Digital Self Defense: IIA/ISACA IT Audit Seminar

Posted on 18-Feb-2017


Rochester IIA & ISACA IT Audit Seminar
December 10, 2015
Ben Woelk, CISSP
ISO Program Manager, Rochester Institute of Technology

Copyright © 2015 Rochester Institute of Technology

Presentation Overview
• Background
• Communications Plan Basics
• RIT Implementation
• Success?
• Discussion

Copyright © 2014 Rochester Institute of Technology

BACKGROUND

My Background
• Corporate
• Higher Education
– ISO Office
– Adjunct
• Techcomm
• Computing Security

Rochester Institute of Technology
• RIT Environment
– 18,500 students
– 3,500 faculty and staff
– International locations
– ~40,000+ systems on the network at any given time
– Very skilled IT security students

RIT Information Security
• RIT ISO
– 3 full time
• Information Security Officer
• Program Manager
• Sr. Forensics Investigator
– 1-4 student employees
• Mix of co-op and part-time
• Risk Management, not Information Technology

COMMUNICATIONS PLAN BASICS

Communications Plan
• Benefits
– Systematic approach
– Repeatable
– Set and achieve goals
– Be proactive
– Be strategy driven, not event driven
– Strategic plan drives marketing/communications plan

TechComm 101
• “We explain things” (R. J. Lippincott, Intercom)
• Characteristics
– Interactive and adaptable
– Reader centered
• Personas
– Contextualized
– Concise
– Visual
– Cross cultural

RIT IMPLEMENTATION

Digital Self Defense Goals
• Inform the entire population about threats.
• Educate new members of the RIT community on Information Security topics.
• Maintain current information outputs and engagement on Information Security topics.
• Create new avenues for communication to expand awareness of the Information Security office.
• Inform the community of new Infosec initiatives.

Challenges
• Multiple audiences
• Messaging overload
• 30% annual turnover
• What, me worry?
• Dry/technical subject

Security Awareness Plan
• Components
– Audience analysis
– Key messages
– Communications channels
– Calendar of promotions
– Develop relationships

Target Audiences

Strategies
• Consistent outreach
• Creative/fun deliverables
• New communication channels
• “What’s in it for me?” fulfillment
– Emphasizing home use
– Easy-to-implement best practices
– Consequences of non-compliance
– Interactive elements

Key Message
• Short and Simple

Calendar of Promotions

Monthly Topics

Month                Topic
June, July, August   Pre-Semester, Start of Semester
September            New Students, New Semester, New Threats
October              Cyber Security Awareness Month
November             No Click November
December             Scams and Hoaxes
January              Data Privacy Month
February             Ph(F)ebruary Phish
March                Mobile Device Madness
April                Spring Cleaning
May                  Graduating to Good Passwords

Pre-Semester/Start of Semester

Communications Channels
• What’s the best vehicle?

Develop Relationships

RIT Infosec Website

RIT Social Media

Posters

Go Phish

https://www.pinterest.com/ritinfosec/playing-cards-by-rit-information-security/

Alerts and Advisories
• Message Center portal/email
• Ad hoc
• ~20 per academic year

Move-in

New Student Orientation

Lightning Talks
• Six minute presentations
• Slides move every 18 seconds
• Topics
– Online reputation management
– Illegal file sharing
– Safe use of social media
– Securing mobile devices

DSD Lightning Talk

• https://www.youtube.com/watch?v=-Yo8TV-ZLbE

New vehicles this fall
• Bus posters
• Employee Benefits Fair
• RIT Information Security Field Guide to Identifying Phishing and Scams

DSD 101 classes
• Tips, Tricks, and Best Practices for staying safe online
– Monthly
– Departmental presentations

RIT Digital Self Defense Team
• Launched 11/11/15
– Using internal survey tool to collect metrics and recruit team members
– 535 survey participants; 206 joined DSD Team

In Development
• Phishing exercises

SUCCESS?

Evaluation Tools
• Internal survey tool
– Fall baseline (open now)
– Spring progress

Social Media Evaluation

External Evaluations
• Use with care
• Kred (2013)
– Influence (trust)
– Outreach (propensity to share)
• Klout (2009)
– Perceived social influence

Evaluate and Make Mid-Course Corrections
• You will make mistakes
• Don’t be afraid to make a change
• Did it make a difference?
• Ways to evaluate
– Surveys
– Analytics

Image: from austinevan

Key Success Factors
• What’s in it for them?
• Relevant at home as well as at work
• Reach them where they are

Resources
• EDUCAUSE
– Cybersecurity Awareness Resource Library
– Security Awareness Quick Start and Advanced Guides
• W. K. Kellogg Foundation: Template for Strategic Communications Plan
• Richard Johnson-Sheehan, Technical Communication Today
• Society for Technical Communication

Contact Me
Ben Woelk
Ben.woelk@gmail.com; ben.woelk@rit.edu
Benwoelk.com
@benwoelk
www.linkedin.com/in/benwoelk/

DISCUSSION