IS Awareness in practice
Andrey Prozorov, CISM
ISACA Moscow, 28.10.2019
IS awareness is easy!
Let's print posters! :))
IS Awareness Strategy
• Why will you do that?
• What is your goal?
• Who are you targeting in your program?
• What will you teach them?
• How will you engage and communicate with people?
IS Awareness Domains:
• Intro (terms, policy, requirements, risks, objectives, incidents, roles and responsibilities…)
• Processes (information classification and labeling, change management, information transfer, incident notification, business continuity, backup and recovery…)
• Acceptable use policy (BYOD, laptops, IT services, shared folders, Internet…)
• Physical Security (badges, access control, secure areas, key management, visitors, document disposal, clear desk policy…)
• IT Security (antimalware, VPN, password policy, notification about monitoring (DLP, SIEM, web)…)
• Remote work and business trips
• Public Information (social media, presentations, PR…)
• Data protection (GDPR+)
• Special cases
https://www.patreon.com/posts/is-awareness-30631920
SANS Security Awareness Maturity Model
https://www.sans.org/security-awareness-training/reports/2019-security-awareness-report
[Figure: SANS Security Awareness Maturity Model, two slides, with staffing levels marked on the second: 2 FTEs, 3.8 FTEs]
My IS awareness programme: Chronology (2017, 2018, 2019, 2020)

Channels by year (each year keeps the previous ones):
• 2017: Document study
• 2018: Document study; the corporate portal and Shared Folders (Z); Security Presents
• 2019: Document study; the corporate portal and Shared Folders (Z); Security Presents; E-mailing (not regular)
• 2020: Document study; the corporate portal and Shared Folders (Z); Security Presents; E-mailing; Posters

Presentations (three successive sets, with version number and percentage):
• Introduction (1.0), 60%; Site security (1.0), 100%
• Introduction (2.9), 80%; Site security (2.0), 100%; Phishing (1.2), 50%
• Introduction (3.x); Site security; Phishing; Classification and Handling

Experiments and plans:
• e-Learning platform testing – Failure
• Video recording – Failure
• Posters – Failure
• Phishing and e-Learning platform testing – Failure
• Phishing platform testing – Failure
• Phishing platform (?Gophish)
• e-Learning platform (?SCORM format)
A few words about metrics
Basic metric: % of employees trained. We'll complicate it later…
In case of incidents (including tests): one more training…
Observations:
• The number of incident notifications has increased
• The number of incidents has decreased (by category)
• The number (and topics) of requests have changed
Input for CI (continual improvement)
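The basic metric and the retraining rule from the metrics slide, as an added Python example that is not part of the talk: an employee counts as trained only on the current version of a presentation (the versions listed on the chronology slide are assumed to be the current ones) and loses that status after an incident or failed test until the presentation is retaken. All employee names, dates and incident categories are constructed sample data.

```python
"""Awareness metrics on constructed records (added example, not from the talk):
% of employees trained per presentation, counting only its current version, and
the rule "in case of incidents (including tests) - one more training": an incident
after the last completion invalidates it until the presentation is retaken."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Completion:
    employee: str
    module: str
    version: str
    when: date

@dataclass(frozen=True)
class Incident:
    employee: str
    when: date
    category: str  # constructed categories, e.g. "phishing-test"
    module: str    # the presentation the employee must retake

# Current versions read off the chronology slide ("Introduction (2.9)", ...); an assumption.
CURRENT_VERSION = {"Introduction": "2.9", "Site security": "2.0", "Phishing": "1.2"}

def is_trained(emp, module, completions, incidents, as_of):
    """Current-version completion exists and no incident for that module came after it."""
    mine = [c for c in completions
            if c.employee == emp and c.module == module and c.when <= as_of]
    if not mine:
        return False
    latest = max(mine, key=lambda c: c.when)
    if latest.version != CURRENT_VERSION[module]:
        return False  # trained on a superseded version counts as untrained
    # "In case of incidents (including tests) - one more training"
    return not any(i.employee == emp and i.module == module
                   and latest.when < i.when <= as_of for i in incidents)

def coverage(employees, module, completions, incidents, as_of):
    """Basic metric from the deck: % of employees currently trained on a module."""
    trained = sum(is_trained(e, module, completions, incidents, as_of) for e in employees)
    return round(100.0 * trained / len(employees), 1)

def retraining_queue(employees, module, completions, incidents, as_of):
    """Who still needs the module: never trained, stale version, or post-incident."""
    return sorted(e for e in employees
                  if not is_trained(e, module, completions, incidents, as_of))

def incidents_by_category(incidents, year):
    """Per-category counts for one year (the deck tracks incidents 'by category')."""
    counts = {}
    for i in incidents:
        if i.when.year == year:
            counts[i.category] = counts.get(i.category, 0) + 1
    return counts

# Constructed sample data; AS_OF is the talk date.
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]
COMPLETIONS = [
    Completion("alice", "Introduction", "2.9", date(2019, 3, 1)),
    Completion("bob", "Introduction", "2.9", date(2019, 3, 1)),
    Completion("carol", "Introduction", "1.0", date(2018, 5, 10)),  # stale version
    Completion("dave", "Introduction", "2.9", date(2019, 4, 15)),
    Completion("alice", "Phishing", "1.2", date(2019, 6, 1)),
    Completion("bob", "Phishing", "1.2", date(2019, 6, 1)),
]
INCIDENTS = [
    Incident("bob", date(2019, 9, 12), "phishing-test", "Phishing"),  # failed test
    Incident("dave", date(2019, 8, 2), "lost-badge", "Site security"),
]
AS_OF = date(2019, 10, 28)

if __name__ == "__main__":
    for m in CURRENT_VERSION:
        print(m, coverage(EMPLOYEES, m, COMPLETIONS, INCIDENTS, AS_OF), "% trained; to (re)train:",
              retraining_queue(EMPLOYEES, m, COMPLETIONS, INCIDENTS, AS_OF))
    print("2019 incidents by category:", incidents_by_category(INCIDENTS, 2019))
```

With the sample data, Introduction shows 60% coverage (carol is on the stale 1.0 version, erin never trained) and Phishing drops to 20% because bob's failed test after his completion puts him back in the retraining queue.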
Content !!!
• Good Looking
  • We need a designer!
  • Buy the pictures
  • Use the photos
• Plain language
  • Native language
  • No slang
  • Humor
• AIDA
  • Attention
  • Interest
  • Desire
  • Action
• Actual / Useful
  • Real cases
  • Company / Industry
  • Region
  • Corporate culture
  • Business context
  • Personal context
• Smart Tests
  • T/F questions are better than multiple choice questions
  • Answers in the text
  • Explanations
• Easy to update
  • No video / audio
• e-Learning
  • SCORM
Good example: https://elearning.iaea.org/m2/course/index.php?categoryid=104
Usually we don't have time (and motivation) for IS awareness and training...
• IS team
• Management
• Employees
Five "S"s to Success
• Support
• Staff
• Soft skills
• Simplicity
• Smart
By SANS
Thanks!
Andrey Prozorov, CISM
My blog: 80na20.blogspot.com
My Patreon: www.patreon.com/AndreyProzorov
My LinkedIn: www.linkedin.com/in/andrey-prozorov-cism-90018530