa.eu Cost Justification
Organization Processes 1. Organizational policy on Security Awareness training 2. Security Awareness during new hire orientation 3. Security Awareness as a performance objective 4. Security Awareness on corporate status reports
Measuring Effectiveness 1. Tracking participation 2. Metrics on incident reports/non-compliance 3. Industry benchmarks 4. Survey feedbacks 5. Feedback from the training sessions
Presented by: Mittal Technologies http://www.enisa.europa.eu Measuring Success
Other Considerations If budget constraints or organizational priorities prohibit development of a formal training program, the following options can be considered: 1. Informal training sessions focusing on specific policies or procedures – brown bags, round tables 2. Specialized training focusing on problem areas – such as data security and privacy 3. Hot topics training – presentations on hot topics 4. PowerPoint presentations
Presented by: Mittal Technologies http://www.enisa.europa.eu Measuring the Level of Awareness
Security Awareness topics: 1.Password usage and management – including creation, frequency of changes, and protection 2.Protection from viruses, worms, Trojan horses, and other malicious code – scanning, updating definitions 3.Policy – implications of noncompliance 4.Unknown e-mail/attachments 5.Web usage – allowed versus prohibited; monitoring of user activity 6.Spam 7.Data backup and storage – centralized or decentralized approach 8.Social engineering 9.Incident response – contact whom? “What do I do?” 10.Shoulder surfing 11.Changes in system environment – increases in risks to systems and data (e.g., water, fire, dust or dirt, physical access) 12.Inventory and property transfer – identify responsible organization and user responsibilities (e.g., media sanitization) 13.Handheld device security issues – address both physical and wireless security issues Source: NIST SP PUB 800-50
Security Awareness topics: 14. Use of encryption and the transmission of sensitive/confidential information over the Internet – address agency policy, procedures, and technical contact for assistance 15. Laptop security while on travel – address both physical and information security issues 16. Personally owned systems and software at work – state whether allowed or not (e.g., copyrights) 17. Timely application of system patches – part of configuration management 18. Software license restriction issues – address when copies are allowed and not allowed 19. Supported/allowed software on organization systems – part of configuration management 20. Access control issues – address least privilege and separation of duties 21. Individual accountability – explain what this means in the organization 22. Use of acknowledgement statements – passwords, access to systems and data, personal use and gain 23. Visitor control and physical access to spaces – discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity 24. Desktop security – discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems Protect information subject to confidentiality concerns – in systems, archived, on backup media, in hardcopy form, and until destroyed 25. E-mail list etiquette – attached files and other rules. Source: NIST SP PUB 800-50
Questions?

Empfohlen

TRAINING PROCESS
TRAINING PROCESSTRAINING PROCESS
TRAINING PROCESSRenu Sebastian
 
The Training Process
The Training ProcessThe Training Process
The Training Processsimply_coool
 
Measuring Training Effectiveness
Measuring Training EffectivenessMeasuring Training Effectiveness
Measuring Training EffectivenessMichaels & Associates
 
Chapter 5 training and development
Chapter 5 training and developmentChapter 5 training and development
Chapter 5 training and developmentGia Lara
 
Hrm training
Hrm trainingHrm training
Hrm trainingAhmed Shoaib
 
Training Process Framework
Training Process Framework Training Process Framework
Training Process Framework Henry John Nueva
 
Traning and development
Traning and development Traning and development
Traning and development Sujan Sarker
 
Training Implementation Strategies
Training Implementation StrategiesTraining Implementation Strategies
Training Implementation StrategiesUma Pandey
 

Empfohlen

TRAINING PROCESS
TRAINING PROCESSTRAINING PROCESS
TRAINING PROCESSRenu Sebastian
 
The Training Process
The Training ProcessThe Training Process
The Training Processsimply_coool
 
Measuring Training Effectiveness
Measuring Training EffectivenessMeasuring Training Effectiveness
Measuring Training EffectivenessMichaels & Associates
 
Chapter 5 training and development
Chapter 5 training and developmentChapter 5 training and development
Chapter 5 training and developmentGia Lara
 
