1: Security & Risk Management

• CIA triad

  • confidentiality
    • only authorized users have access to resources
    • keeping secrets from prying eyes
    • disclosure attacks undermine confidentiality

• integrity

  • protect information from unauthorized changes
  • alteration attacks undermine integrity

• confidentiality

  • ensure authorized users have access
  • inability to access may impact business
  • denial attacks undermine confidentiality

• controls are aligned with the CIA triad

• access controls: restrict access to sensitive info w/o permission
  • encryption
    • protects info at rest or in transit
    • plaintext → ciphertext

• ensures that info doesn’t change w/o authorization
• sources of integrity failures
  • intentional
  • user error
  • hardware/software errors
  • acts of God
• controls:
  • hashing:
    • creates a message digest from a large file
    • like a fingerprint
    • indicates changes in a file
  • digital signatures:
    • authenticity: recipient can be confident that the message came from the recipient
    • non-repudiation: recipient can prove to a third party that the message came from the recipient
    • to use:
      • sender:
        • hashes message
        • encrypts w/ private key
      • recipient:
        • decrypts signature w/ public key
        • computes hash
        • compares

• failure causes

  • attackers
  • component failures
  • application failures
  • utility failures

• redundant controls

  • protect against failures of a single part of a system

• high availability

  • protect services against a failure of a single server

• fault tolerance

  • protect services against disruption from small failures

• OS and application patching act as a control against availability issues

• remember that security provides support services to the org
• security leaders
  • act as SME on CIA for the org
  • also act as business leader the understands the mission, goals, objectives of the org
  • must balance security needs w/ business needs
    • can be difficult
    • watch for exam questions

• need to justify time and money

• need to balance security and business

• need to achieve CIA

• need to explain to management

• admin tasks are also important to the business

  • budgets
  • meetings
  • employee performance evals
  • etc

• infosec must align w/ business functions and processes

• information governance committee

• risk management committee

• board of directors

• Integrating security governance

  • ensure that governing bodies understand risk and controls
  • inform the of security incidents
  • review audits w/ them

• find a security governance model that fits the org

• require integration of security controls
• security teams must come together to merge

• require a separation of controls
• ties should be cut between orgs

• differ between orgs

• usually the COO or similar position
• provides oversight
• funds
• ensures testing
• prioritizes business functions → criticality
• establish strategy / vision / framework
• sign off on policy, BIA, documents

• oversight of the infosec program
• liaison between
  • management
  • business
  • IT
  • infosec

• senior-most infosec leader
• may report to IT org or to the risk management leader
• leads a team or generalists and specialists

• functional management
• determines the “how”

• the customer
• determines data classification

• in the trenches

• evaluate controls and policies
• the audit determines compliance

exam tip
auditors should audit and report only! they should not go in and fix issues that they find.

• raise awareness
• create a security-positive environment
• teach the “why” of what we are doing

• fulfilling legal requirements and professional best practices

• taking reasonable measures to investigate security risks

• security controls must cover many different risks
• this is hard to do, can use security frameworks as a guide
• control frameworks guide security program design

• business focused control framework

• six principles

  1. Provide Stakeholder Value
  2. Holistic Approach
  3. Dynamic Governance System
  4. Governance Distinct from Management
  5. Tailored to Enterprise Needs
  6. End-to-End Governance System

• contains important guidance

• ISO 27001: info systems controls objectives
• ISO 27002: info systems controls implementation
• ISO 27701: privacy controls
• ISO 31000: risk management programs

• NIST SP 800-53

  • security and privacy controls
  • mandatory of government agencies

• NIST CSF (Cybersecurity Framework)

  • provides common language for cybersecurity risk

  • helps identify and prioritize actions

  • aligns security actions across control types

  • five functions divided into categories

    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

  • different value for different orgs

    • some use as a reference
    • some follow more rigidly

• proof beyond a reasonable doubt – makes it hard to prove in a court
• can involve jailtime

• prepondernace of evidence – a bit easier to prove

• related to standards, governmental requirements
• usually monetary penalties

• protects “property of the mind” – ideas, designs, logos, etc.
• WIPO – run by the UN
• licensing is a big failure related to intellectual law

• a resource that provides competitive value to an org ex. McDonald’s “secret sauce”
• must be obvious and unique

• failure to execute due care / diligence by management can be negligence

  • culpable negligence is often used to prove liability

• prudent man rule

  • perform duties that prudent people would do in a similar situation

• due diligence

  • doing the necessary research

• due care

  • taking the necessary actions

• downstream liabilities

• national, territorial and state laws and regsulations protect sensitive info

  • can be tricky: depends on org location, customer location, cloud provider location, etc.

