Last active: December 7, 2022 20:33
eLearning
On the way to work
At the workplace
Incident Reporting
On the way home
Business travel / rail / public transport
Classification of data
Encryption (SMIME/PGP/SecureFileShare) or secure data transfer
Secure passwords
Clear Desk Policy
AUP / Compliance (copyright, software procurement and licences)
Privacy and handling of sensitive (classified) data
Viruses/Trojans/malware
E-mail hygiene / phishing / spear phishing
Mobile devices / loss of company property
#Information security
Why is information security important?
Key terms (information, information security, threats, vulnerabilities, risks, ISMS, CIA)
General requirements and recommendations
Password security
Spam, phishing, spear phishing, vishing and social engineering
Clear desk and clear screen policy
Malware
Remote work and business travel
Safe web browsing
Use of social media
Information security policy
External and internal requirements
Examples of threats and incidents
Roles and responsibilities, IS team
Incident notification and response
Classification, labelling and handling of information
Transfer of information
Password and authentication policy
Acceptable use policy (AUP)
- Equipment (removable media, printers and scanners, BYOD and mobile devices, special equipment, authentication hardware and others)
- Corporate services (corporate file storage, internal portal, corporate e-mail, collaboration platforms (e.g. MS Teams), video conferencing services, remote access and others)
- Online services (personal e-mail, cloud storage, notes, documents, planners and calendars, translators, social media and messengers, etc.)
- Shadow IT
Change management (access rights, new software and hardware)
Data backup and recovery
Business continuity
Physical security (badges, access control, security areas, key management, visitors, evacuation plan, E and others)
Working in security areas
Photography, audio and video recording and live streaming in the workplace
Media policy and public relations
"Awareness policy"
Other policies and procedures
#Data protection
Why is data protection / privacy important?
Key terms (personal data, processing, controller, processor, joint controllers, PIMS, privacy)
General requirements
Principles relating to the processing of personal data
Lawfulness of processing
Rights of the data subject
Data protection policy / privacy policy
Legislation, regulation and supervisory authorities
Fines (worldwide, by country and by sector)
Roles and responsibilities, role of the DPO/DPM
Reporting of personal data breaches
Employee monitoring / privacy in working life
Privacy notices and consents
Records of processing activities
Retention period
Responding to requests
Data protection impact assessment (DPIA)
Data transfer
Transfer of personal data to third countries
Security of personal data
Data protection by design and by default
Other policies and procedures:
- ISO 27001 (7.3 Awareness, A.7.2.2 Information security awareness, education and training)
- CIS Control 14: Security Awareness and Skills Training
- PCI DSS (12.6) / best practices for implementing a security awareness program
- ISF SoGP (PM2 Security Awareness/Education)
- NIST SP 800-50 / NIST SP 800-16
- NIST Cybersecurity Framework (PR.AT Awareness and Training)
Creating a culture in which expected security behaviour is embedded in regular daily activities and in which all relevant individuals make effective risk-based decisions and protect the critical and sensitive information used throughout the organisation from compromise. (ISF SoGP)
- CISO and IS team
- Audit and compliance, risk management, legal, IT, HR
- DPO/DPM, data protection team
- C-level
- All employees (onboarding)
- Employees who process sensitive information
- IT
- C-level
- Why is information security important?
- Key terms (information, information security, threats, vulnerabilities, risks, ISMS, CIA)
- Information security policy
- Information security objectives
- Information security principles
- Roles and responsibilities (CISO and IS team, IS committee and others)
- Policies and procedures
- Incident notification and response
- Additional materials and feedback
PM2.1.1
A security, education, training and awareness (SETA) programme should be established to promote and embed expected security behaviour throughout the organisation and establish a security-positive culture.
PM2.1.2
The SETA programme should be:
a) endorsed by executive management (to demonstrate management commitment and lead by example)
b) the responsibility of a particular individual, organisational unit, working group or committee
c) supported by a documented set of objectives based on realistic expectations
d) focused on relevant information risks (e.g. risks that are new, increasing or high)
e) delivered in short, easy to consume units and at frequent intervals
f) subject to project and change management disciplines
g) kept up to date with current practices and requirements
h) focused on changing individuals' behaviour (e.g. by engaging with them on a personal level)
i) monitored and evaluated to determine the extent of behaviour change and the programme's overall effectiveness.