Hrm training
Hrm trainingHrm training
Hrm trainingAhmed Shoaib
 
Training Process Framework
Training Process Framework Training Process Framework
Training Process Framework Henry John Nueva
 
Traning and development
Traning and development Traning and development
Traning and development Sujan Sarker
 
Training Implementation Strategies
Training Implementation StrategiesTraining Implementation Strategies
Training Implementation StrategiesUma Pandey
 
Training & Development - Concept & Components
Training & Development - Concept & ComponentsTraining & Development - Concept & Components
Training & Development - Concept & ComponentsM R Jhalawad
 
Training ppt
Training pptTraining ppt
Training pptTanuj Poddar
 
The training process
The training processThe training process
The training processTanuj Poddar
 
17551820 training-development-introduction
17551820 training-development-introduction17551820 training-development-introduction
17551820 training-development-introductionUdaya Kumar.p
 
Traning and development
Traning and developmentTraning and development
Traning and developmentTanuj Poddar
 
Training & development
Training & developmentTraining & development
Training & developmentBabasab Patil
 
What is training
What is trainingWhat is training
What is trainingConsultants for Business Leaders
 
Types Of Trainig1
Types Of Trainig1Types Of Trainig1
Types Of Trainig1jim
 
Hrm training
Hrm trainingHrm training
Hrm trainingIrene Tinka
 
Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...Ashish Hande
 
Training & its types
Training & its typesTraining & its types
Training & its typesAtul Ranjan
 
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENTUnit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENTMAHUA MUKHERJEE
 
7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training Calandar7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training CalandarThe Blockchain Academy
 
Strategic Training and Development
Strategic Training and DevelopmentStrategic Training and Development
Strategic Training and DevelopmentJanel P. Phillip, SHRM - SCP, MSc, NLP
 
Chapter 5
Chapter 5Chapter 5
Chapter 5Ali Zahoor
 
Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)financialmanagment
 
Chapter 3- training and development
Chapter 3- training and developmentChapter 3- training and development
Chapter 3- training and development5502
 
Types of training
Types of trainingTypes of training
Types of trainingAdeela Yousaf
 
Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)pratik negi
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingKimberly Hood
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 

Weitere ähnliche Inhalte

Was ist angesagt?

Training & Development - Concept & Components
Training & Development - Concept & ComponentsTraining & Development - Concept & Components
Training & Development - Concept & ComponentsM R Jhalawad
 
The training process
The training processThe training process
The training processTanuj Poddar
 
17551820 training-development-introduction
17551820 training-development-introduction17551820 training-development-introduction
17551820 training-development-introductionUdaya Kumar.p
 
Traning and development
Traning and developmentTraning and development
Traning and developmentTanuj Poddar
 
Training & development
Training & developmentTraining & development
Training & developmentBabasab Patil
 
Types Of Trainig1
Types Of Trainig1Types Of Trainig1
Types Of Trainig1jim
 
Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...Ashish Hande
 
Training & its types
Training & its typesTraining & its types
Training & its typesAtul Ranjan
 
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENTUnit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENTMAHUA MUKHERJEE
 
7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training Calandar7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training CalandarThe Blockchain Academy
 
Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)financialmanagment
 
Chapter 3- training and development
Chapter 3- training and developmentChapter 3- training and development
Chapter 3- training and development5502
 
Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)pratik negi
 

Was ist angesagt? (19)

Training & Development - Concept & Components
Training & Development - Concept & ComponentsTraining & Development - Concept & Components
Training & Development - Concept & Components
 
Training ppt
Training pptTraining ppt
Training ppt
 
The training process
The training processThe training process
The training process
 
17551820 training-development-introduction
17551820 training-development-introduction17551820 training-development-introduction
17551820 training-development-introduction
 
Traning and development
Traning and developmentTraning and development
Traning and development
 
Training & development
Training & developmentTraining & development
Training & development
 
What is training
What is trainingWhat is training
What is training
 
Types Of Trainig1
Types Of Trainig1Types Of Trainig1
Types Of Trainig1
 
Hrm training
Hrm trainingHrm training
Hrm training
 
Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...Training Functions, Training Needs Assessment, Action Research, Organizationa...
Training Functions, Training Needs Assessment, Action Research, Organizationa...
 