• PCI DSS (Payment Card Industry Data Security Standard)

  • self-regulatory, and applies worldwide to credit card transactions

• work with legal department to resolve jurisdiction issues

• orgs must protect info throughout the data lifecycle

• PII (personally identifiable info)

  • any info that can be traced back to an individual

• PHI (protected health info)

  • individually identifiable health records governed by HIPPA

• GAPP (Generally Accepted Principles and Practices):

  • developed by
    • AICPA
    • CICA
    • ISACA
    • IAA

• governed by ten principles:

  1. Management
  2. Notice
  3. Choice and Consent
  4. Collection
  5. Use, Retention and Disposal
  6. Access
  7. Disclosure to Third Parties
  8. Security
  9. Quality
  10. Monitoring and Enforcement

• all ten ensure development of a comprehensive info privacy program

• ISO 27018: PII in the cloud

• privacy impact assessments should be done regularly by orgs

• some infosec laws involve criminal penalties

• CFAP

  • makes hacking illegal
  • prohibits:
    • unauthorized access to computer systems
    • malicious code creation

• ECPA (Electronic Communications Privacy Act)

  • restricts government interception of electronic communications

• ITDA

  • makes ID theft a federal crime

• software is important intellectual property
• it’s protected by software agreements

• different types based on use
  • individual use
  • amount of data use
  • location of use
  • number of servers in use
• agreement types
  • negotiated contracts
    • usually many rounds of back-and-forth between org and vendor
  • click through agreements
    • typically not read
  • shrinkwrap agreements
    • rarely used today

• intellectual property must be protected from unauthorized use

• protects creative works
• automatically applied when work is created
  • don’t necessarily have to apply
• 70 years beyond the creator’s death
• after 70 years, moves into the public domain

• protects words and symbols
• must register
  • renewable every 10 years
  • must be in active use, inactive use expires after 5 years of inactivity
• ™, ® after registered with the government

• protects inventions
• requirements
  • novel: is it a new idea?
  • useful: is it of value?
  • non-obvious: you can’t patent the wheel!
• usually protects for 20 years after filing
• requires public disclosure (through filing documentation)
  • enters into free-use after patent expires

• alternate to a patent
• no public disclosure

• countries have restrictions on what can come into and out of the country

• export controls: restrict the flow of goods and data

  • ITAR (International Traffic in Arms Regulations)
    • defense articles
    • plans for defense articles

• EAR (Export Administration Regulations)

  • covers “dual use” items
    • lasers, GPS, naval equipment, etc.
      * OFAC (Office of Foreign Assets Control)
  • covers restrictions of exports to sanctioned countries

• consequences
  • reputation damage
  • identity theft
  • fines
• laws and regulations govern response to breaches
  • industry specs.
    • HIPPA
    • SOX
    • PCI DSS
  • jurisdiction specs.
    • states
    • federal government
    • GDPR
• common PII elements that can be breached
  • SSN
  • driver’s license
  • bank account #
• orgs must notify victims and the government
• encryption can protect the org
  • many notification laws/requirements have an exemption for breached encrypted data

• infosec professionals are bound by codes of ethics
  • org code
  • (ISC)²

important
(ISC)² members must report violations of code of ethics.

• written guidance is crucial to security

• foundation of security program

• compliance is mandatory of all employees

• approved by highest level of the org

• not specific — must be able to stand test of time

  • example: “must encrypt all sensitive data,” not “all sensitive data must be encrypted by 3DES”

• three types:

  • corporate/organization
    • management’s intent
  • system-specific
    • usually for a specific system (i.e. a domain controller)
  • issue-specific
    • change management
      • how to make and track changes. only approved changes are made
    • acceptable use
      • how employees can can use company resources
    • privacy
      • expected by employees. if infringed, must be notified.
        notification is vital and best practice.
    • data/system ownership
      • making clear who owns the system and who owns the data
    • separation of duties
      • no one individual has too much power.
      • forces collusion. if more parties are involved, they are less likely to succeed
    • mandatory vacations
      • detective control. can detect a bad employee - perform an audit while they are out
    • job rotation
      • detective control. similar concept to mandatory vacations. also provides redundancy.
    • least privilege
      • action
    • need-to-know
      • data
    • dual control
      • two people are needed to perform an action
    • M of N control
      • similar concept to dual control but more people. m and n are variables. ex. 4 of 15 admins needed to make a change.

