Last reviewed: June 2017
This guide is for campuses with an existing Information Security Awareness Program that may be able to dedicate more time and resources to developing their own materials.
Table of Contents
Rotate Key Messages as Monthly Themes Throughout the Year
Customize a Security Awareness Website
Develop and Brand Campus-Specific Posters and Videos
Develop and Brand a Campus-Specific Security (Awareness) Newsletter
Develop or Outsource Training Materials
Build Relationships (Internal and External)
Communicate Policies and Procedures
Send Community Alerts as Needed (Use Credible Sources; Keep Messages Short and Simple)
Create and Deliver Presentations
Establishing an annual schedule for educating your community helps to deliver a more coherent message and allows subsequent communications to build on previous ones. The schedule can be based on your community's needs as identified through a risk assessment analysis, or can be based on best practices and standards. For example, you can use the following strategies:
Break the year into three topic areas as follows:
Each of the four-month periods can be further broken down into a development cycle:
Selection of topics can be further fine-tuned by local, national, and international trends or new requirements.
Another approach is outlined in the new year-round Campus Security Awareness Campaign, which is a framework designed to support security professionals and IT communicators as they develop or enhance their own security awareness plans. Materials include monthly security topics and 12 blog posts on the monthly topics with ready-made content for your campus communications channels. (Three dozen guest blogs developed between 2016 and 2018 are currently available.)
You can use these resources to create a steady stream of privacy and security awareness information for faculty, students, and staff. Adapt the content to make it work with your current plans and campus needs--promote each suggested topic monthly or use a 90-day awareness plan to promote a group of topics quarterly.
For additional suggested themes and ideas see the Cybersecurity Awareness Resource Library.
Now that you have the basic framework for a security web site in place, it's time to decide whether to take it to the next level. While it may seem trivial, maintaining an effective web presence can be a time-consuming task. Numerous tools exist to make this process easier, but the rule of thumb is that, for a larger and more comprehensive site, the work required to maintain it is inversely proportional to the amount of effort spent on building the site and associated management tools. Review this guide, and then make decisions upfront about how much time (and money) you can invest. This will help you plan accordingly.
Read: Developing Your Campus Information Security Website
This document provides a great start, offering five key elements for a successful web site, plus a list of numerous other college and university security web sites.
It's nearly impossible to fight every fight, especially on a higher education budget. There are countless security and privacy issues out there, and your site can't possibly serve as your school's comprehensive resource for all of them; there simply aren't enough hours in the day. Start to listen and learn what applies most to your constituents. Communicate with your incident response staff, and focus on content that will best fill in the security gaps at your institution.
As the Security Awareness Quick Start Guide mentions, leverage the work of other EDUCAUSE institutions that make their work available, in addition to other non-higher ed resources, such as sites by the National Cyber Security Alliance and the U.S. Federal Government (e.g., OnGuardOnline.gov or Stop.Think.Connect.). You can find great topics and plenty of reusable content, either to link to or repurpose on your site.
Using a Content Management System
The most effective way to maintain an updated web site is to employ some sort of web content management system. Many open-source systems are freely available, easy to set up and deploy, and have large development communities. That said, the rule of thumb applies: designing a site that makes it simple for multiple users to contribute content and yields a more extensible framework means you'll spend a bit more time building the site infrastructure. Consider employing date stamps on information, expiration dates, or scheduled reviews of the content along with assigned roles and responsibilities to check currency of information annually, semi-annually or before the start of each academic session. Also consider using a QA tool (often offered through your web publishing group) that monitors pages for broken links, misspellings, and other minor errors.
Leveraging Social Networking and Related Media
Many security awareness professionals utilize social media, such as Facebook, Twitter, blogs, and more. These can be a powerful yet easy way to connect with members of your college/university community, especially students. Tools like this bring most of the infrastructure with them, so you need only worry about the content. Remember though, most Facebook and Twitter users are used to checking in with these tools for new and updated information. If you let your content become stale, people may not feel it's worth their while to check in with your pages. Consider delegating rotating “social media duty” to a small team of employees to ensure new content is added on a regular basis.
When using social media for communications, keep in mind that these channels can also be compromised. Check security and privacy settings on a regular basis and be sure to keep track of which employees can access each account. Here is a cautionary tale from the University of Michigan: Hacked: A Case Study.