Training & its types
Training & its typesTraining & its types
Training & its types
 
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENTUnit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
Unit 4 training and development (CHAPTER 4 HUMAN RESOURCE MANAGEMENT
 
7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training Calandar7 Steps To Planning Your Training Calandar
7 Steps To Planning Your Training Calandar
 
Strategic Training and Development
Strategic Training and DevelopmentStrategic Training and Development
Strategic Training and Development
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)Implementing and evaluating the training process (hrm)
Implementing and evaluating the training process (hrm)
 
Chapter 3- training and development
Chapter 3- training and developmentChapter 3- training and development
Chapter 3- training and development
 
Types of training
Types of trainingTypes of training
Types of training
 
Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)Training And Devlopment In Pharma (Pratik Negi)
Training And Devlopment In Pharma (Pratik Negi)
 

Ähnlich wie Fissea09 mgupta-day3-panel process-program-build-effective-training

IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingKimberly Hood
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Michael Kaishar, MSIA | CISSP
 
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAEIT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE360 BSI
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE360 BSI
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...360 BSI
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Laura Benitez
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAECybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE360 BSI
 
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...AmeliaJonas2
 
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...Richard Lawson
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...360 BSI
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 
Security Awareness Training for Community Colleges 2009
Security Awareness Training for Community Colleges 2009Security Awareness Training for Community Colleges 2009
Security Awareness Training for Community Colleges 2009Donald E. Hester
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance programSiddharth Janakiram
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxinfosec train
 

Ähnlich wie Fissea09 mgupta-day3-panel process-program-build-effective-training (20)

IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
 
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAEIT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE
IT Security Architecture & Leadership, 24 - 27 November 2013 Dubai UAE
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAECybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE
Cybersecurity Management Principles, 12 - 15 Nov 2017 Dubai, UAE
 
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...
The Crucial Role of Security Testing Services in Ensuring a Secure and Effici...
 
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
Empowering Employees for Cyber Resilience: A Guide to Strengthening Your Orga...
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
Cybersecurity Management Principles, 11 - 14 Sept 2017 KL, Malaysia / 17 - 20...
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
Security Awareness Training for Community Colleges 2009
Security Awareness Training for Community Colleges 2009Security Awareness Training for Community Colleges 2009
Security Awareness Training for Community Colleges 2009
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 

Kürzlich hochgeladen

办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一F sss
 
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfPredicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfBoston Institute of Analytics
 
Machine learning classification ppt.ppt
Machine learning classification ppt.pptMachine learning classification ppt.ppt
Machine learning classification ppt.pptamreenkhanum0307
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Seán Kennedy
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一fhwihughh
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Cathrine Wilhelmsen
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectBoston Institute of Analytics
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDRafezzaman
 
While-For-loop in python used in college
While-For-loop in python used in collegeWhile-For-loop in python used in college
While-For-loop in python used in collegessuser7a7cd61
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...Amil Baba Dawood bangali
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhijennyeacort
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Seán Kennedy
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsVICTOR MAESTRE RAMIREZ
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdfHuman37
 
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptx
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptxNLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptx
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptxBoston Institute of Analytics
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanMYRABACSAFRA2
 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Cantervoginip
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfgstagge
 

Kürzlich hochgeladen (20)

办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
 
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdfPredicting Salary Using Data Science: A Comprehensive Analysis.pdf
Predicting Salary Using Data Science: A Comprehensive Analysis.pdf
 
Machine learning classification ppt.ppt
Machine learning classification ppt.pptMachine learning classification ppt.ppt
Machine learning classification ppt.ppt
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis Project
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
 
While-For-loop in python used in college
While-For-loop in python used in collegeWhile-For-loop in python used in college
While-For-loop in python used in college
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business Professionals
 
