Security Awareness – Essential Part of Security Management

Ilze Murane

Agenda

Security management Security awareness in organization Security awareness for home user

Questions for discussion

ISF Standard

Information Security Forum The Standard of Good Practice for

Information Security http://www.isfsecuritystandard.com

Security Management I

Management commitment Security policy Security organization

– Information security function

– Security awareness

– Security classification

– Ownership

– Information risk analysis

Security Management II Secure environment

– Security architecture– Information privacy– Physical protection– Business continuity– Use of cryptography– Remote working

Security Management III Malicious attack

– Virus protection– Intrusion detection– Forensic investigations– Patch management

Management review– Security audit/review– Security monitoring

Security Awareness

Information security awareness is the degree to which every member of staff understands the importance of information security, their individual security responsibilities

…and acts accordingly

Security Awareness in organization

Principle– Specific activities should be undertaken, such as a

security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the enterprise

Objective– To ensure all relevant individuals understand the key

elements of information security and why it is needed, and understand their personal information security responsibilities

IT security lessons: example I

Passwords– Do not share passwords

– Use ‘strong’ passwords

– Don’t write passwords down

IT security lessons: example II

Viruses– Beware of viruses, particularly in e-mail

attachments

– Ensure that anti-virus software is installed and updated

IT security lessons: example III

E-mail and Internet use– Don’t send sensitive information over the

Internet

– Don’t publish your e-mail address in the Internet

– Internet use must comply with corporate policies

Case study

Awareness “history”– IT security– Information security– Business Continuity Testing– Security including physical security

Regular seminars

From awareness to behaviour change

Security-positive behaviour should be encouraged by– making attendance at security awareness

training compulsory– publicizing security successes and failures

throughout the organization– linking security to personal performance

objectives

Security Awareness for home user

No regulations Personal risk experience More electronic information

– Internet banking

Everyone is in theInternet

Lessons for everybody Main risks

– Viruses– Spyware– Phishing– Spam

About– Safe e-mail usage– Safe internet browsing– Securing your computer

At school?

Other security (safety)– road traffic regulation– electricity (physics)– fire protection

IT security...

Questions?Discussion...

ilze@latnet.lv

?

Is IT security concerns everybody How to educate society Special software/game What are our responsibilities ...