Educause Security Discussion mailing list archives
Re: Awareness training and sanctions
From: Chris Kidd <chris.kidd () UTAH EDU>
Date: Tue, 28 Jun 2011 12:48:46 -0600
We have implemented and rolled out mandatory training for about half of campus. Department Chairs, Deans, etc. are responsible for ensuring compliance, but we have published a "tiered sanctions matrix" which outlines potential consequences for non-compliance.

Chris

Chris Kidd
Chief Information Security and Privacy Officer
University of Utah Health Care
University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Banks, Teresa E - (tbanks)
Sent: Tuesday, June 28, 2011 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Awareness training and sanctions

The University of Arizona has mandatory all-employee training. We expect department heads to enforce the requirement. While we have not put forward any "sticks" in this regard, we are currently at almost 100% compliance after one year and are getting ready to launch our refresher.

We have gotten to this point through a tremendous amount of communication over the past year, monthly interaction with all campus units, and by providing materials that users have found help them out not only at work, but also in their home security. You can access our materials at http://security.arizona.edu/infosecessentials.

I hope this helps.

Teresa

Teresa E. Banks
Senior Program Coordinator
University Information Security Office
University of Arizona
1077 North Highland Avenue
P. O. Box 210073
Tucson, AZ 85721-0073
tbanks () email arizona edu
http://security.arizona.edu
Phone: (520) 621-UISO (8476)

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Seitz
Sent: Tuesday, June 28, 2011 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Awareness training and sanctions

I am researching how other institutes of higher learning approach security awareness training and what sanctions for bad behavior are available, like giving up credentials to phishers more than once. We've put together some online training and I'm trying to convince the powers that be to make it mandatory with sanctions for bad online behavior after having acknowledged that they received and understood the training. The trouble is figuring out what other institutions, especially public ones, do for training and sanctions.

So how do y'all handle it?

Thanks,
Charlie

________________________________
Charles A. Seitz
Senior Security Analyst
University of Tennessee
Information Security Office
Martin Campus
cseitz () tennessee edu
(731) 881-7966
Mobile (615) 948-3641