Educause Security Discussion mailing list archives

Re: Enforcement of Security Training for Faculty/Staff


From: Sherry Callahan <scallahan () KUMC EDU>
Date: Mon, 1 Mar 2010 17:18:41 -0600

We've had mandatory annual awareness training for our faculty and staff
for over 5 years now.  New faculty/staff are required to complete the
online training within 30 days after their start date and then on an
annual basis within a set time frame (January through March) every year.
We disable network and email access for anyone that doesn't meet those
requirements.

HIPAA was a big driver for us, as it requires awareness training, as
was other regulatory requirements and the establishment of a policy at
the state level that requires all individuals with network access to
receive training on an annual basis.  The latter has pushed us to extend
the training requirement to students, which we will be doing for the
first time in July.  The consequence for students who do not complete
the training within the July to September time period will be the same
as for employees - their network/email access will be cut off.  We have
buy-in from all of our Schools on this plan.  Those students who are
also employees will not need to complete the training twice - if they've
taken it in January as part of the employee training cycle, then they
won't need to do it again in July.

At the beginning, there was push back from some of the faculty and
researchers but now it has become routine.  Our Office of Compliance
tracks who has completed the training and sends out email reminders
(monthly in January and February and bi-weekly in March).  We always
have the stragglers that wait until the last minute.  Department chairs
are notified of those folks who have not completed the training at 2
weeks before the March 31st deadline and they are usually dealt with. We
rarely have accounts that get turned off at this point.

I'd be happy to answer any other questions you might have about our
process.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Giannetto
Sent: Sunday, February 28, 2010 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enforcement of Security Training for Faculty/Staff


Folks,
We're currently planning IT Security Training & Awareness at our
college, and are struggling with some of the same challenges I'm sure
most of you have faced.  We're currently debating if we can require IT
Security Training for faculty, and if so, how we enforce it.
I've gone through much of the previous discussion regarding training
and awareness and how to gain faculty acceptance.  In general, it seems
that the majority of institutions can't convince upper management to
buy-in to a mandate (primarily due to culture or contractual
limitations), and thus are left to find creative ways to design and
market their training to encourage participation.
But, much of the earlier conversation doesn't address how institutions
that require IT security training enforce the requirement.  Do you turn
off network accounts if they don't complete training by a certain date?
Do you make a note in their personnel file?  Do you just keep pestering
them until they do it?
Any feedback you may have is greatly appreciated.
Thanks,
Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge
magazine.
