Educause Security Discussion mailing list archives
Re: SECURITY Digest - 21 Aug 2018 to 22 Aug 2018 - Special issue (#2018-156)
From: Marie Carianna <marie.carianna () TOURO EDU>
Date: Wed, 22 Aug 2018 17:38:28 +0000
Touro College and University System uses and likes SANS. Retraining is required every 2 years. Sincerely, Marie Marie Carianna, PMP, CSM Director | Project Management Office for Technology | marie.carianna () touro edu Touro College & University System | 500 7th Avenue, room 510 NY, NY 10018 O/C: 646-565-6340 (direct) | 646-565-6000 ext. 55340 | F: 646-745-8701 IM: touroonenonstop.slack.com Zoom: https://zoom.us/my/mariecarianna -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SECURITY automatic digest system Sent: Wednesday, August 22, 2018 1:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: SECURITY Digest - 21 Aug 2018 to 22 Aug 2018 - Special issue (#2018-156) CAUTION: This email originated from an outside organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. There are 9 messages totalling 11811 lines in this issue. Topics in this special issue: 1. Information Security Training (9) ---------------------------------------------------------------------- Date: Wed, 22 Aug 2018 15:53:13 +0000 From: "Telfer, Will" <Will_Telfer () BAYLOR EDU> Subject: Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. 
Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware ------------------------------ Date: Wed, 22 Aug 2018 15:59:06 +0000 From: "Gomez, Joshua" <J.Gomez () SNHU EDU> Subject: Re: Information Security Training We paired up with our HR Learning and Development Department and acquired free resources from Cofense (PhishMe). Josh Joshua Gomez | Consultant, Information Security Information Technology Solutions Physical Address: 1230 Elm Street, Manchester, NH 03101 Mailing Address: 2500 North River Road, Manchester, NH 03106 Office Phone: 603-626-9100 x7777 | From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> Please consider the environment before printing this e-mail. 
------------------------------ Date: Wed, 22 Aug 2018 15:59:22 +0000 From: Michael Muto <mutom () DUQ EDU> Subject: Re: Information Security Training Hello Will, We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users. Feel free to contact me if you want to dig deeper into the SANS option. Thanks, Michael Muto Senior Information Security Engineer Duquesne University | Computing and Technology Services 600 Forbes Avenue, Pittsburgh, PA 15282 Phone: 412-396-4621 Email: mutom () duq edu<mailto:mutom () duq edu> GSEC, MCSE, MCSA, MCTS, MCP, CCNA Help Desk: 412-396-4357 CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. 
Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> ------------------------------ Date: Wed, 22 Aug 2018 16:15:49 +0000 From: "Barton, Robert W." <bartonrt () LEWISU EDU> Subject: Re: Information Security Training A side note...quick reference that I assembled from a few sources.... Although I could not find a specific requirement for FERPA, it is mandatory for accreditation (this may affect what you are doing). If somebody does know where that could be in the FERPA reg, please let me know (I could have missed it). Security Awareness Compliance Requirement Standard/Regulation Location/Item Affecting Penalty General Data Protection Regulation (GDPR, European Union) regulation Function of Data Protection Officer EU citizens and privacy yes Gramm-Leach Bliley Act (GLBA) regulation Safeguard Rule Financial Aid yes Health Insurance Portability and Accountability Act (HIPAA) regulation 164.308.(a).(5) Clinics yes International Organization for Standardization (ISO) 27000 Framework standard 8.2.2 Whole university no National Institute of Standards and Technology 800-171 Framework standard PR.AT-1 Whole university no Payment Card Industry Data Security Standard standard 12.6 Those areas that process credit cards yes One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf Robert W. 
Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael Muto Sent: Wednesday, August 22, 2018 10:59 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information Security Training Hello Will, We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users. Feel free to contact me if you want to dig deeper into the SANS option. Thanks, Michael Muto Senior Information Security Engineer Duquesne University | Computing and Technology Services 600 Forbes Avenue, Pittsburgh, PA 15282 Phone: 412-396-4621 Email: mutom () duq edu<mailto:mutom () duq edu> GSEC, MCSE, MCSA, MCTS, MCP, CCNA Help Desk: 412-396-4357 CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. 
If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. ------------------------------ Date: Wed, 22 Aug 2018 16:15:24 +0000 From: Ed Jalinske <ed.jalinske () WISC EDU> Subject: Re: Information Security Training Will, Feel free to reach out to me directly with your specific security awareness program requirements and I would happy to provide you with some ideas and input. I have developed a robust security education and awareness program over the past 3-4 years at UW-Madison and there is simply too much for me capture in an email response here. Regards, Ed Jalinske University of Wisconsin-Madison Office of Cybersecurity Cybersecurity Education Lead Cybersecurity Project Manager 608.262.3837 (Office) 917.945.0748 (Cell) <mailto:ed.jalinske () wisc edu> ed.jalinske () wisc edu From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 10:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here.but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. 