Call Girls in Saket 99530🔝 56974 Escort Service
Call Girls in Saket 99530🔝 56974 Escort ServiceCall Girls in Saket 99530🔝 56974 Escort Service
Call Girls in Saket 99530🔝 56974 Escort Service
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptx
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptxNLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptx
NLP Project PPT: Flipkart Product Reviews through NLP Data Science.pptx
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Canter
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 

Fissea09 mgupta-day3-panel process-program-build-effective-training

  • 1. Presented by: Mittal Technologies Designing and developing an effective Security Awareness and Training program Meenu Gupta,CISA,CISM,CISSP,CIPP President Mittal Technologies Meenu.gupta@Mittal-Tech.com
  • 2. •Defining Security Awareness Training •Why is it important •Doing it correctly •The Solution •Questions Agenda
  • 3. From the Internet…. “……raising awareness on critical security issues” “Our all-inclusive turn-key, enterprise security awareness program trains your employees to protect your network against security breaches and keeps them security aware through ongoing awareness programs. …“ “An active security awareness program can greatly reduce many risks which cannot be addressed through security software and hardware devices. In these cases, it's the human element of security that must be addressed which is exactly what our products are designed to do.” Defining Security Awareness Training
  • 4. National Institutes of Standards and Technology (NIST) Public Law 100-235 titled, "The Computer Security Act of 1987," mandated NIST and OPM to create guidance on computer security awareness and training based on functional organizational roles. Guidance was produced in the form of NIST Special Publication 800-16 titled, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." The learning continuum modeled in this guidance provides the relationship between awareness, training, and education. The publication also contains a methodology that can be used to develop training courses for a number of audiences which may be deemed to have significant information security responsibilities. In October 2003, NIST also published Special Publication 800-50 - "Building an Information Technology Security Awareness and Training Program." Awareness ...to focus attention on security Training ...to produce relevant and needed security skills and competency Education ...to integrate all (security skills and competencies) into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles Professional Development (Organizations and Certifications) ...imply a guarantee as meeting a standard by applying evaluation or measurement criteria Defining Security Awareness Training
  • 5. ENISA (European Network and Information Security Agency) The Information Security Forum (ISF) is one of the world’s leading independent authorities on information security. Through surveys and research, the ISF have defined information security awareness as: ‘an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.’ Defining Security Awareness Training
  • 6. Defining Security Awareness Training Objectives ← Communicate risks and vulnerabilities facing the business environment ← Communicate company objectives regarding security and enterprise risk. ← Communicate company policies & procedures regarding security and enterprise risk ← Communicate organization roles and responsibilities →→ Invite audience inputInvite audience input →→ Invite audience feedbackInvite audience feedback →→ Invite audience ideasInvite audience ideas ← Provide resources and tools for deeper knowledge ← Provide a mechanism for on-going communication on issues related to risks and vulnerabilities
  • 7. Defining Security Awareness Training Security Awareness training is the process of educating people about: • the risks and vulnerabilities facing their business environment • the tools they can use to minimize these risks and vulnerabilities • the mechanisms a company has in place by which people are able to keep their knowledge current.
  • 8. The People Factor1 We already have •Management Controls •Technical Controls •Operational Controls We need •Human Controls 1 – Source: NIST Why is it important?
  • 9. Risk mitigation through creating: •Awareness of confidentiality, availability, and integrity risks that face the business •Awareness of vulnerabilities that affect computing systems users interact with •Knowledge of corporate policies and procedures designed to address these risks •Understanding of roles and responsibilities Why is it important?
  • 10. Also, it is an opportunity to: •Hold an enterprise-wide discussion on risk. •Get security out of the inner sanctums of IT and into the hands of the end user •Create an environment that constantly reminds people of the “right thing” to do If we can get the user to say “what role can I play” that’s a sign of success! Why is it important?