Location Location Location
Just as in the real world, location in cyberspace can assist you immensely. Choose an effective URL, or even better, start an information security campaign or brand and package the URL as part of that. Several institutions currently employ this approach:
If you're not quite ready to begin an entire campaign or brand, start small. A good URL will be easy to remember, type, and say verbally, such as at an event or over the phone. You may decide a brand is the way to go later (as you read through this guide), and a web site can always be redesigned or tweaked to include updated campaigns and themes.
Web Standards Can Help You
Building a site that follows good Web practices can only serve to help you, now and in the future. Marketing and design companies try to sell people on concepts such as search engine optimization, which is really just smoke and mirrors. There's no secret or trick with modern search engines (like Google, Yahoo, or Bing) - except good, clean, well-formed HTML that complies with web standards. Other benefits of taking web standards into account are: better usability, improved accessibility for screen readers and other such devices, and an extensible infrastructure that allows you to easily repurpose your content for a wide array of audiences and consumption mediums.
Additionally, well-formed content will more easily allow for inevitable redesigns and rebranding. Remember, the more effort you put in to building a site, the greater the flexibility and robustness later on.
For more about web standards, visit:
Campus-specific posters allow you to address those security issues that present the greatest threats at your campus. By creating posters specific to the audience, one can more effectively deliver the message. In the following examples, Purdue University staff designed a series of 50's style cartoon characters promoting safe use of computers and internet/network connectivity that were posted throughout its entire residence hall system.
When Purdue was promoting an emergency text messaging system, they featured one poster targeting the student demographic and another to market to staff and faculty.
Short informational videos are also popular and can be shared via websites, social media, or TVs on campus.
Additional materials could include postcards, bookmarks, flyers, screensavers, etc.
These are just a few examples of the printed or digital materials that can be used to promote computer security awareness. For additional examples of videos, posters, and other materials created by institutions that can be modified for re-use, please visit the Cybersecurity Awareness Resource Library.
Newsletters are a good way to supplement your security awareness message. Their expanded format lets you stretch out beyond incident bullets and headline splashes on home pages. They can provide in-depth explanations of current threats, promote local security initiatives, and allow you to reach your audience on a personal and emotional level through shared stories, such as dealing with identity loss after the theft of a laptop.
If you haven't prepared a newsletter before, begin by looking at others' publications for inspiration and what might work for you (see below for some examples). For some general tips on newsletter development, read Newsletter Design and Publishing or Graphic-Designs for Hard Times and 12 Most Common Newsletter Design Mistakes from the Design & Publishing Center. Free templates like those in the Microsoft Office gallery are available to help get you started quickly.
Form a partnership with your communications team to review and finalize the format and delivery of your important messages. IT staff provides the content and ensures accuracy of the information. The communications staff ensures readability and ease of understanding for the target audience.
A newsletter can be presented in a variety of formats. Consider your audience and resources when selecting what works best for you and your campus. Are you trying to reach a specific audience? If so, where do they get their information? Are you trying to stand out from other messages bombarding your campus? You may decide that with all of the electronic communication a hard copy of your newsletter in key offices may catch your readers' attention.
Here are examples of the most common formats. You may decide to go with one or a combination of two or more:
If your time is at a premium, consider using customizable materials from such sources as the Multi-State Information Sharing and Analysis Center (MS-ISAC). Their "Cyber Security Tips Newsletter" is produced monthly and can be readily adapted for local use.
RSS feeds can provide dynamically refreshed content. One example is the MS-ISAC "Cyber Security Tips Newsletter" mentioned above. It is one of several RSS sources that Rutgers aggregates and includes on their security site.
New Mexico State University developed in-house IT Compliance and Security Awareness training for faculty, staff, and students. More details about NMSU's approach are in the EDUCAUSE Review article, "IT Compliance Framework for Higher Education."
Partner with your institution’s learning and development team so your training materials incorporate best designs and techniques for adult learning and engagement. If you are interested in learning more about instructional design
Learn more about third-party security awareness training tools
6) Build Relationships (Internal and External)
Building relationships on or off campus helps you discover resources that you may not be aware of and helps you access those resources more efficiently when you need help in time sensitive situations.
