Security Awareness


Security Awareness – Essential Part of Security Management
Ilze Murane

Agenda
• Security management
• Security awareness in the organization
• Security awareness for the home user
• Questions for discussion
ISF Standard
• Information Security Forum
• The Standard of Good Practice for Information Security
• http://www.isfsecuritystandard.com
Security Management I
• Management commitment
• Security policy
• Security organization
  – Information security function
  – Security awareness
  – Security classification
  – Ownership
  – Information risk analysis
Security Management II
• Secure environment
  – Security architecture
  – Information privacy
  – Physical protection
  – Business continuity
  – Use of cryptography
  – Remote working
Security Management III
• Malicious attack
  – Virus protection
  – Intrusion detection
  – Forensic investigations
  – Patch management
• Management review
  – Security audit/review
  – Security monitoring
Security Awareness
• Information security awareness is the degree to which every member of staff understands the importance of information security and their individual security responsibilities … and acts accordingly.
Security Awareness in the organization
• Principle
  – Specific activities should be undertaken, such as a security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the enterprise.
• Objective
  – To ensure all relevant individuals understand the key elements of information security and why it is needed, and understand their personal information security responsibilities.
IT security lessons: example I
• Passwords
  – Do not share passwords
  – Use ‘strong’ passwords
  – Don’t write passwords down
IT security lessons: example II
• Viruses
  – Beware of viruses, particularly in e-mail attachments
  – Ensure that anti-virus software is installed and updated
IT security lessons: example III
• E-mail and Internet use
  – Don’t send sensitive information over the Internet
  – Don’t publish your e-mail address on the Internet
  – Internet use must comply with corporate policies
Case study
• Awareness “history”
  – IT security
  – Information security
  – Business continuity testing
  – Security, including physical security
• Regular seminars
From awareness to behaviour change
• Security-positive behaviour should be encouraged by
  – making attendance at security awareness training compulsory
  – publicizing security successes and failures throughout the organization
  – linking security to personal performance objectives
Security Awareness for the home user
• No regulations
• Personal risk experience
• More electronic information
  – Internet banking
• Everyone is on the Internet
Lessons for everybody
• Main risks
  – Viruses
  – Spyware
  – Phishing
  – Spam
• About
  – Safe e-mail usage
  – Safe Internet browsing
  – Securing your computer
At school?
• Other security (safety)
  – road traffic regulation
  – electricity (physics)
  – fire protection
• IT security...
Questions?
Discussion...

• Does IT security concern everybody?
• How do we educate society?
• Special software/game?
• What are our responsibilities?
• ...