  • 11. Myth: Security Awareness training will teach users about security. Problem: Most security awareness programs are hastily created PowerPoint slides Challenge: Creating a program that is relevant, effective and entertaining A Bigger Challenge: Making this program a part of your organizational processes and keeping it updated Doing it Right
  • 12. 1. Establish realistic goals for the organization 2. Design the program 3. Develop the training I. Establish criteria for success II. Get executive buy-in 4. Implement the training I. Make it a part of the organization processes II. Measure effectiveness Solution
  • 13. Wrong! 1. It is mandatory! 2. Teaching employees about security 3. Making employees aware of security How about? 1. Proper handling of sensitive information 2. Reduction in internet usage for personal purposes 3. Adherence to password policies 4. Preparedness for contingency events Make security relevant! Goals
  • 14. 1. Formal Training 1. Self-paced, Computer based 2. Instructor Led 3. Educational conferences 2. Informal Training 1. Knowledge sharing 2. Presentations on key topics 3. Roundtables 4. Banners 5. Self study 6. Other Designing the Program
  • 15. 1. Identify a Champion/Owner 2. Identify organization needs o Surveys o Metrics o Events 3. Identify the target population 4. Identify customer needs and if they are part of the target population 5. Identify a team of subject matter experts from Security, Policies, Risk areas 1. Establish goals 2. Establish the success criteria 3. Assist with needs assessment 4. Choose Awareness Topics Developing the Training Key Steps
  • 16. 6. Determine training levels and complexity Basic Intermediate Advanced 7. Determine course length and delivery schedule 8. Determine the delivery vehicle 9. Identify resources for implementation 10.Develop content Off the shelf In-house 11.Deploy 12.Track and Measure Developing the Training Key Steps
  • 17. Basic • Target Audience – Everyone • Features • Visible risks • Everyday security issues • Policy focus • Broad range of topics • Designed to generate discussion • See sample training Training Levels and Complexity
  • 18. Intermediate • Target Audience – Management, Developers, Tech Savvy Users • Features • Hidden risks • Potential security issues • Consideration of security in business processes • Consideration of security in SDLC • Risk and Controls Framework • Policy enforcement • Compliance and Audits Training Levels and Complexity
  • 19. Advance • Target Audience – System Administrators, Technical Personnel • Features • Potential vulnerabilities, threats, and risks in computing systems and their mitigation • Security Controls • Security Policy Settings • Security tools • Security Log Management • Security Reviews Training Levels and Complexity
  • 22. Presented by: Mittal Technologies http://www.enisa.europa.eu Training Content
  • 23. Statement of Training Goals Company recognizes the risks to our business from improper access, loss or stolen business data, or intrusions that can disrupt our computer environments. Company, a federal contractor, must comply with the FAR -Federal Acquisitions Regulations - which requires that federal contractors be held accountable to the same security standards as the federal government. FISMA (Federal Information Security Management Act) sets the security standards for the federal government and requires that an annual security awareness training be conducted. This training is also required by the Company Corporate Security policy (Information and Technology Policy - Section 4.2). All Company employees must know Corporate and Company Security policies, controls, and procedures to help them identify and prevent breaches of information security. Awareness of potential threats and the knowledge of “what we can do about it” is the key to safeguarding our information and our information systems. Best practices, rules & regulations, and the company policy require that all Company employees undergo a security awareness training annually.
  • 24. Sample Training Objectives Develop a baseline understanding of common security risks. Learn about Company security policies and procedures. Learn about “what we can do” to protect company’s information assets. Learn about Company Information Security resources that are available to help you with your security related questions.
  • 25. Sample Topics of Discussion Key Security Risks and Controls Access to our buildings and networks Passwords Data Security and Privacy Social Engineering Virus and Intrusion Attacks E-Mail and Internet Access Desktop, Laptop, and PDA security Business Continuity General Security Precautions Regulatory Compliance Company Contacts Quiz
