Security Awareness Quick Start Guide

Draft Version 2.0: June 2010

Quick Start Guide (Basic)

This guide is for campuses just getting started with a Security Awareness Program. It may also serve as a checklist to assess an institution's existing program.

1) Establish an Information Security Program

EDUCAUSE provides a number of resources to help institutions develop and improve their information security programs. While larger institutions may have resources dedicated to information security, many schools may "handle" information security issues as part of their operational information technology services.

Both models depend heavily on encouraging users to use best practices Without an effective security awareness program, you'll find it difficult to help users understand the risks they face and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. Review the presentation below and consider how you can move things forward.

• Presentation from Homeland Security with checklist (see Appendix A)
• Get buy-In from upper management
• Dedicate one person to focus on security awareness
• Conduct extensive research (e.g., Surveying the Steps to a Secure Emory University, a March 2006 ECAR Research Bulletin)

2) Develop a Security Awareness Plan

Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determined how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.

The materials in this section provide the tools needed to develop your awareness plan and also provide examples of techniques used by other schools. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year over year. But don't forget to "think outside the box" as you develop your plan!

Resources

• Security Awareness Plan Template
• Advancing Digital Self-Defense: Establishing a Culture of Security Awareness at RIT (EDUCAUSE 2007 poster session)
• Creating and Maintaining a Security Awareness Program (Security 2008 presentation)
• SANS Security Awareness Roadmap

Creating a Communications Strategy: Planning Tools

• Sample Marketing Strategy (RIT 2007-8)
• Sample Communications Plan Matrix (RIT 2007-8)
• Sample Communications Plan Elements (RIT 2007-8)
• Sample Communications Plan (RIT 2004-5)
• Sample Audience Profiles (RIT 2004-5)

Alert/Advisory Templates (Consider using these templates when preparing electronic email or web portal communications regarding information security issues.)

• Advisory--Is your computer safe? (RIT 2008)
• Advisory--Online Scams (RIT 2010)

Integrating Social Networking (To reach students, you need to be where the students are--social networking sites. We've found that many students rely on these sites for up-to-date information. They don't always read their email. They do check to see what's on Facebook and other sites.)

• Facebook Fan Pages
  • KU IT Security (Be SeKUre)
  • RIT Information Security
  • VCU Information Security
  • UW Information Security
• Twitter
  • KU IT Security (Be SeKUre)
  • RIT Information Security
  • Rutgers security news RUSecure
• YouTube
  • EDUCAUSE Security Awareness Contest Channel
  • National Cyber Security Alliance Channel

3) Adopt and Modify "Key Messages"

The Higher Education Information Security Council (HEISC) is creating resources that address most facets of information security. Consult these resources for help in determining critical issues to communicate to your users.

• Develop a key message for your overall security program that fits your university culture and mission
• Awareness campaigns: look for a motto or key message that fits your current information security challenges. There are plenty of useful websites to spark your imagination, here are some examples: http://www.nativeintelligence.com/ni-free/awareness-slogans.asp, http://www.onguardonline.gov/, http://www.sans.org/reading_room/
• Review the Hot Topics pages
• Join the Security Discussion Listserv
• Other Resources: http://www.staysafeonline.org/teach-online-safety/higher-education/

4) Establish a Security Awareness Website

Establishing a security awareness website allows you to communicate effectively and efficiently with members of your university community. It can quickly become a trusted resource to:

• provide a trusted go-to resource for timely and updated information
• compile external repositories of accurate information for more in-depth reading
• act as your communication hub, promoting additional resources, such as Facebook pages, Twitter profiles, and RSS feeds

On the page linked below are some tips and suggestions for how to compile a website. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic; leverage the work of other EDUCAUSE peers and that of external organizations, like the National Cyber Security Alliance. Instead, focus on building a comprehensive list of key groups and constituencies within your college/university. After all, a great web site that no one visits won't be very helpful.

• Read Organizing Your Campus IT Security Website: Five Elements for a Successful Security Website, which provides excellent tips, as well as links to other university sites.

Additional ideas for web site components:

• Identity Theft videos by Federal Trade Commission: Fighting Back Against Identity Theft and Who's Calling - Phone Fraud
• Security Cartoons, can be placed on existing web page or printed Security Cartoon
• Anti-Phishing Working Group Public Education Initiative: APWG/CMU Phishing Education Landing Page Program
• US-CERT tips for non-technical users Cyber Security Tips
• MS-ISAC Monthly Cyber Security Tips Newsletter can be published under your university's brand/logo or linked from your website

5) Use HEISC Awareness Posters and Videos in Campus Settings

EDUCAUSE sponsors a student awareness poster and video contest. These materials are designed by students, for students, and are designed to catch their attention. Consider using these materials in your campus awareness campaigns. If you have a campus cable channel, incorporate the videos into your programming.

