Educause Security Discussion mailing list archives
Re: Faculty and Staff IT Security Awareness
From: Martin Manjak <mm376 () ALBANY EDU>
Date: Wed, 12 Mar 2008 14:24:13 -0400
Theresa, At the department and business unit level, we try to tie information security practices into the range of standard internal controls that assure that institutional resources are used appropriately: are staff using screen savers that require re-authentication, are they removing sensitive information from their desks when they go home at night, are personnel files placed in locked file cabinets? If you can get people to understand the concepts of confidentiality, integrity, and availability in the tangible world, in their particular environment, it's much easier to make the link to the cyber realm. We also do what most other institutions do to raise awareness, i.e., brochures, posters, mass emails. This week, we inaugurated a special program for supervisors of areas that are considered high risk (financial, student, and staff records). But this program focuses on developing the ability to do effective risk assessment, rather than instructing people with a list of dos and don'ts. The idea is to create the impetus for appropriate controls from within the departments. It's my role to assist them with evaluating and applying those controls. And, if we discover that a critical mass of units require similar controls, we have some leverage in advocating for those at the institutional level. Theresa Rowe wrote:
We may have a little funding to make kind of awareness program happen. I'm not inclinded to do this without a formal initiative, set of objectives, and program, as our informal efforts typically have not yielded the attendance and results we desire. Tying it into internal controls and risk management might work. Has anyone actually developed a program? Did you hire someone to help you put the program together? To create the materials? What kind of budget did you have? Theresa
-- Martin Manjak Information Security Officer University at Albany CISSP, GIAC GSEC-G, GCIH, GCWN
Current thread:
- Faculty and Staff IT Security Awareness Nicolas Pachis (Mar 03)
- <Possible follow-ups>
- Re: Faculty and Staff IT Security Awareness John Kristoff (Mar 03)
- Re: Faculty and Staff IT Security Awareness Allison Dolan (Mar 04)
- Re: Faculty and Staff IT Security Awareness Marty Manjak (Mar 04)
- Re: Faculty and Staff IT Security Awareness Theresa Rowe (Mar 10)
- Re: Faculty and Staff IT Security Awareness Martin Manjak (Mar 12)
- Re: Faculty and Staff IT Security Awareness Randy Marchany (Mar 12)