  • 26. Access To Company Facilities and Networks Risk: Unauthorized access to our networks or our buildings could result in loss of information assets, interruption of service, or even threat to human lives. We must have appropriate access control procedures to minimize this risk. There are two types of Access Controls that we follow: Physical Access Controls o Physical access controls prevent unauthorized personnel from getting into Company facilities. They also ensure that the level of physical access is commensurate with the job responsibilities. o All Company personnel must wear their badges all the time. Logical Access Controls o Logical access controls prevent unauthorized personnel from getting into our computer networks or our personal computers. We do this by assigning a user id and password. All logical accesses are controlled by userids and passwords. o Your USERID is your “Identity” and is equal to your “Signature” Don’t give your identity away Choose a Secure Password ……… Log off before you leave your workstation
  • 27. Passwords Access control to our networks and computing resources largely relies on the use of userids and passwords. Weak or exposed passwords translate into “no security”. Company follows a password policy that guides how we create and maintain our passwords. It is our responsibility to comply with the Company password policy. Here are a few facts that will help you manage your password. Maximum password age 99 days Minimum password age 9 days Minimum password length 8 characters Account lockout threshold 9 invalid logon attempts Password needs to be complex and should be a combination of special characters, letters, numbers. Example of a good password: X@Y3as1 Example of bad passwords: Dictionary words, your UserId, simple sequences such as 123XYZ1, repeating characters For more information please follow the link to “Password Management Techniques” on Link…www.company-infosec.com
  • 28. Data Security and Privacy “Multiple Security Failures at Veterans Affairs In the wake of May's massive data theft, the Department of Veterans Affairs falls under the Spotlight. The immense data loss could easily happen again because of weak security at the agency”. ““Federal agencies are required to report any suspected privacy brFederal agencies are required to report any suspected privacy breaches to theeaches to the USUS--CERT within 1 hour of the breachCERT within 1 hour of the breach””.. Risk: Not adequately safeguarding our information puts us at risk. These risks could be: Legal risk: Inadvertent or untimely disclosure may have legal ramifications – for example, non-disclosures that we sign with our customers and vendors prohibit us from disclosing certain information without prior written approvals. ….. Not adequately safeguarding our privacy data may lead to identity theft. Identity theft is very real issue which costs time and money to resolve.
  • 29. Data Security and Privacy Additionally, there are many rules and regulations applicable to Company that require us to safeguard our personal and confidential data. The Privacy Act of 1974 The Health Insurance Portability and Accountability (HIPAA) rule Copyright Protection Act of 1995 European Data Protection Act California SB 1386 Privacy Act Cardholder Information Security Program Our company policy requires that: Company personnel take accountability for safeguarding confidential data and privacy information Company personnel take accountability for understanding and following appropriate polices and procedures regarding safeguarding information. Company personnel safeguard their computing devices and promptly report lost/stolen devices to their supervisors. Company notify any suspected or detected breach of data privacy to their supervisors immediately.
  • 30. Social Engineering Social Engineering refers to the tactics used to commit internet fraud. It could include people making calls and pretending to be a customer or an employee and trying to gain information on a legitimate customer or employee, or people sending e-mails asking for passwords, credit card numbers or other sensitive information. Risk: Social engineering could lead to fraudulent transactions or information exposure. The following guidelines help identify and address social engineering attempts: If someone is calling on the telephone, but they refuse to give any contact information, that may be an attempt to hide their real identity. If they make a request that's out of the ordinary, that should raise a red flag. If they make a request for something sensitive, you must consult the company policy and verify the authenticity of the caller. You may also consult your supervisor. If somebody is flattering you, they might be trying to influence you to cooperate. Or they might use an authority ruse--they pretend to have a higher status than you to force information from you. Never provide your password, account numbers, credit card numbers in the e-mail – personal or business. Before you enter sensitive information on a web site, make sure it is SSL enabled. Only follow web-links from trusted sources. And always verify URL addresses before visiting a web-site.
