Educause Security Discussion mailing list archives
Re: Mandatory IT Security training
From: Dan Lewis <dlewis () WESTGA EDU>
Date: Tue, 31 Jul 2018 11:07:58 -0400
The University System of Georgia requires IT security training for all employees. At the University of West Georgia, we administer this training as part of our annual compliance training in October. The training was developed by our IT Security Officer along with the Center for Business Excellence. We administer it using our eLearning platform – SkillSoft.

Dan Lewis
Office: 678-839-4781
Fax: 678-839-6340

*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Ronald King
*Sent:* Tuesday, July 31, 2018 11:00 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Mandatory IT Security training

Does your university require IT security training for all employees?
Yes

If so, what topics are covered?
95% General security awareness using content we pay for. 5% MSU specific content like the AUP.

Do you require this training in order to stay compliant with some sort of regulation, or are you doing it because it is best practice?
State requirement and best practice.

Do you require this training annually or just upon hire?
State requires training for new employees, but we plan to make it mandatory annually.

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
*Growing the future ... Leading the world* <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>

On Tue, Jul 24, 2018 at 5:48 PM, Barton, Robert W. <bartonrt () lewisu edu> wrote:

A little off course, but related. Does FERPA *require* training (I’m getting a little static from those who don’t want to do it)? I can’t seem to find where (if) the act specifically requires training. It talks about using best practices, and required for enforcement procedures, but I can’t seem to find “do this…”. If anybody knows where (if) that is, let me know.

*From web site - https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33*

*§99.62 What information must an educational agency or institution or other recipient of Department funds submit to the Office?*

The Office may require an educational agency or institution, other recipient of Department funds under any program administered by the Secretary to which personally identifiable information from education records is non-consensually disclosed, or any third party outside of an educational agency or institution to which personally identifiable information from education records is non-consensually disclosed to submit reports, information on policies and procedures, annual notifications, training materials, or other information necessary to carry out the Office's enforcement responsibilities under the Act or this part.

(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Gomez, Joshua
*Sent:* Tuesday, July 24, 2018 10:49 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Mandatory IT Security training

Hi Brent,

We recently just passed this into policy. To create urgency and buy-in, we related the policy to Gramm-Leach-Bliley Act (GLBA), GDPR, and the Red Flag Rule. As a Financial Aid institution, we have to comply with GLBA.

I would also research state privacy laws specifically where your institution is headquartered and/or where your students are taking courses from (if you are online). I used these resources from SANS that call out training requirements for compliances - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

Our training covers basic cybersecurity (phishing, spear phishing, anatomy of a phishing email), cloud computing (what to store, what not to store, etc.) and Password Policy. There are more specific trainings for PCI data stewards.

I attached an unbranded draft of the policy.

Josh

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Haselhoff, Brent
*Sent:* Tuesday, July 24, 2018 11:09 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Mandatory IT Security training

Hi Everyone,

We are currently evaluating our mandatory IT security training policies and procedures.

Does your university require IT security training for all employees?

If so, what topics are covered?

Do you require this training in order to stay compliant with some sort of regulation, or are you doing it because it is best practice?

Do you require this training annually or just upon hire?

Thanks

Brent

Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012