Information Security Analyst Information Technology Services Twitter: @BearAware Facebook: www.facebook.com/BearAware <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> ------------------------------ Date: Wed, 22 Aug 2018 17:12:13 +0000 From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU> Subject: Re: Information Security Training For clarification, GDPR applies to all EU residents - that is it doesn't apply to EU citizens outside of the EU and does apply to non-EU citizens within the EU. Regards, Blake Penn Information Security Policy and Compliance Manager Cyber Security Georgia Institute of Technology (404) 385-5480 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W. Sent: Wednesday, 22 August, 2018 12:16 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information Security Training A side note...quick reference that I assembled from a few sources.... Although I could not find a specific requirement for FERPA, it is mandatory for accreditation (this may affect what you are doing). If somebody does know where that could be in the FERPA reg, please let me know (I could have missed it). 
Security Awareness Compliance Requirement Standard/Regulation Location/Item Affecting Penalty General Data Protection Regulation (GDPR, European Union) regulation Function of Data Protection Officer EU citizens and privacy yes Gramm-Leach Bliley Act (GLBA) regulation Safeguard Rule Financial Aid yes Health Insurance Portability and Accountability Act (HIPAA) regulation 164.308.(a).(5) Clinics yes International Organization for Standardization (ISO) 27000 Framework standard 8.2.2 Whole university no National Institute of Standards and Technology 800-171 Framework standard PR.AT-1 Whole university no Payment Card Industry Data Security Standard standard 12.6 Those areas that process credit cards yes One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf Robert W. Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Michael Muto Sent: Wednesday, August 22, 2018 10:59 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training Hello Will, We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users. Feel free to contact me if you want to dig deeper into the SANS option. Thanks, Michael Muto Senior Information Security Engineer Duquesne University | Computing and Technology Services 600 Forbes Avenue, Pittsburgh, PA 15282 Phone: 412-396-4621 Email: mutom () duq edu<mailto:mutom () duq edu> GSEC, MCSE, MCSA, MCTS, MCP, CCNA Help Desk: 412-396-4357 CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. 
It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. 
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. ------------------------------ Date: Wed, 22 Aug 2018 17:27:30 +0000 From: "Barton, Robert W." <bartonrt () LEWISU EDU> Subject: Re: Information Security Training I went with what our legal said, and that was a few months ago. It could have been further clarified. They specifically said EU citizens. They also mentioned that the wording was loose enough to include people without EU citizenship, but residing in the EU. On that point, they were waiting on more guidance. Robert W. Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Penn, Blake C Sent: Wednesday, August 22, 2018 12:12 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information Security Training For clarification, GDPR applies to all EU residents - that is it doesn't apply to EU citizens outside of the EU and does apply to non-EU citizens within the EU. Regards, Blake Penn Information Security Policy and Compliance Manager Cyber Security Georgia Institute of Technology (404) 385-5480 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Barton, Robert W. Sent: Wednesday, 22 August, 2018 12:16 To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training A side note...quick reference that I assembled from a few sources.... 
Although I could not find a specific requirement for FERPA, it is mandatory for accreditation (this may affect what you are doing). If somebody does know where that could be in the FERPA reg, please let me know (I could have missed it). Security Awareness Compliance Requirement Standard/Regulation Location/Item Affecting Penalty General Data Protection Regulation (GDPR, European Union) regulation Function of Data Protection Officer EU citizens and privacy yes Gramm-Leach Bliley Act (GLBA) regulation Safeguard Rule Financial Aid yes Health Insurance Portability and Accountability Act (HIPAA) regulation 164.308.(a).(5) Clinics yes International Organization for Standardization (ISO) 27000 Framework standard 8.2.2 Whole university no National Institute of Standards and Technology 800-171 Framework standard PR.AT-1 Whole university no Payment Card Industry Data Security Standard standard 12.6 Those areas that process credit cards yes One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf Robert W. Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Michael Muto Sent: Wednesday, August 22, 2018 10:59 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training Hello Will, We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users. Feel free to contact me if you want to dig deeper into the SANS option. 
Thanks, Michael Muto Senior Information Security Engineer Duquesne University | Computing and Technology Services 600 Forbes Avenue, Pittsburgh, PA 15282 Phone: 412-396-4621 Email: mutom () duq edu<mailto:mutom () duq edu> GSEC, MCSE, MCSA, MCTS, MCP, CCNA Help Desk: 412-396-4357 CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. 
Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. 
------------------------------ Date: Wed, 22 Aug 2018 17:32:12 +0000 From: Robert Smith <Robert.Smith () UCOP EDU> Subject: Re: Information Security Training Hi, I would encourage all to look more closely at the regulation and push back on counsel. The regulation applies to "natural persons" in the EEA. Residency or citizenship do not have a bearing on which data subjects enjoy the protections of GDPR. A natural person (breathing human) + feet on the ground in the EEA = in scope for GDPR Hope this helps or adds to the excitement. Have an awesome day, Robert Smith, CISSP, PMP University of California Office of the President (510) 587-6244 (o) (510) 541-8103 (m) robert.smith () ucop edu<mailto:robert.smith () ucop edu> From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W. Sent: Wednesday, August 22, 2018 10:28 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information Security Training I went with what our legal said, and that was a few months ago. It could have been further clarified. They specifically said EU citizens. They also mentioned that the wording was loose enough to include people without EU citizenship, but residing in the EU. On that point, they were waiting on more guidance. Robert W. Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Penn, Blake C Sent: Wednesday, August 22, 2018 12:12 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training For clarification, GDPR applies to all EU residents - that is it doesn't apply to EU citizens outside of the EU and does apply to non-EU citizens within the EU. 
Regards, Blake Penn Information Security Policy and Compliance Manager Cyber Security Georgia Institute of Technology (404) 385-5480 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Barton, Robert W. Sent: Wednesday, 22 August, 2018 12:16 To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training A side note...quick reference that I assembled from a few sources.... Although I could not find a specific requirement for FERPA, it is mandatory for accreditation (this may affect what you are doing). If somebody does know where that could be in the FERPA reg, please let me know (I could have missed it). Security Awareness Compliance Requirement Standard/Regulation Location/Item Affecting Penalty General Data Protection Regulation (GDPR, European Union) regulation Function of Data Protection Officer EU citizens and privacy yes Gramm-Leach Bliley Act (GLBA) regulation Safeguard Rule Financial Aid yes Health Insurance Portability and Accountability Act (HIPAA) regulation 164.308.(a).(5) Clinics yes International Organization for Standardization (ISO) 27000 Framework standard 8.2.2 Whole university no National Institute of Standards and Technology 800-171 Framework standard PR.AT-1 Whole university no Payment Card Industry Data Security Standard standard 12.6 Those areas that process credit cards yes One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf Robert W. 
Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Michael Muto Sent: Wednesday, August 22, 2018 10:59 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Information Security Training Hello Will, We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users. Feel free to contact me if you want to dig deeper into the SANS option. Thanks, Michael Muto Senior Information Security Engineer Duquesne University | Computing and Technology Services 600 Forbes Avenue, Pittsburgh, PA 15282 Phone: 412-396-4621 Email: mutom () duq edu<mailto:mutom () duq edu> GSEC, MCSE, MCSA, MCTS, MCP, CCNA Help Desk: 412-396-4357 CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. 
If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Telfer, Will Sent: Wednesday, August 22, 2018 11:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Information Security Training We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems) which I know was a topic discussed recently on here...but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any options are good options at this point. Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: www.facebook.com/BearAware<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwIFaQ&c=odzYs1kPF7h99M0Vn1uLzg&r=jKMTIfZiBnBYrk_cRkqhrq0vZwXKksqj0lGxPgjosOo&m=fUSDOqQ9ftDt303JS9bhr6aEoXcEzhk2SC6jgD8hz4o&s=BCXj-sffHo5JV6ED-N_YW5XDaAH2wLsVAdM76XETDYQ&e=> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. ------------------------------ Date: Wed, 22 Aug 2018 17:36:55 +0000 From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU> Subject: Re: Information Security Training That's our understanding as well. When we say resident, we mean someone who is literally in the EU at that time regardless of their citizen/legal authorization status. Regards, Blake Penn Information Security Policy and Compliance Manager Cyber Security Georgia Institute of Technology (404) 385-5480 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith Sent: Wednesday, 22 August, 2018 13:32 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Information Security Training Hi, I would encourage all to look more closely at the regulation and push back on counsel. The regulation applies to "natural persons" in the EEA. Residency or citizenship do not have a bearing on which data subjects enjoy the protections of GDPR. 
A natural person (breathing human) + feet on the ground in the EEA = in scope for GDPR