  • 31. What Is a Virus? A Virus is a software program that attacks our computers in memory or a Hard drive, in E-mail and spreads from one computer to another. Risk: A virus could delete or corrupt files, or take actions that could be detrimental to our business such as mailing out address lists, causing denial of service by disabling your computer. The Company Anti-Virus policy requires that all users have the latest version of Anti Virus Software and virus data files installed. It requires periodic checking and continuous monitoring of the computer. Company personnel must ensure that the anti-virus software on their computer is running and has up to date signatures.
  • 32. What Are Symptoms of a Computer Virus ? Here is a list of some of the symptoms you may encounter if your computer has a virus. Files disappear. Files replicate. Mystery files appear. Data is transformed or corrupted. Disk space fills up. Computer slows down or locks up. Hard drive crashes. PC is unable to boot. Unusual system messages appear. If you observe any of these symptoms, promptly notify the ISC helpdesk. Do not try to eradicate the virus yourself!
  • 33. E-Mail Usage E-mail is provided for the purposes of conducting company business. All electronic messages created, stored, and sent over the Company’s network are considered property of the Company. Risk: Improper use of e-mail could expose our information as e-mails are transmitted in clear text. Sending inappropriate content in the e-mail could expose us to legal and reputational risks. SENDING E-MAILS Company policy RECEIVING E-MAILS Company policy
  • 34. Internet Usage Company provides Internet access for all employees for business purposes Risk: Inappropriate use of internet could expose our information or result into hacking attempts against our servers. Unauthorized downloads could compromise the integrity of our network as the downloaded code may be malicious. Internet / World-Wide Web: The internet is a highly unsecured environment, don’t put anything out there that you wouldn’t mind seeing in the newspaper. Some guidelines to keep in mind while on the web: Don’t post Company or proprietary information on public discussion forums Don’t download software unless you receive explicit management permission Text Text
  • 35. Desktop, Laptop, and PDA Security Only Personal Computing Devices (Personal Computers, MACs, PDAs, other devices with network connection capability, including wireless devices) that meet the following requirements are authorized to connect to the Company Network when: Your Personal Computing Device is in compliance with the current Company hardware and software standards Your Personal Computing Device is running an active anti-virus protection software Text
  • 36. Desktop, Laptop, and PDA Security Keep your laptop close at hand at all times. Never check it as baggage or put it on luggage carts Take particular care in high traffic areas such as airports and hotels. Don’t leave your laptop in the car. Do not store passwords in scripts, as macros, in documents or any electronic file on your laptop Follow all guidelines about storage of sensitive, proprietary, and software licensing Ensure appropriate device encryption software is running as approved by the Company Information Security Office.
  • 37. Business Continuity The primary objective of this Business Continuity Plan is to ensure the continued operation of our business by providing the ability to successfully recover critical business functions in the event of a disaster or temporary disruption to the work environment. Each Company facility has an active Business Continuity Plan that: Details the course of action that the facility will take Protects and reduces risk to people Minimizes confusion, errors, and expense to the company Reduces loss of services Protects the company assets Each employee should know their crisis coordinator This information can be found on Link…www.company-infosec.com
  • 38. General Security Precautions Question unescorted visitors in your area. Be aware of the actions of the people around you, especially outsiders or unauthorized individuals. Report any actual or suspected security incidents to the Help Desk. Secure your workstation upon leaving your desk (Press “Ctrl + Alt + Delete”, and then “Lock Computer”) Follow clean desk policy. Do not leave confidential documents unlocked or exposed. Physical security is an important aspect of managing security. Ensure you are aware of the evacuation procedures at your site. If your site does not have evacuation procedures, notify Company Information Security Office. We are all stewards of Company information. If you see areas where our security procedures can be improved, don’t hesitate to contact your Chief Information Security Officer. Periodically check Company IT Security web site for security news updates:
  • 39. Company Information Security Office Responsible for directing the development and enforcement of information assurance and privacy policies in compliance with regulations and standards. Supports the corporate security awareness program, corporate …….programs Prepares and supports the business for information security audits Manages research and development (R&D) activities associated with the information assurance capability Company Information Security web site: Link…www.company-infosec.com