One critical task for IT or information security departments is communicating about campus policies and procedures. This includes highlighting the most important components of those policies, communicating with students, faculty, and staff through training or other in-person educational events, and following up with students, faculty, and staff to ensure their understanding. Also be sure to include training on how and where the client can easily look up less frequently discussed policies and standards.
Additional policy website examples:
RIT (also refer to RIT's 2015-16 Information Security Office Communication Plan)
8) Send Community Alerts as Needed (Use Credible Sources; Keep Messages Short & Simple)
Information security alerts and advisories are used to warn the community of actual and potential threats. They can be delivered through e-mail and other traditional channels and should be incorporated into your institution's centralized messaging service when available. Avoid the temptation to be too wordy or too technical. You need to consider your audience, their attention span, and their technological "savvy."
Creating a template for your alerts and advisories will help recipients scan the information quickly
For e-mail alerts, make sure the subject line and initial words within the message body (“pre-header”) provide enough information that those receiving the email in mobile device interfaces recognize the importance of the alert and will open the message for further instruction.
Examples of College & University Alerts and Advisories:
Brown University provides the Phish Bowl, a central repository for reports of or questions about phishing incidents.
Princeton University also hosts a Phish Bowl on the information security office's website that shows the latest phishing alerts.
RIT maintains an Information Security Alerts and Advisories website about recent job scams, phishing attacks, and vulnerabilities.
The University of Rhode Island posts warnings to its Information Security Alerts page.
The University of Arizona has a web page dedicated to phishing alerts. (For reference, see recent scam alerts from the FTC.)
Longwood University provided an identity theft scam alert in 2013 and an eBay data breach alert in 2014.
An issue faced by most of us is how to ensure that the recipients know that the communications they've received are "official" and not part of a phishing attempt. We addressed this at RIT by drafting a Signature Standard that required specific elements in official communications
To reach students, you need to go where the students are. Students are heavy users of social networking sites such as Facebook, Twitter, Instagram, Pinterest, and Tumblr. In response, many information security departments are incorporating a social media presence into their communications strategies. Use of tools such as HootSuite and TweetDeck will enable easy one-time publishing of content that you can push to different social media sites. If you are looking for timely content to share, follow the Higher Education Information Security Council (HEISC) on Twitter (@HEISCouncil) and Facebook. You can also follow other institutions such as RIT and Brown.
REN-ISAC: Join the Research and Education Networking Information Sharing and Analysis Center (please see the membership page for instructions on how to join).
Once you’ve developed your awareness materials and built relationships across campus, it’s time to start delivering presentations to students, faculty, and staff across campus. Here are a few ways to begin your outreach efforts.
Summer activities for new students
Student orientations (Note: consider including student presenters)
Employee orientations (Note: consider adding references to important IT and security policies in the institution’s confidentiality agreements)
Res Hall meetings
Management meetings
Wellness or other campus-sponsored fairs
“Road Shows” (could be tailored to a specific audience or focus on a hot topic)
Those with a more mature security awareness program should plan to measure their successes and record attendance numbers, as well as response rates for online quizzes, surveys, key messages, phishing campaigns, and other training efforts.
Consider using services to train that include testing or measurement, such as “phishme.com” or the SANS phishing training/testing service.
Offer short quizzes at the end of a training session with an offer to participate in a drawing for those who complete the quizzes.
The IT world can be a confusing place, filled with complex and methodical information. As a result, many common terms, processes, and names in the IT world must be equally precise - some requiring four or five words to accurately describe. This has given way to hundreds of various acronyms over the years - many of which, while worlds apart in terms of functionality, can look, sound, or be spelled very much alike.
The precision with which computers and networks operate constantly requires IT professionals to be meticulous in nature, seldom leaving room to classify anything as minutiae. For instance, when setting up a firewall ruleset, a network administrator who confused SNMP with SMTP could cause a relatively dangerous vulnerability.
The security and privacy world is no different - often requiring understanding of these IT processes and names. If your security awareness program includes more and more of these, consider using a glossary to help your users understand your documentation a bit better. It may also help them grasp a firmer understanding of the scope and/or mission of your agenda.
A few institutions have begun such projects:
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).