Hope this helps or adds to the excitement.

Have an awesome day,
Robert Smith, CISSP, PMP
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith () ucop edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Wednesday, August 22, 2018 10:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Training

I went with what our legal said, and that was a few months ago. It could have been further clarified. They specifically said EU citizens. They also mentioned that the wording was loose enough to include people without EU citizenship, but residing in the EU. On that point, they were waiting on more guidance.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Penn, Blake C
Sent: Wednesday, August 22, 2018 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Training

For clarification, GDPR applies to all EU residents - that is, it doesn't apply to EU citizens outside of the EU and does apply to non-EU citizens within the EU.

Regards,
Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Wednesday, 22 August, 2018 12:16
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Training

A side note... quick reference that I assembled from a few sources....

Although I could not find a specific requirement for FERPA, it is mandatory for accreditation (this may affect what you are doing). If somebody does know where that could be in the FERPA reg, please let me know (I could have missed it).

Security Awareness Compliance Requirement                            | Standard/Regulation | Location/Item                        | Affecting                              | Penalty
---------------------------------------------------------------------|---------------------|--------------------------------------|----------------------------------------|--------
General Data Protection Regulation (GDPR, European Union)            | regulation          | Function of Data Protection Officer  | EU citizens and privacy                | yes
Gramm-Leach-Bliley Act (GLBA)                                        | regulation          | Safeguard Rule                       | Financial Aid                          | yes
Health Insurance Portability and Accountability Act (HIPAA)          | regulation          | 164.308(a)(5)                        | Clinics                                | yes
International Organization for Standardization (ISO) 27000 Framework | standard            | 8.2.2                                | Whole university                       | no
National Institute of Standards and Technology 800-171 Framework     | standard            | PR.AT-1                              | Whole university                       | no
Payment Card Industry Data Security Standard                         | standard            | 12.6                                 | Those areas that process credit cards  | yes

One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael Muto
Sent: Wednesday, August 22, 2018 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Training

Hello Will,

We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness. The platform allows you to choose different modules to assign out to your users.
Feel free to contact me if you want to dig deeper into the SANS option.

Thanks,
Michael Muto
Senior Information Security Engineer
Duquesne University | Computing and Technology Services
600 Forbes Avenue, Pittsburgh, PA 15282
Phone: 412-396-4621
Email: mutom () duq edu
GSEC, MCSE, MCSA, MCTS, MCP, CCNA
Help Desk: 412-396-4357

CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will
Sent: Wednesday, August 22, 2018 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Information Security Training

We are considering requiring some form of information security training for all of our faculty & staff (currently the only required training in this area is for users that touch PCI related systems), which I know was a topic discussed recently on here... but I was hoping to get some more information on what resources you all used for the training - SANS, internally created, other options, etc. We are willing to consider long form or short form trainings, so any options are good options at this point.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware

------------------------------

End of SECURITY Digest - 21 Aug 2018 to 22 Aug 2018 - Special issue (#2018-156)