Information Security Awareness Month Activities Peggy Ward Chief Information Security Officer & Internal Audit Officer www.vita.virginia.gov
Commonwealth Information Security Awareness Activities • Governor Timothy Kaine issued a proclamation designating October as Information Security Awareness Month. – To encourage citizens to learn about information security and to put the knowledge into practice.
Commonwealth Information Security Awareness Activities • Framed & displayed the proclamation in a prominent location in the office & at Information Security Officer Advisory Group (ISOAG) meetings in September & October. • Provided copies of the proclamation with the seal to agencies & localities.
Commonwealth Information Security Awareness Activities • Presentations – Oct. 17: Commonwealth Security Information Resource Center presentation at the Cyber Security 2008 Conference, hosted jointly by Virginia Commonwealth University & the Federal Bureau of Investigation's InfraGard chapter – Oct. 21: Commonwealth Information Security Initiatives presentation at the Hampton Roads Cyber Security Awareness Conference
Commonwealth Information Security Awareness Activities • Presentations – Oct. 22: Commonwealth Information Security Collaboration presentation at the Association of Government Accountants Technology & Fraud Conference – Oct. 24: Chief Information Officer & Chief Information Security Officer remarks at the Chesterfield County Cyber Security Awareness Event
Commonwealth Information Security Awareness Activities • Internet Activities – The state portal, www.virginia.gov, has displayed a prominent graphic banner promoting Information Security in the "focal point" area, which links to the online guide on the VITA site – Online e-government services on the portal now include the citizens' awareness banner provided by Commonwealth Security
Commonwealth Information Security Awareness Activities • Internet Activities – New content has been added to the Information Security Awareness Toolkit, thanks to COV agencies & MS-ISAC. – The printing of materials from the toolkit was coordinated through DMV to leverage resources
Commonwealth Information Security Awareness Activities • Security Awareness Video – Produced by VITA Commonwealth Security & VITA Communications – Available in early November in the Knowledge Center, the Information Security Resource Center & YouTube – Available in late November on DVD
VITA Information Security Awareness Activities • VITA Information Security Awareness activities are implemented to promote simple changes in behavior that strengthen the security of Commonwealth information. – Hosted lunch time presentations – Conducted raffle giveaways for presentation attendees • Giveaway items were provided by vendors from conferences. – Provided VITA-branded resource materials from MS-ISAC • Brochures, Booklets, Bookmarks, Calendars, Posters – Conducted a fill-in-the-blank puzzle contest
Lunch Time Presentations • Event 1 - Oct. 1 – “Defending the Castle - How to Secure Your Home Network” Bob Baskette, Commonwealth Security Incident Engineer, Virginia Information Technologies Agency • Event 2 - Oct. 22 – “Protecting Your Money, Our Role and Yours” Chris Saneda, Senior Vice President/Chief Information Officer, Virginia Credit Union – “The Tale of Three Hackers” Victor “Jake” Olesen, Special Agent, Federal Bureau of Investigation
Questions/Discussion
Information Security Awareness Month at DMV Douglas G. Mack DMV IT Security Director (ISO) Douglas.Mack@dmv.virginia.gov (804) 367-2221 CIO-CAO Meeting October 28, 2008
“Information security is a people, rather than a technical, issue.” – Mark B. Desman, The Ten Commandments of Information Security Awareness Training
Three Groups to Address • Everyone – DMV classified, wage, contractors • Executive Staff • Information Technology Services (ITS) Staff
• MSISAC provided 4 security awareness poster designs. • DMV’s Senior Graphic Designer branded the posters and added Mark Desman’s quote to each design. • DMV Printing Services printed the posters.
• One of each design of the poster was sent to DMV’s Customer Service Centers and Weigh Stations at the end of September. • One of each design of the poster was displayed on each floor of DMV Headquarters.
• Throughout the year, once or twice a month the ISO writes and publishes an IT Security Note. – Single Topic – Brief – Diagrams, Screen Prints, Pictures
• DMV has a Cyber Security Awareness Week each October. • DMV’s intensive security awareness activities for October focus on the Cyber Security Awareness Week. • A new IT Security Note was published each day of Cyber Security Awareness Week.
• Topics of the Notes for the Week: – (Monday) Cyber Security Puzzle – (Tuesday) Acceptable Use – (Wednesday) A Bit of Computer Humor – (Thursday) Protecting Sensitive Data – (Friday) Recognizing and Avoiding Email Scams at Home
• MSISAC’s Information Security Executive Brief was sent to each member of the Executive Staff on the first day of the week.
• “It’s important to note that information security is not a technology issue, but rather a management issue requiring leadership, expertise, accountability, due diligence and risk management. Information security needs to be addressed in a coordinated, enterprise approach, and factored into program decisions.”
• DMV wanted to provide more IT-focused awareness training for Information Technology Services (ITS) staff. • A PowerPoint presentation was developed that covered some of the significant changes in SEC 501-01, specifically: – Data Protection – Application Security
• The Presentation was sent out on October 2 to all ITS staff. • ITS staff have been given until November 14 to review the presentation and return the completion certificate to the ISO. • As of October 22, 44 out of 176 staff members have completed the review.
Final Note
Information Security Awareness: First Line of Defense Against Social Engineering CIO-CAO Meeting October 28, 2008 Rosario Igharas, Information Security Officer
VCSP: Who we are • An independent state agency • Operate Virginia’s Section 529 Programs which provide funds for higher education • Largest 529 plan in the country • Over 1.8 million account owners • About $25 billion in assets under management • Recognized by Morningstar, Inc. (April 2008), which ranked 2 of VCSP’s programs among the BEST Five college savings plans in the country
Current Savings Programs
Information In Our Custody • Customer Information – Name, address, birthday – Social Security Number – Account Numbers – Student ID • Employee Information • Agency Information • Partner Information
Investment Managers • Capital Guardian Trust • Century Capital Management • Chase Investment Counsel • Donald Smith & Co., Inc. • Dreyfus • Franklin Templeton • Invesco • LSV Investment Management • NWQ Investment Management Company • Piedmont Investment Advisors, LLC • Pier Capital • Rothschild Asset Management • Sands Capital • Tattersall Advisory (Wachovia) • Thompson, Siegel & Walmsley, Inc. • Utendahl Capital Management, LP • Vanguard • Virginia Dept. of Treasury • Western Asset (Legg Mason) • Westfield Capital Management
Information Security is Important to Us • We respect our customers’ right to privacy and recognize their trust in us to keep information about them secure and confidential. • Comply with laws and regulations • Avoid Embarrassment
Technology Investment
People: KEY to Security “The security infrastructure is only as good as its weakest link.” Info~Tech Research Group
Train the Organization • Technical training • End user awareness training should not fall behind • Awareness training has to be ongoing
Thank You, VITA Security Services!
Thank You, DMV!
Bringing it Close to Home Scary Halloween Stories • Real-life scary security stories • Highlight local incidents http://www.networkworld.com/podcasts/panorama/2007/102507pan-scary-security.html
Final Thoughts • Information Security Awareness month is just the beginning • Investment in IT Security Technology is not enough • Train the organization • Develop a culture of security • Tone at the top
Questions? Virginia College Savings Plan Toll free 1-888-567-0540 www.Virginia529.com