• specific details of security controls
• derive authority from policy
• less vigorous approval process
• compliance is mandatory of all employees
• often draw on benchmarks
  • CIS benchmarks
  • vendor guidelines

• security advice to the org
• follow industry best practices
• not mandatory for all employees
• “should” not “shall”

• step-by-step processes for activities
• mandatory or optional

exam tip
policies and standards are mandatory.
guidelines are optional.
procedures can be either mandatory or optional.

• crucial component of cybersec.

• foundational authority for data security efforts
• sets clear expectations for data security responsibility
• guidance for requiring access to data
• process for granting exceptions to policy

• appropriate storage locations
• access control requirements
• encryption requirements

• what data can be transferred
• transport encryption requirements
• acceptable transfer mechanisms

• Data Retention Policy

  • minimum/maximum periods that org will retain different data
    • keep data as long as needed, but no longer

• Data Disposal Policy

  • proper techniques for disposing of data

• what data can be moved / stored in the cloud
• how the org approves cloud use

• core responsibility of cybersec professionals
• controls are designed to keep business running in the face of adversity
• sometimes called COOP (continuity of operations plan)
• primary control for maintaining availability

• what business activities should be covered?
• what systems should be covered?
• what controls should be considered?

• goal

  • identify and prioritize risk

• results

  • list of risks and ALE

• BCP in the cloud is a partnership between the org and cloud provider

• redundancy protects against a failure of a single component

• single point of failure (SPOF) analysis

  • identifies and removes SPOF
    • examples:
      • web server → replace w/ cluster
      • firewall → add another for high availability pair
  • continues until cost of addressing risk outweighs benefits of implementing fix
  • analysis should consider multiple risks
  • remember to perform succession planning for staff as well
    • who would replace someone if they left?

• multiple systems protect against a service failure

• protect services against disruption from small failures

• spreads demand across systems

• power supplies
  • moving parts (fans, etc.)
  • high failure rates
  • can be redundant
    • two PSUs on one server
  • data centers can use multiple power suppliers
• storage
  • RAID
    • RAID-1: stores same data on two disks
    • RAID-5 data striping with parity, 3+ disks
    • RAID provides fault tolerance, it is not a backup plan
• networking
  • multiple ISPs
  • NIC teaming
  • redundant networking
  • multi-path networking (especially storage)

• use diverse…
  • technologies
  • vendors
  • cryptography
  • security controls

• important part of the foundation of security
• security program should be built around it
• handle security policy violations carefully
  • never handle alone w/o HR, legal, management
• question to ask: what personal use of org resources are acceptable on the org network w/ org data?
• education is the best defense against social engineering attacks
• insider threats are significant
  • 25% of data breaches are from an insider
  • defense
    • background investigation
    • monitoring
    • manager training
    • data loss prevention

• hiring is an important decision
• poses a significant threat to the org re: insider threats
• pre-employment screening new employees prior to hiring

• criminal record check
• sex offender registry
• reference checks
• education and employment history verification
• credit check
  • will need candidate consent

• should include an NDA
• should include provisions for asset return
• include security policy in new hire training and orientation
• ensure that vendors / contractors / consultants are subject to similar rigorous personnel security program

• should be trained on new security requirements of new position
• old privileges should be revoked

• all employees will leave
  • voluntarily
  • retirement
  • firings
• exit interviews are a good tool for gathering info and to debrief employees
  • remind them of their NDA
• access should be revoked promptly… but not prematurely
  • voluntary/retirement: end of their last day
  • involuntary
    • too soon: show your hand and they will know that they are getting canned
    • too late: disgruntled employee will still have access
• retrieving property — do so as quickly as possible, likely not to get items back after they are gone
  • keys
  • access badge
  • laptop
  • papers / electronic documents

• orgs collect sensitive info about employees
  • sensitive personal info:
    • background check results
    • SSN
    • salary and pay details
    • health / benefits info
• orgs have a legal and ethical responsibility to protect that info
• protection is acheived by:

  • minimization

    • collect the minimal amount of info about an employee
    • keep that info for the shortest amount of time needed

  • limited access

    • as few employees as possible should have access to sensitive employee info

  • encryption

  • masking

    • removing portions of sensitive data

• social media can be a valuable business tool
  • outreach
  • advertising
  • recruiting
• many attacks target legitimate accounts
• accounts should be protected
  • use MFA

