Training of Information Security for Common Users
Dr. Francisco Eduardo Rivera
FAA
SALT Conference, February 18, 2004
Overview
What is training of IS
Importance and Background
Common Final Users, The Problem
Approaches
Re-orientation
Awareness, Support and Responsibility
The scenario approach
Conclusion
What is Information Security Training?
It is not computer literacy training
It is not an academic course
It is not just for new employees
It is not just another training
It is an urgency!
It must be part of the essential policy of the organization
InfoSec or Cybersecurity training?
Not only for IT experts
All workers dealing with information
Cover all aspects
Prevention oriented rather than remedial oriented
Practical approach rather than theory
Continuous
Information security, what for?
Protecting assets (information resources, including computing time and memory) against: destruction, alteration, corruption, misuse, theft of information
Avoiding intruders
Keeping confidentiality and privacy
Possible Consequences
Enormous potential costs if information security is breached:
Liability
Loss of competitive advantages
Image damage
National interest
Information Security has changed
From teen hackers to serious and professional hackers
Information war
The number and quality of attacks is growing rapidly
The speed of spread is growing
Distributed and evolving attacks
A growing discipline?
Maturity
The experience
The complexity of the subject
The coverage and inter-discipline
The technical details
The changing environment
More than 500 enterprises
Expenditures of more than $5 billion/year
Cybersecurity
Many organizations involved: ACM, NIST, CSI, ISACA, IEEE, ISOC, ISSA, SANS, etc.
More than 300 university programs
Specialized training and certifications: CISSP, CISA, CISM, SSCP, Security+, SCP, GIAC, TICSA
A czar, federal agencies: DHA, NSA, OMB, Information Security Act, …
The problem
The security strength is the strength of the weakest part
Traditional: high security in Computer Centers
Traditional: centralized control of security management and operations
Traditional: users only deal with internal data and no external connection
The problem (continued)
The Internet as the extended information resource and the standard way of communication
The use of network bandwidth for other purposes
The connectivity with the Internet: the present version is intrinsically insecure
The new unsecured wireless networks
The holes in operating systems
Common Final User
Is the employee who manages corporate information through computers and networks, but is not in charge of the operation of systems, programs, networks and equipment
He/she is not an expert
He/she is computer literate
Is the most important resource in the organization, followed by information
General Training Approaches
Mission oriented
Global coverage
Cost-effectiveness oriented
But in the case of Information Security:
Sense of urgency
Implications
Practical aspects
Specific Training approaches
Information classification – mostly academic
Information Systems Development Cycle (SDLC) – mostly professional organizations
Standards and Models – mostly certification organizations
Around specific software packages
The NIST approach
Security Education, Training and Awareness (SETA)
Divided into three levels of depth:
Education – curriculum
Training – organization
Awareness – final users
Re-orientation
Awareness is not enough! What is important in security?
Basic understanding
Motivation
Basic what to do and what not to do
Where to go
Recognize problems and their importance
Prevent
Follow policies
Our approach
Similar to NIST, but some training is also for final users
Based on Awareness, Support and Responsibility
Integration
(Diagram: Awareness, Support, Responsibility; Prevention through Policies, Practical Knowledge, Motivation)
Motivation
“Raison d’être”: for the organization, for the department, for his/her specific position
Improve the system
Detect problems
Understanding of implications
The cost of not doing
Prevention
It needs responsibility: follow the policies strictly, and do some routine tasks periodically (review, backup, upgrade)
It needs support from IT and other users
Practical Knowledge
Identify problems
Levels of risk
Open to suggestions
How to do: passwords, network identification
Who to address in case of a problem, and what to do (and not to do)
Responsibility
The new element: who is the owner of information?
The final user is not just a user; he/she is co-responsible for: data, management of data, basic security and accessibility
The Scenario Approach
The field is so large
Less technical information and more decision-making abilities
What are the basic cases?
Simple to complex problems
Interaction with other users
Rapid response
Scenarios (in plural)
Illustrate with practical real cases
Many variants
To identify key issues
When to explore?
More than one right answer
Interactive discussion
Graphical presentation
Conclusion
InfoSec training is an investment
Needs periodic review to update it with new problems
Challenging user attitudes in: awareness, support and responsibility
Use plain language
The user is an integral part of the solution
Questions?
Comments?