Daily Security Awareness Training - PowerPoint PPT Presentation
Provided by: khanhlu
Slides: 28

Transcript and Presenter's Notes

1
Daily Security Awareness Training
  • January 2, 2009

2
Topics
  • TOD Concept of Operations
  • Daily TOD operation
  • User Customization
  • Alerts
  • Organizational Reporting
  • Organizational Customization
  • Implementation Process

3
Current Events Highlight Challenge
4
Management Responses Needed and How ToD Handled Them
OMB requires a reminder to every employee, with statistics on delivery. You can't do that with e-mail.
From: CIOs and Deputy CIOs [mailto:CIO-DEPTCIO@LISTSERV.GSA.GOV] On Behalf Of Evans, Karen
Sent: Wednesday, June 07, 2006 5:05 PM
To: CIO-DEPTCIO@LISTSERV.GSA.GOV
Subject: CIOCD Request for Information
Importance: High

Hi Everyone,

By 8:00am tomorrow morning, I need to have a status of where you are on the requirement included in the May 22, 2006 memo from Clay which states: "In addition, please ensure your agency employees are reminded within the next 30 days of their specific responsibilities for safeguarding personally identifiable information, the rules for acquiring and using such information as well as the penalties for violating these rules."

Please report the percentage of employees notified and the method of notification.

Thanks in advance,
Karen
5
Response Provided
  • Tips of the Day provided statistics on:
  • Who read the message,
  • Whether it was understood, and
  • Who didn't receive it.

Delivery was achieved within 2 days, not 30.
From: Streufert, John (M/DCIO)
Sent: Thursday, June 08, 2006 8:40 AM
To: 'Evans, Karen' Karen_Evans@omb.eop.gov; 'Schlarman, Glenn R.'
Cc: Bussow, Mark; Heneghan, Phil (M/DCIO); Moore, George (M/DCIO); Hughes, Mike (M/AAAINS); Alumbaugh, John (GC/LE); Haiman, Arnold J (GC)
Subject: RE: CIOCD Request for Information
Importance: High

Karen,

Summary. Within 24 hours after Clay Johnson's notice (May 23, 2006) USAID had notified its staff in 20 time zones world-wide regarding employee responsibilities for protecting personally identifying information as a result of the Veterans Administration incident. This event included confirmed receipt of delivery to individuals by name at 80 overseas locations, awareness training and testing of concept understanding.

...

  • 97.7% coverage (8,268 people)
  • All Agency employees who failed to answer the True/False question concerning the VA incident correctly the first time were immediately retested.
  • Fifty-five employees world-wide answered the question incorrectly twice.
  • And 169 personnel did not respond to the test.

6
Tip of the Day Meets These Needs
  • New threats need quick response and confirmation that the threat was understood.
  • Adults learn by doing: daily security interactions build habits and reinforce learning.
  • Users need the big picture: comprehensive training for new users and transgressors, periodic refreshment.

7
Lines of Business Criteria
  • Improve security decision-making
  • Establish common solutions
  • Reduce costs through shared services
  • Improve level of information security
  • Consolidate certain products and services

8
JSAS Offers Leading
  • People
  • Process
  • Technology

9
People
  • Security Subject Matter Experts
  • Certified Security Practitioners
  • Threat Specialists
  • Policy analysts
  • Instructional Systems Designers
  • Adult learning specialists
  • Data Managers
  • Slicing and dicing data to support metrics

10
Processes
  • JSAS Elements
  • Awareness Needs Assessment
  • Customer Relationship Management
  • Content Management
  • Technology Management
  • Risk Management
  • Rapid Response
  • Metrics: Effectiveness and Efficiency
  • Training Administration
  • Annual Training and Daily Reminders

11
Technology
  • The Joint State-Aid Solution is
  • Easy To Use
  • Comprehensive and Complete
  • Timely, Compliant and Secure
  • Flexible Delivery
  • Annual Training
  • Daily Refresher

12
Awareness Package
  • Adults Learn By Doing (Effective)
  • Comprehensive Awareness Course
  • Awareness Daily Reminder
  • Required Interaction
  • Results (Efficient)
  • Instant Feedback
  • Certificate of Completion
  • Automated Administration

13
Normal Operation
  • User logs into system and receives a tip
  • User reads the question.
  • User presses one button to answer.
  • Single sign-on.
  • User may not need to read the tip.
  • No user navigation is required
  • Concise and Actionable.

14
What if I miss a Question?
  • User is warned when they miss a question.
  • They may click Close to continue, or
  • They may click "Review my Results" to see a report and review the tip.
  • (User cannot change their answer.)

15
User Report: Review My Results
User may click to review the tip.
16
User Customization
  • User Options
  • Reached from the Options link on any tip.
  • User may choose to get more tips, or tips less often.
  • For Section 508 compliance, user may request text-only tips, which are black and white.

17
Organizational Metrics
  • Organization's Score
  • Individual's Score
  • Diagnostic Symptoms
18
Agency-Specific Content Frequency
  • Users have system roles,
  • which contain content categories,
  • which contain tips.
  • Customer agencies have great flexibility in setting up tip frequency by role, category, and/or individual tip, to fine-tune content to emerging issues/threats.

19
Categories of Tips
20
Agency-Specific Configuration
These Configurable Features, and More
  • Systems Covered
  • System Roles Covered
  • The probability of selecting content from a
    System Role
  • Categories of content within each System Role
  • The probability of selecting a category within
    the selected system role.
  • Tips within each category.
  • The probability of selecting a tip from within a
    category
  • New User Defaults
  • New User Default Alerts
  • Customer Organizational Structure
  • Customer Organizations
  • Organizational Contact Types
  • Contact Address Types
  • User-Account Types (active, inactive, group,
    etc.)
  • User Roles for Administration and Reporting
  • Method of linking users to organization (via
    domain or directly).
  • Questions for each set of tip-content.
  • Buttons that are used for answers.
  • Buttons for each tip-content/question
    combination.
  • Whether to record user IP address
  • Whether to record user machine name
  • Whether to record user MAC address
  • Passing Grades, etc.
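Slides 18 and 20 describe the content-selection model: a user holds system roles, each role holds content categories, each category holds tips, and the agency sets a probability at every level (with scheduled alerts that every user receives at next login, slide 25). The following is an added example of that three-level weighted draw, written for this page rather than taken from the JSAS product; the class names, the `sample_config()` roles, categories, tips and weights, and the `boost_tip()` helper are all constructed assumptions. It also reports each tip's effective delivery probability, which is what an administrator needs in order to fine-tune frequency for an emerging threat.

```python
"""Hierarchical, weighted tip selection: role -> category -> tip.

Added example, not code from the JSAS / Tip of the Day product. The class
names, the sample roles, categories, tips and weights are constructed for
illustration only.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tip:
    tip_id: str
    text: str
    question: str          # one-button True/False question shown at login
    weight: float = 1.0    # relative probability within its category


@dataclass
class Category:
    name: str
    tips: List[Tip]
    weight: float = 1.0    # relative probability within its system role


@dataclass
class SystemRole:
    name: str
    categories: List[Category]
    weight: float = 1.0    # relative probability among the user's roles


def _normalize(items) -> List[float]:
    """Convert relative weights into probabilities that sum to 1."""
    total = sum(i.weight for i in items)
    if total <= 0:
        raise ValueError("at least one weight must be positive")
    return [i.weight / total for i in items]


def effective_probabilities(roles: List[SystemRole]) -> Dict[str, float]:
    """Chance that a given tip is the one delivered at a login:
    P(role) * P(category | role) * P(tip | category), summed over any
    duplicate placements of the same tip id."""
    probs: Dict[str, float] = {}
    for role, p_role in zip(roles, _normalize(roles)):
        for cat, p_cat in zip(role.categories, _normalize(role.categories)):
            for tip, p_tip in zip(cat.tips, _normalize(cat.tips)):
                probs[tip.tip_id] = probs.get(tip.tip_id, 0.0) + p_role * p_cat * p_tip
    return probs


def select_tip(roles: List[SystemRole], rng: Optional[random.Random] = None,
               pending_alerts: Optional[List[Tip]] = None) -> Tip:
    """Pick the tip for this login. A scheduled alert, if any, pre-empts the
    random draw so every user sees it at their next login."""
    if pending_alerts:
        return pending_alerts.pop(0)
    if rng is None:
        rng = random.Random()
    role = rng.choices(roles, weights=[r.weight for r in roles])[0]
    cat = rng.choices(role.categories, weights=[c.weight for c in role.categories])[0]
    return rng.choices(cat.tips, weights=[t.weight for t in cat.tips])[0]


def boost_tip(roles: List[SystemRole], tip_id: str, factor: float) -> None:
    """Raise one tip's weight in place, e.g. for an emerging threat (constructed helper)."""
    for role in roles:
        for cat in role.categories:
            for tip in cat.tips:
                if tip.tip_id == tip_id:
                    tip.weight *= factor


def sample_config() -> List[SystemRole]:
    """Constructed configuration for one user holding two system roles."""
    return [
        SystemRole("General User", weight=3.0, categories=[
            Category("PII Handling", weight=2.0, tips=[
                Tip("pii-1", "Encrypt PII before e-mailing it.",
                    "PII may be sent unencrypted inside the agency network. True or False?",
                    weight=3.0),
                Tip("pii-2", "Lock your screen when you step away.",
                    "An unattended unlocked workstation exposes PII. True or False?",
                    weight=1.0),
            ]),
            Category("Phishing", weight=1.0, tips=[
                Tip("phish-1", "Hover over links before clicking.",
                    "A link's visible text always matches its destination. True or False?"),
            ]),
        ]),
        SystemRole("System Administrator", weight=1.0, categories=[
            Category("Privileged Access", tips=[
                Tip("priv-1", "Use your admin account only for admin tasks.",
                    "Reading e-mail with an admin account is acceptable. True or False?"),
            ]),
        ]),
    ]


def simulate(roles: List[SystemRole], logins: int, seed: int = 0) -> Dict[str, float]:
    """Observed delivery frequency per tip over many simulated logins."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(logins):
        tip = select_tip(roles, rng)
        counts[tip.tip_id] = counts.get(tip.tip_id, 0) + 1
    return {k: v / logins for k, v in counts.items()}


if __name__ == "__main__":
    roles = sample_config()
    observed = simulate(roles, 20000)
    for tip_id, p in sorted(effective_probabilities(roles).items()):
        print(f"{tip_id:8s} expected {p:.3f} observed {observed.get(tip_id, 0.0):.3f}")
```

Running the block prints expected versus observed frequency per tip over 20,000 simulated logins; with the constructed weights the expected values are 0.375, 0.125, 0.25 and 0.25. `boost_tip()` shows how raising one tip's weight changes the effective probabilities without editing the rest of the hierarchy, which is the "fine tune content to emerging issues/threats" knob slide 18 refers to.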

21
Forming A Partnership
  • Step 1: Partner Survey
  • Step 2: Joint Engineering
  • Step 3: Provide JSAS as Partner
  • 3.1 Roles
  • 3.2 What you receive
  • 3.3 Service Level Agreement

22
Step 1: Partner Survey
  • Data Needed
  • Users (Volume and Variants)
  • Client workstations (configuration, locations,
    login scripts, workstation administrators)
  • Network and Firewall Structure (including modes
    of user connectivity, domain structure, etc.)
  • Extranet Connection Policies.
  • Likely timing of daily TIP distribution.
  • Pilot training delivery to about 100-1000 users.
  • Decisions Needed
  • To what degree do you want/need to customize our
    generic content?
  • What adjustments do you want to make to the
    normal distribution of roles and responsibilities
    between you as partner and JSAS as your support
    team?
  • Your environment and decisions drive our
    partnership

23
Step 2: Joint Engineering
  • This is scoped, based on the partner survey
  • Deliverables
  • Requirements document specific to your needs.
  • Technical architecture/design for implementation.
  • Organizational architecture/design for
    implementation.
  • Alternatives analysis showing tangible benefits
    and cost savings.
  • Cost/Schedule/Plan for implementation/operation.
  • Proposed Service Level Agreement specific to your
    needs.
  • Test results of training delivery from all your
    workstation/network configurations.
  • Orientation of your staff.
  • Documentation of Operating Procedures for
    Implementation.
  • Decisions Needed
  • How would you like to structure our partnership?
  • How soon shall we start to meet your 2009
    training requirements?
  • Result: A clear contract for our partnership

24
Step 3.1: Provide JSAS as Partners
  • JSAS Partners for Excellence Roles
  • Security Awareness Team
  • TIP Users (JSAS-TOD-Recipients)
  • Login Script Managers
  • Network Administrators/Security Managers
  • Your Help Desk
  • JSAS Troubleshooting Team
  • JSAS Central Support Team Roles
  • JSAS-Training Delivery Support Team
  • Web Services and Tips of the Day Support Team
  • Network Administrators/Security Managers
  • Oracle Database Administrators
  • You can adjust this allocation.
  • We have draft responsibilities for each role.

25
Step 3.2: Provide JSAS as Partners
  • You receive
  • Tools to customize and administer your content (future).
  • Regular updates to generic JSAS content.
  • Ability to customize content delivery by user
    roles.
  • Delivery of TIPS at user login (typically 1 per
    day).
  • The ability to schedule Alerts to all users at
    next login.
  • Regular reports on individual and organizational
    training performance (content delivery and test
    results).
  • Trouble reports.
  • Support for your team to effectively integrate
    your workstations and network with our JSAS
    extranet.
  • Performance that meets our joint Service Level
    Agreement.
  • Input into JSAS program CCB enhancement priorities and schedule.
  • At a predictable fixed cost per year.

26
Step 3.3: Provide JSAS as Partners
  • Our Service Level Agreement covers our mutual
    responsibilities.
  • These include
  • Content and User Management and Data Services
  • TIP Delivery Services
  • Data Recording Services (Training Delivery, User
    Tests, and Diagnostics)
  • Report to users on their personal test results
  • Reports to you on delivery/results by user and
    organization
  • Help Desk Support (Level 1 and 2)
  • Performance of our Infrastructure
  • Connectivity Services
  • Level 2 Trouble Diagnosis/Resolution Services
  • Security Services
  • Privacy Services
  • 508 Compliance Service
  • We are committed to the excellence of your
    Cybersecurity Program

27
Partners for Excellence in Security Awareness
Training
  • Working together to
  • Meet all your FISMA refresher security awareness
    training requirements in FY09.
  • Significantly reduce your training costs.
  • Improve your FY09 security grade.
  • What can we do to support you in preventing Cybersecurity incidents?