• offer post approval flow

• can schedule posts

• offer comment management and moderation

• stats on engagement

• orgs should evaluate social media carefully

  • treat like a cloud service

• orgs should adopt a social media policy

  • cover personal use
  • official stances

• security professionals often conduct investigations

• seek to resolve technical issues
• seek to restore normal operations
• have a low standard of evidence
• should end with a root cause analysis

• look into possible crimes
• involve fines / jail time
• use the “beyond a reasonable doubt” standard

• resolve issues between two parties
• no fines / jail time
• use the “preponderance of evidence” standard

• conducted by government or industy regulators

• may be civil or criminal in nature

• interviews are a valuable tool for investigations

  • should always be voluntary
  • involuntary interviews are an interrogation — this should be left to law enforcement

Identify…

1. assets
2. threats
3. existing controls
4. vulnerabilities
5. consequences

feeds ↓ into

risk assessment process

• look!
  • risk docuementation
  • incident reports
  • SMEs
  • media

• need to understand the business
• risk is measured by the business, not the IT system

• risk context – every org is different
• risk management framework/strategy is universal throughout the org!
• there are three lines of defense:
  • senior management
  • users
  • audit

• orgs face a wide variety of cybersecurity risks
• addressing these risks takes time and money
• risk assessment identifies and priorizes risks to make best use of time and money

• asset
  • anything of value to the organization
• threat
  • external force that jeopardizes security
  • out of the org’s control
• threat agent
  • an actor who carries out an attack
• exploit
  • an instance of compromise
• threat vector
  • way that an external force gains access to a system
• vulnerability
  • weakness in a security control
  • a lack of a safeguard
  • org can control
• risk
  • a combination of a vulnerability and a corresponding threat
  • the probability/likelihood of a threat occurring
  • total risk
    • risk before any controls
  • residual risk
    • leftover risk after controls are implemented
  • secondary risk
    • when one risk response triggers another
• controls
• physical, administrative or technical protections against a threat
  • safeguard
    • proactive
  • countermeasure
    • reactive
• incident
  • a risk event that has happened

risk should be prioritized by likelihood and impact:

• likelihood
  • probability that a risk will occur
• impact
  • amount of damage expected
• qualitative
  • subjective judgement to evaluate risk likelihood and impact
• quantitative
  • objective numberic value

• subjective analysis to help prioritize probability and impact of risk
• can use the Delphi technique to measure
  • Delphi technique
    • using anonymous surveys
• uses terms like: high, medium, low
• inexpensive / quick way to begin prioritization of risks

• aids in data-driven decision making
• perform quantitative risk assessment for a single risk and asset

• dollar value of an asset
• techniques for determining
  • original cost
  • depreciated cost (an accounting favorite)
  • replacement cost (a risk manager’s favorite)

• expected percentage damage to an asset

• expected dollar loss if a risk materializes one time
• SLE = AV × EF

• number of times a risk is expected to occur each year
• can be a decimal if not expected annually
  • ex.: once every 20 years = 0.05 ARO

• expected dollar loss of any given year
• ALE = SLE × ARO

• time to restore a service depends on whether a component is repairable

  mean time to failure (MTTF)

  • average time a non-repairable component will last

  mean time between failures (MTBF)

  • average time gap between failures of a repairable component

  mean time to repair (MTTR)

  • average time to return a repairable component to service

• risk management and treatment

  • systematic analysis of potential responses to each risk

  • implementing strategies to control those risks

  • risk profile

    • the full set of risks facing an org

  • inherent, residual and control risk

    • inherent → control applied → residual + control

  • risk appetite

    • how much risk an org is willing to accept
    • control + residual risk ≤ risk appetite

• lessen the probability or the impact of risk
• may require several controls
• reducing risk to zero is avoiding the risk

• shift the impact of risk to another org
• insurance policy
• SLAs and contracts determine how much risk is transferred
• can’t transfer risk completely

remember:
you can’t transfer liability!

• reduce the likelihood or impact of a risk

• accept risk w/o taking further action
• no mitigation
• after cost/benefit analysis, cost of the control is determined to be more than the cost of the potential loss
• sometimes this is the only choice
• due diligence is still used, we can show that good business decisions were made
• risk levels and impacts are changing – regular reviews are needed on accepted risk
• only after thoughtful analysis

• not acceptable
• ignoring the problem… putting your head in the sand

• risk response is based on a risk assessment at a set point in time
• risk is everchanging
  • controls can become less effective
  • there are new threats, technology, vulnerabilities
• monitoring is needed

• early warning
• backwards-looking view on risk events
• documentation and analysis of trends
• indicates risk appetite / tolerance
• increase likelihood of achieving strategic objectives
• assist in risk governance
• KRIs support:
  • risk appetite
  • risk identification
  • risk mitigation
  • risk culture of the org
  • risk measurement / reporting
  • regulatory compliance

Risk must be managed because it can’t be eliminated!