A SETA programme is a multi-layered approach to addressing poor security behaviour; it involves the delivery of:
– education: imparting in-depth knowledge on a security topic
– training: imparting skills and competencies that employees can deploy to behave in a secure manner
– awareness: producing content to communicate security issues and solutions to change, promote and sustain good security behaviour.
PM2.1.3
Objectives for the SETA programme should be set, which include:
a) ensuring awareness objectives are specific, measurable, achievable, realistic and time-bound (often referred to as SMART objectives)
b) raising awareness of information risk and information security
c) minimising information risk and reducing the frequency and impact of information security incidents
d) embedding expected security behaviour of individuals
e) empowering individuals to make effective risk-based decisions (e.g. having a stop and think attitude when confronted with an unfamiliar or complex business situation, identifying risks and evaluating them before acting).
PM2.1.4
Creation of the SETA programme should be driven by risk, and include:
a) identifying areas of the organisation that have significant human vulnerabilities (e.g. a job role that might be particularly susceptible to social engineering-based attacks)
b) aligning the programme with business requirements
c) identifying groups of individuals segmented by different risk profiles (e.g. based on their seniority, access to critical or sensitive information or the business unit in which they work)
d) assessing the information risks (including trends and patterns) associated with each identified group of individuals
e) consideration of different types of inappropriate behaviour (e.g. malicious, negligent or accidental behaviour).
Inappropriate behaviour of individuals with authorised access to the organisation's information and systems can introduce significant risk. Based on the intention, risky behaviour can be described as:
– malicious behaviour, which involves a combination of motive to cause harm and a conscious decision to act inappropriately (e.g. copying business files before taking employment with a competitor, leaking sensitive information or misusing information for personal gain)
– negligent behaviour, which does not involve a motive to cause harm, but does involve a conscious decision to act inappropriately (e.g. using unauthorised services or devices to save time, increase productivity or enable remote working)
– accidental behaviour, which does not involve a motive to harm or a conscious decision to act inappropriately (e.g. emailing sensitive information to the wrong (unauthorised) recipients, opening malicious email attachments or publishing personal information on publicly available servers).
PM2.1.5
The SETA programme should target expected security behaviour by:
a) promoting the programme to individuals throughout the organisation, including executive management, business representatives, IT specialists and external individuals
b) identifying and empowering role models in the organisation as 'information security champions' (i.e. individuals who exhibit expected security behaviours and lead by example on a regular basis)
c) promoting the use of mentoring schemes to reduce risky behaviour by providing multiple perspectives on a problem or task
d) tailoring the programme to address the risk profile of different groups (e.g. raising awareness of whaling campaigns with senior executives or 419 scams with financial assistants)
e) considering the effect cognitive biases may have on individual decision making (e.g. clicking on a malicious link in a phishing email due to lack of concentration brought on by stress)
f) delivering the programme using different types of intervention for the different groups of individuals
g) paying particular attention to high-risk individuals (e.g. senior executives and individuals with special access privileges) who might be targeted by sophisticated threats, such as hacking groups, nation states or investigative journalists.
Weaknesses in the capacity of the subconscious mind mean that humans make use of cognitive shortcuts to reduce the effort required in decision making, which are known as heuristics. These heuristics can result in cognitive bias (e.g. anchoring, herd behaviour, decision fatigue or affect heuristic), which leads to poor judgement or errors in decision making.
Cognitive bias affects information security as it increases vulnerability to a variety of social engineering attacks, such as spear phishing, whaling, baiting, tailgating, smishing or vishing, and heightens the likelihood of human error.
PM2.1.6
A behavioural baseline should be established, so that minimum required security behaviours can be identified, which includes:
a) collecting evidence of positive security behaviour from relevant sources (e.g. alerts from tools such as DLP, results of phishing campaigns and feedback from awareness initiatives)
b) interacting with employees to ascertain their attitude towards information security (e.g. through focus groups or personal interviews).