• 2013 contest information
• 2011 videos and posters
• 2009 videos and posters
• 2007 videos
• 2006 videos
• You can also access all of the 2006, 2007, and 2009 winning videos on the new Security Awareness Contest YouTube channel.
• Host student video contests on individual campuses. This could be modeled after the EDUCAUSE Computer Security Awareness Video Contest

6) Present "Key Messages" and Campus Resources in Existing Training Venues

• New Employee Orientation or Faculty/Staff Training
• New Student Orientation
  • Anti Piracy Quiz
  • Security Bookmark placed in student packets
  • Anti-phishing email video
  • Use a Strong Password video

7) Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications

Publishing campus newsletters allows you to target specifically the awareness issues that confront your campus or your audience of staff, faculty and/or students. Messages can be delivered at appropriate cycles, in the campus newspaper, to remind the university community of times of vulnerability to scams such as April and IRS emails or Valentines day viruses. Whatever means your campus may have to allow you to recycle the message of personal responsibility in careful use of the internet, use it. Use your television network if you have one to run short security awareness videos. Link from your website to the issues of the newsletter so anyone can view it and read it.

• Campus Newspaper
• Faculty/Staff Newsletters

8) Participate in National Cyber Security Awareness Month (NCSAM)

National Cyber Security Awareness Month (NCSAM), conducted every October since 2004, is a national public awareness campaign to encourage everyone to protect their computers and our nation's critical cyber infrastructure. Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary drivers of NCSAM, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data. The success of National Cyber Security Awareness Month rests on all of us doing what we can do to engage those around us to be safe and secure online. There are opportunities for everyone, including college students, college administrators, and libraries, to get involved.http://www.staysafeonline.org/content/get-involved-1

• Conduct Community Based Security Awareness events on campus or regionally (and share what you're doing with NCSA)
• Share these tip sheets, which provide in-depth information on how to stay safe in a variety of online settings: on social networking sites, on gaming sites, and on your mobile device.
• Visit NCSA's YouTube channel where you'll find many cybersecurity-related videos.
• Additional awareness resources are also available. Here you'll find other organizations' valuable materials that will prepare you for National Cyber Security Awareness Month.

9) Measure the Effectiveness of your Program Annually

One way of measuring the effectiveness of a security program is by employing the use of an annual user survey. This can be augmented with other types of data that one would collect over time. Consider retaining yearly data for the following:

• User awareness surveys
• Number of incidents, and helpdesk incident reports
• Computers meeting baseline guidelines
• Number of stolen mobile devices
• Participation at security events
• Awareness quiz scores

Comparing the data over time, one would hope to see better answers on surveys, less incidents, etc.

Sample Surveys

• Self Assessment
• Sample Questions

Other Resources

• ECAR Research Bulletin (2013): Measuring the Effectiveness of Security Awareness Programs
• Guide to Security Metrics
• Security Metrics Resource Page

10) Automate Services

Information Security has the daunting task of staying abreast with the latest threats and zero day outbreaks. Threats evolve and surface daily and the ability to understand and distribute the information is a challenging task. As part of information security awareness both the management and the user communities use of automated services (e.g., RSS feeds, blogs, etc.), can be an integral part of the awareness approach. Information security RSS feeds like the SANS Security Awareness Tip of The Day and US-CERT's Security Alerts allow for recommended tips and critical breaking news pertaining to the latest threats in an automated manner. Leveraging such automated services can reduce workload on information security staff while providing valuable awareness to end users (students, faculty and staff). You can share these alerts with your community by embedding RSS feeds on your campus website.

Example RSS Security News Feeds

• Anton Chuvakin Personal Blog: http://feeds.feedburner.com/AntonChuvakinPersonalBlog
• AVG Top Threats: http://feeds.avg.com/avg_top_threats
• CNET Security: http://feeds.feedburner.com/CNETNewsSecurity?tag=txt
• Dancho Danchev: http://feeds.feedburner.com/DanchoDanchevOnSecurityAndNewMedia
• InfoWorld: Security Central: http://www.infoworld.com/taxonomy/term/2535/feed
• Malware Advisor: http://temerc.blogspot.com/atom.xml
• Packet Storm Security headlines: http://packetstormsecurity.org/headlines.xml
• PC Mag security software: http://feeds2.feedburner.com/ziffdavis/pcmag/security
• SANS Institute Security Awareness Tip of the Day: http://feeds.feedburner.com/security-awareness-tip-of-the-day?format=xml
• SANS Internet Storm Center: http://isc.sans.org/rssfeed.xml
• SANS All Feeds: http://www.sans.org/rss.php
• Schneier on Security: http://feeds.feedburner.com/schneier/excerpts
• SecuriTeam: http://www.securiteam.com/securiteam.rss
• Security Adviser: http://www.infoworld.com/blogs/roger-grimes/feed
• SunbeltBLOG: http://feeds.feedburner.com/SunbeltBlog
• TechWorld security: http://rss.feedsportal.com/c/270/f/3551/index.rss
• Tenable Network Security: http://blog.tenablesecurity.com/atom.xml
• TippingPoint DVLabs Published Advisories: http://feeds.feedburner.com/DvlabsPublishedAdvisories
• TrendLabs Malware Blog: http://feeds.trendmicro.com/Anti-MalwareBlog
• US-CERT Security Alerts: http://www.us-cert.gov/channels/alerts.rdf
• US-CERT Security Tips: http://www.us-cert.gov/channels/tips.rdf
• Websense Security Labs Blog: http://community.websense.com/blogs/securitylabs/rss.aspx
• WindowSecurity.com: http://rss.windowsecurity.com/allnews.xml

Tutorial: RSS Feeds into Twitter and Facebook using Twitterfeed

• RSS Feed into Twitter and Facebook Tutorial(PDF)

#Top of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).