Educause Security Discussion mailing list archives

Re: Mandatory IT Security training


From: "Gomez, Joshua" <J.Gomez () SNHU EDU>
Date: Tue, 24 Jul 2018 15:49:19 +0000

Hi Brent,

We recently just passed this into policy. To create urgency and buy-in, we related the policy to the Gramm-Leach-Bliley Act 
(GLBA), GDPR, and the Red Flag Rule. As a Financial Aid institution, we have to comply with GLBA. I would also 
research state privacy laws, specifically where your institution is headquartered and/or where your students are taking 
courses from (if you are online).

I used these resources from SANS that call out training requirements for compliance - 
https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

Our training covers basic cybersecurity (phishing, spear phishing, anatomy of a phishing email), cloud computing (what 
to store, what not to store, etc.) and Password Policy. There are more specific trainings for PCI data stewards.

I attached an unbranded draft of the policy.

Josh


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Haselhoff, Brent
Sent: Tuesday, July 24, 2018 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory IT Security training

Hi Everyone,

We are currently evaluating our mandatory IT security training policies and procedures.  Does your university require 
IT security training for all employees?  If so, what topics are covered?  Do you require this training in order to stay 
compliant with some sort of regulation, or are you doing it because it is best practice? Do you require this training 
annually or just upon hire?
Thanks
Brent


Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012




Attachment: unbranded_ISAT_POLICY.doc
Description: unbranded_ISAT_POLICY.doc

