Educause Security Discussion mailing list archives

Re: Security Awareness Programs


From: Eric Weakland <eric () AMERICAN EDU>
Date: Wed, 2 Apr 2014 15:59:59 -0400

When I'm asked those questions, I usually point out that in most of those cases (banks, the financial industry in general) the amount of $$ that is spent on fraud detection (monitoring, profiling behavior, looking for suspicious patterns) is staggering: a much larger percentage of the organization's overall IT budget. We aren't in a business where, I believe, funding for fraud detection will ever approach that level. Hence I don't agree that it is a fair comparison.

Interested in other folks' thoughts, though.

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology 
American University
eric at american.edu
202.885.2241

________________________________________________________________
Emails from IT asking you to log in via an included link are scams!



From:   Mike Cunningham <mike.cunningham () PCT EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU
Date:   04/02/2014 03:51 PM
Subject:        Re: [SECURITY] Security Awareness Programs
Sent by:        The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>



I have a philosophical question for this group... 

My bank never requires me, their customer, to ever change my password.
My credit union never requires me, their customer, to ever change my password.
My health insurance company never requires me, their customer, to ever change my password.
My investment web site, my credit card bank, my online prescription site, my hotel rewards account, my airline rewards account, my daughter's school district never require me to ever change my password.

Why does Higher Education make students, their customers, change their password?
Would it be better to not require it and teach them why they should instead?

Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, April 02, 2014 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness Programs

JMU policy requires password changes every 90 days.

Our password change process includes having to click through captive web
pages containing security awareness content.

We do not track progress. People may click through without reading it. We
know based on feedback that some do. OTOH we know based on feedback that
some don't.

It is all custom code and content. Content is based on role and whether it
is the first time through.

new applicants (one page on phishing and AUP)
new/returning student
new/returning employee/affiliate
graduate (one page on phishing and AUP)

Content for new folks is relatively constant. It hasn't changed much over
the years.

Content for returning folks changes about once a semester. 

We've been doing this for around ten years.

People are sent an email message after the password change indicating the change and providing a link to give feedback on the security awareness content. Feedback has been mixed. Sometimes, uh, colorful, and often associated with the requirement to change passwords. Sometimes quite positive and/or constructive.

Gary Flynn
Security Engineer
James Madison University
Don't Be A PHISH!
IsItReal?
http://www.jmu.edu/computing/ittraining/SIGUCCS/story.html




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Lundstedt
Sent: Wednesday, April 02, 2014 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Awareness Programs

Hi All,

Curious about what others are doing to 'get the word out' on their campuses. What approaches seem to work best, from both an initial push on a new subject or a new program, to keeping things up to date with acknowledgements, visibility, &c?

From a product point of view, we've explored the SANS Securing the Human series among a few others, but the lack of customization and integration into HR training modules is steering us away. Experiences there?



Peter Lundstedt

SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES