Educause Security Discussion mailing list archives

Re: Security Awareness Training Tool(s)


From: Meryl Bursic <mb118 () CORNELL EDU>
Date: Tue, 10 Oct 2017 14:42:16 +0000

Cornell is continuing to expand awareness efforts across campus. Here’s what we’re up to:


  *   Which training program are you using?
     *   After a lengthy RFP process, we have partnered with PhishLine
     *   PhishLine offers the following features:
        *   Phishing simulations
        *   Short, general phishing and security awareness CBTs
        *   Ability to create customized CBTs on demand, for an extra fee (we’ve created our own Cornell-related CBTs this way)
        *   Compliance CBTs (PCI, HIPAA)
        *   Voice phishing
        *   Text Message phishing
        *   USB/CD/DVD baiting
        *   “Report Phish” button -- Outlook and OWA add-in, cross-platform support
        *   Dedicated account rep with backup who’s available 24/7/365
  *   Are there additional modules available such as PCI training? HIPAA? FERPA? Etc.
     *   None for FERPA as of yet, but they do have PCI and HIPAA
  *   Is it/can it be integrated with a Learning Management System?
     *   Yes, all modules are SCORM and 508 compliant, available for export into an LMS or hosted within the PhishLine platform itself
  *   Do you think it provides great value to the userbase you support?
     *   Currently, we’re halfway through a year-long pilot program involving 8 of our units on campus, where all staff are in scope and some faculty are for select units
     *   So far, we’ve received good feedback, and there is a lot of excitement on campus relating to the variety of features available in the tool
  *   Are you considering switching to something else? Why?
     *   PhishLine is great; we’re currently quite happy with them and are excited to see how well the solution scales across campus.
  *   Anything else you’d like to share (e.g. Do you have regular events promoting awareness? Phishing campaigns? Etc.)
     *   NCSAM activities:
        *   We held our first “Smart Campus” summit last week, inviting folks from the private sector and a few other EDUs close by – content related to how facilities and campuses are considering or already implementing IoT devices in their environment and their security implications.
        *   Weekly phishing simulations for a few units on campus
        *   Tabling events in key locations on campus – for students, get a free Cornell-branded webcam if they sign up for Duo/2FA as well as LastPass
        *   Weekly security tips in the campus newsletter that goes out to the entire community
        *   Social Media posts in line with central NCSAM content, as well as some of our own homegrown content and comics
        *   Ads placed on local busses that serve our local community advertising NCSAM
     *   We have other things we do outside of the PhishLine platform and NCSAM
        *   We offer free classes and workshops to anyone on campus relating to various security topics, some of which have included:
           *   Deep Dive into Phishing Awareness
           *   How to enroll in multifactor authentication
           *   LastPass how-to workshop (upcoming)
        *   We provide on-demand, in-person security training specific to department or unit needs
        *   There are special interest groups on campus that either we host or attend on a monthly basis
        *   We also attend all major campus events, like Orientation, and table with handouts and other freebies
        *   From time to time we’ve hosted SANS training on campus and opened it to the community and other local EDUs


Great time of year to be discussing!



Best regards,
Meryl


--
Meryl Bursic
Senior Security Engineer
Cornell University IT Security Office
120 Maple Avenue, Suite 160



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Martinez, Brian" <brm () MSU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, October 9, 2017 at 7:49 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Security Awareness Training Tool(s)

Good morning all,

With it being National Cyber Security Awareness Month, this inquiry I’ve been sitting on seems particularly relevant:

We presently have some training tools for general security awareness, PCI training, and HIPAA training in our primary 
LMS and have been contemplating moving to a different platform (the tools, not the LMS). I’m curious to know what 
platforms/tools other institutions are using and whether or not they think it provides great value.

Specifically, I guess I’d like to know:


  *   Which training program are you using?
  *   Are there additional modules available such as PCI training? HIPAA? FERPA? Etc.
  *   Is it/can it be integrated with a Learning Management System?
  *   Do you think it provides great value to the userbase you support?
  *   Are you considering switching to something else? Why?
  *   Anything else you’d like to share (e.g. Do you have regular events promoting awareness? Phishing campaigns? Etc.)

Please feel free to contact me off list.

Thank you!

Brian R. Martinez
Information Security
Michigan State University
Office: +1-517-884-8791
brm () msu edu