• security controls

  • procedures and mechanisms that an org uses to manage security risks

• defense-in-depth

  • multiple controls for one objective

• controls can be categorized by purpose or mechanism of action

  • purpose

    • preventative controls

      • stop a security issue from stopping in the first place
      • ex. fences, gates, firewalls
      • detective controls
      • identify a potential security issue that has already happened
      • ex. log reviews, CCTV reviews
      • corrective controls
      • remediate a security issue that has occured
      • ex. AV software

    • mechanism of action

    • technical controls

      • use technology to achieve security control objectives

    • operational controls

      • human-driven procedures to manage technology in a secure manner

      exam tip
      technical controls are implemented by technology.
      operational controls are implemented by people

    • management controls

      • improve the security of the risk management program itself

• false positives and negatives

  • false positive
    • control inadvertently triggers when it shouldn’t
    • reduces confidence in the control
  • false negative
    • control fails to trigger when it should
    • gives admins a false sense of confidence

• risk control assessments only look at a single point in time

• control assessments test controls effectiveness

• ways to measure control effectiveness

  • compromised end-user accounts
  • vulnerabilities in public-facing systems
  • critical findings in web application scans
  • number of data breaches requiring notification

• assesses the state of a risk management program

• five levels of maturity

  1. Ad hoc
  2. Initial
  3. Repeatable
  4. Managed
  5. Leadership

• security programs should embrace continuous improvement

• provide proven, time-tested techniques

• risk mangagement framework
• inputs:
  • architectural description
  • organizational inputs
• steps:
  1. categorize the info system
  2. select security controls
  3. implement security controls
  4. assess security controls
  5. authorize info system
  6. monitor security controls

• orgs need to document and track risk over time

• tracks risk information

  • can be organization-wide or system-specific
  • contains the nature and status of risk

• contents

  • description
  • category
  • probability / impact
  • risk rating
  • risk management actions taken

• sources

  • audit findings
  • team members
  • threat intelligence

• threat intel

  • sharing of risk info
  • may be used strategically or operationally

• risk matrices / heatmaps

  • used to provide easily deigestable information to sr. mangement

• set of activities that an org takes to…
  • educate itself about the threat landscape
  • adapt security controls to threats
• allows the security team to stay current on cybersec threats

• uses publicly available info from various open sources
  • security websites
  • vulnerability databases
  • news media
  • social media
  • darkweb
  • info sharing centers
  • file repos
  • code repos
  • security researchers

• many security companies offer proprietary threat intel solutions
  • these solutions may feed into firewalls, proxy servers, IDSs, etc.
• criteria for evaluating these solutions
  • timeliness
  • accuracy
  • reliability

• use TAXII, STIX, CybOX
• functions supported by intelligence:
  • incidence response
  • vulnerability management
  • risk management
  • security engineering
  • detection and monitoring

• Information Sharing and Analysis Centers
• bring together teams from competing businesses to share intelligence
• usually non-profit organizations

• threat modeling identifies and prioritizes threats
• use a structured approach for identification
  • asset-focsued
    • use asset inventory for basis
  • threat-focused
    • identify specific threats that may affect each info system
  • service-focused
    • identify impact of threats on a specific service

• cybersec used to see role as building an impenetrable defense

• that’s a naïve approach

  • need to make the “assumption of compromise”

• threat hunting

  • organized systemic approach to seeking out indicators of compromise using expertise and analytic techniques
  • threat hunters must think like attacker
  • develop a hypothosis, then go hunting

• indicators of a compromose

  • unusual binary files
  • unexpected processes running or system consumption (CPU, RAM)
  • deviation in network traffic
  • unexplained log entries
  • unapproved configuration changes

• vendors play crucial role in the IT supply chain

• business partner due diligence

  • security professionals should pay attention to business partnerships to protect CIA
  • ensure that vendors’ security policies are at least on par with the org’s

• Vendor selection

  • may be formal (using an RFP)
  • may be informal
  • should include…
    • security requirements
    • assessment of vendor’s risk management policies

• Vendor onboarding

  • verify contract details
  • arrange for secure data transfer
  • establish incident procedures

• Vendor monitoring

  • conduct site visits
  • review independent audits
  • handle security incidents

• Vendor offboarding

  • destroy confidential info
  • unwind business relationship

• may start process again w/ same or different vendor

• ISO 27036: infosec for supplier relationships

• help facilitate vendor relationships

• NDAs protect confidential info

• service level requirements (SLRs)

  • describe requirements of vendor’s services
  • examples:
    • response time
    • availability
    • data preservation
  • SLRs should be documented in an SLA

• other agreement types

  • MOU: memorandum of understanding
  • BPA: business partnership agreement
  • ISA: interconnection service agreement
  • MSA: master service agreement
  • SOW: statement of work

• document security and compliance requirements
• facilitate customer monitoring of compliance
• ensure the right of audit and assessment

• agreements should contain clear data ownership language

• customer should retain uninhibited ownership of their data
• vendor’s right to data use should be limited to…
  • activities performed on behalf of the customer
  • activities performed with the customer’s consent
• agreements should
  • limit data sharing with third parties
  • include data protection provisions

• verify that security controls function properly

• evaluates security controls

• provides a report

• should always begin with a planning process

  • outlines scope of engagement
  • timeline for completion
  • expected deliverables
  • reduces the likelihood of misunderstandings later

• assessments vs. audits

  • assessment
    • usually requested internally
      • IT staff, management, etc.
  • audit
    • often imposed by external requirements
      • board of directors, regulators, etc.

• internal vs. external auditors

  • internal auditors
    • work for the org
    • report independently from area being audited
    • work at the request of org leadership
  • external auditors
    • independent firms
    • work at the request of external groups (board, regulators)

• audits should always have clearly defined scopes

• user access reviews

  • validate rights and permissions of users’ accounts

• gap analysis

  • provides a roadmap of future work
  • provides a list of controls that are missing or not functioning

• cloud service use adds complexity to audits and assessments
• use of cloud services expands audit scope
  • not possible to physically do
    • can’t visit every location that a cloud provider maintains
  • cloud providers couldn’t keep up with audit requests from all of their customers
  • must rely on SOC reports

• system and org controls

• covered by SSAE 18 in the US
• covered by ISAE 3402 internationally

• offer managed IT services to customers

• offer managed IT security services to customers
• if used, must be carefully monitored and documented
• examples of services offered
  • management of entire security infrastructure
  • monitoring of system logs
  • management of firewalls and network security
  • performance of IAM

exam tip
MSSPs may also be referred to as security as a service (SECaaS)

• add a third party security layer between an org and their cloud service provider
  • network-based CASBs
    • intercepts network traffic between the org and cloud
    • monitors traffic for security issues
    • can block access if issue discovered
• API-based CSABs
  • queries cloud service by API and monitors
  • may be limited by API access and what information is available from API

• train your people
• … through awareness, training and education
• the goal is to modify employee behavior

• security training programs help educate users about risks
• users can’t follow procedures and rules if they don’t know about them
• can increase reporting after training… because users now have knowledge of procedures and how to report issues

• provides users with detailed info about how to protect the org’s info

• security training methods

  • in-person classes
  • integration into orientation and onboarding
  • online learning
  • vendor-provided classroom training

• should use a diversity of training techniques

  • phishing simulations
  • gamification
  • capture-the-flag events
  • security champions that share cybersec messages w/ peers
  • training should be customized based on user roles

• training frequency

  • initial training during onboarding
  • updated training when users change roles
  • annual refreshers
  • awareness campaigns during the year

• remember to review training materials periodically to ensure relevancy

• reminders of lessons learned to keep training in mind

• orgs often face external requirements to implement security controls

• complaince programs

  • ensure that org’s infosec controls are consistant w/ laws/regs/standards that govern the org

• compliance obligations should be a part of security training

• begin compliance efforts with gap analysis

• security training should educate users on good security practices
  • secure password practices
  • clean desk polices
  • data handling practices
  • reminders of NDA terms
  • physical security
    • reminders about tailgating
  • BYOD policy
    • acceptable use
    • security policy
  • acceptable use policy
    • violations
  • social media policies
  • peer-to-peer network policies

• should measure the effectiveness of security training/awareness efforts
  • simulated phishing
    • directly measures user awareness
• security awareness surveys
  • measures awareness over time
  • can use results to change training and tactics as needed