Internal factors that influence security behaviour include:
– attitude: the feelings towards a particular topic, including what an individual feels is right or wrong
– motivation: the reason to act in a certain way
– proficiency: the degree of practical awareness, knowledge and skills to manage key risks.
External factors that influence security behaviour include:
– communication: internal branding and marketing for information security, style of messaging and language used
– capabilities: accessibility and usability of security-related tools, technologies, policies and procedures
– leadership: senior leaders' impact, support and example setting.
PM2.1.7
The SETA programme should be designed and delivered by dedicated, specialist learning and development professionals, supported by:
a) information security specialists
b) subject matter experts (e.g. sales and marketing who can design innovative and engaging campaigns)
c) communications and design specialists who can provide ideas for styles and methods for conveying messages
d) human resource specialists who have knowledge of who is influential within various groups
e) psychologists who have experience of how people work and what motivates them.
PM2.1.8
The SETA programme should be designed and delivered by:
a) testing the current employee awareness and understanding to better design and tailor the programme
b) providing targeted information security education/training that reflects the needs of individuals (e.g. using presentations, structured workshops, virtual environments, websites, videos and e-learning)
c) supplying specialised security awareness material on an ongoing basis (e.g. brochures, newsletters, booklets, posters and intranet-based digital content)
d) using key messages, tone and approaches that are relevant and meaningful to each group of individuals
e) providing individuals with tools and techniques to help embed behavioural change, such as online tutorials and self-evaluation material
f) designating individuals in each business unit or department (e.g. one or more business owners, local security coordinators or information security champions) to promote awareness messages and support behavioural change.
PM2.1.9
Expected security behaviour should be encouraged by:
a) defining expected security-related behaviour (e.g. considering risks before acting, consulting others for help, protecting critical and sensitive information, and maintaining a clear desk)
b) incorporating information security into regular day-to-day activities (e.g. by considering security requirements in planning decisions and budgeting activities, and including the consideration of information risk in business decisions, meetings and audits)
c) making security awareness messages personal (e.g. by helping individuals protect their computers at home, highlighting how threats can impact individuals as well as the organisation and emphasising how individuals can make a difference in managing information risk)
d) involving users in protecting important information (e.g. as part of a specific exercise or during meetings, asking them what the risks are to information, why they are considered to be risks and what suggestions they have to reduce the risks)
e) delivering SETA content in an engaging manner (e.g. using gamification, running roadshows or staging an annual security awareness day)
f) reinforcing good security behaviours with acknowledgements (e.g. recognition in internal communications, payment of a commensurate financial reward or positive reflections in annual appraisals).
PM2.1.10
As part of their participation in the SETA programme, individuals should:
a) be updated regularly with information security messages using a broad range of communication methods (e.g. email, collaboration platforms, text messages, e-book readers, media players and intranets)
b) confirm their adherence to the information security policy (and other related policies) on a regular basis (e.g. by selecting a confirmation dialogue box as part of the login process for their computer, when starting business applications or upon accessing the organisation's intranet)
c) be tested on their knowledge of information security throughout the year (e.g. using questionnaires, e-learning tools and interviews).
PM2.1.11
The effectiveness of the SETA programme should be monitored and evaluated by:
a) developing and gathering metrics for each SETA initiative (i.e. percentage of online e-learning modules completed, number of attendees at training workshops or percentage of individuals that comply with security guidelines)
b) analysing the outputs of SETA initiatives and evaluating them against the behavioural baseline to determine their level of influence over security behaviour
c) reviewing the level of information security awareness on a regular basis (e.g. quarterly)
d) assessing the levels of security awareness and changes in employee behaviour (e.g. by performing spot checks, determining the strength of user passwords/passphrases, testing willingness to open unknown attachments and identifying unusual activity)
e) obtaining feedback from users (e.g. what worked well and what needs to be improved)
f) demonstrating return on investment (e.g. using expected reductions in losses due to inappropriate human behaviour and the cost of the SETA programme annually).
PM2.1.12
The SETA programme should be evaluated to identify:
a) the extent to which the objectives of the programme have been met
b) opportunities to improve skills and behaviour of individuals
c) recommendations for improving the security awareness programme.