  • 40. Company Information Security Office The Information Security Officer (ISO) is: XXXXXXXX Company Information Security Office is located in: XXXXXXXX Contact Telephone: XXXXXXXX Contact E-mail: XXXXXXXXXX Other security resources: Physical Security Risk Office Policy Office Crisis Management Team
  • 41. Quiz 1. You should write your password on a sticky note and post to your monitor: Always Never Sometimes 2. If you lost a document that contained company proprietary information you should: Inform your supervisor Ask for another copy Inform the CIO 3. As a team player, if your co-worker is having problems accessing Account Payables application, you should: Give her your user-id/password to help her Suggest she contact her supervisor Suggest she contact the help-desk
  • 42. Training Feedback Training was relevant to my job function Yes No Training was enjoyable Yes No I will apply this training to my daily job responsibilities as follows:
  • 43. Success Factors 1. Senior level buy in Funding Empowerment Support for broad distribution Executive/senior level messages to staff regarding security Corporate Governance commitment Senior Managers attending the training Senior Management conducting the training 2. Level of attendance at mandatory security forums/briefings. 3. Recognition of security contributions (e.g., awards, contests). While improved security behavior can result in a decline in incidents or violations, reporting of potential incidents may increase because of enhanced vigilance among users. Source: NIST SP 800-50
  • 44. Resource Estimation RESOURCE REQUIREMENTS COST Staffing $ xxx Contracting Support $ xxx Facilities $ xxx Media $ xxx Source: NIST SP 800-50
  • 45. Presented by: Mittal Technologies http://www.enisa.europa.eu Cost Justification
  • 46. Organization Processes 1. Organizational policy on Security Awareness training 2. Security Awareness during new hire orientation 3. Security Awareness as a performance objective 4. Security Awareness on corporate status reports
  • 47. Measuring Effectiveness 1. Tracking participation 2. Metrics on incident reports/non-compliance 3. Industry benchmarks 4. Survey feedbacks 5. Feedback from the training sessions
  • 48. Presented by: Mittal Technologies http://www.enisa.europa.eu Measuring Success
  • 49. Other Considerations If budget constraints or organizational priorities prohibit development of a formal training program, the following options can be considered: 1. Informal training sessions focusing on specific policies or procedures – brown bags, round tables 2. Specialized training focusing on problem areas – such as data security and privacy 3. Hot topics training – presentations on hot topics 4. PowerPoint presentations
  • 50. Presented by: Mittal Technologies http://www.enisa.europa.eu Measuring the Level of Awareness
  • 51. Security Awareness topics: 1.Password usage and management – including creation, frequency of changes, and protection 2.Protection from viruses, worms, Trojan horses, and other malicious code – scanning, updating definitions 3.Policy – implications of noncompliance 4.Unknown e-mail/attachments 5.Web usage – allowed versus prohibited; monitoring of user activity 6.Spam 7.Data backup and storage – centralized or decentralized approach 8.Social engineering 9.Incident response – contact whom? “What do I do?” 10.Shoulder surfing 11.Changes in system environment – increases in risks to systems and data (e.g., water, fire, dust or dirt, physical access) 12.Inventory and property transfer – identify responsible organization and user responsibilities (e.g., media sanitization) 13.Handheld device security issues – address both physical and wireless security issues Source: NIST SP PUB 800-50
  • 52. Security Awareness topics: 14. Use of encryption and the transmission of sensitive/confidential information over the Internet – address agency policy, procedures, and technical contact for assistance 15. Laptop security while on travel – address both physical and information security issues 16. Personally owned systems and software at work – state whether allowed or not (e.g., copyrights) 17. Timely application of system patches – part of configuration management 18. Software license restriction issues – address when copies are allowed and not allowed 19. Supported/allowed software on organization systems – part of configuration management 20. Access control issues – address least privilege and separation of duties 21. Individual accountability – explain what this means in the organization 22. Use of acknowledgement statements – passwords, access to systems and data, personal use and gain 23. Visitor control and physical access to spaces – discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity 24. Desktop security – discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems Protect information subject to confidentiality concerns – in systems, archived, on backup media, in hardcopy form, and until destroyed 25. E-mail list etiquette – attached files and other rules. Source: NIST SP PUB 800-50