Educause Security Discussion mailing list archives
Re: Security Awareness specifically for Higher Ed?
From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Fri, 23 Aug 2019 18:58:48 +0000
Hi Cathy.

For those who don't know me, I've been an IT Auditor at the same public institution for 25 years. Before that I worked at a banking entity. The main differences I've seen that might impact training are:

* A sense of urgency. At the bank you knew you were protecting $ for customers. In higher Ed (at least my institution) it's not as clear what and who you are protecting and what the consequences are.
* Open - there was an interesting security thread recently on Higher Ed allowing porn sites. Higher Ed is usually much more open. Both faculty and staff probably have access to lots of iffy and scary sites. Private corporations can lock down a lot more. So there needs to be more training on the risks of going to those sites.
* Research dollars - I've run into many researchers that do whatever they want to do. Some have been very concerned with security, others not so much. And of course they want full administrative privileges on their systems. Frequently they are able to hire their own IT staff. Making sure they are well versed in security should be a focus.
* Compliance - In general a lot of the compliance security issues are solved by having non-specific good security, but corporations don't have FERPA and Financial Aid GLBA.

I'm sure there are others I'm either forgetting or have missed.

Carolann Lazarus
716-829-6947
lazarus () buffalo edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, August 23, 2019 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness specifically for Higher Ed?

Cathy,

I just became part of higher ed this year when I joined Stevenson. Before that I spent more than 15 years in private industry doing infosec, including leading a security awareness program for an international company with 20K employees. Now I'm preparing Stevenson's cybersecurity awareness program for October.
I think the messages/content/priorities for higher ed are similar, perhaps nearly identical, to those for other orgs/industries. The threats are typically the same. For me, the key to a successful awareness campaign is creating engaging content that clearly communicates simple behaviors we want our users to do. Posters, videos, branding, social media, events, gamification, etc. are great tools. There might be some small differences in content and use of those tools between a university audience and a corporate audience, but nothing significant. At least that's my experience so far. Happy to discuss further.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ullman, Catherine
Sent: Thursday, August 22, 2019 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Security Awareness specifically for Higher Ed?

Good morning!

I've been in some interesting conversations with some companies that create security awareness online training and those conversations ultimately lead to this question: What would security awareness training specifically designed for higher ed look like? What would be different about it from what is created for corporate environments?

I'd really like to gather a list of thoughts from this community to bring back to these folks at some point. Feel free to reply off-list if you'd prefer.

Thanks,
Cathy

Dr. Catherine J Ullman
Senior Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list.
If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Security Awareness specifically for Higher Ed? Ullman, Catherine (Aug 22)
- Re: Security Awareness specifically for Higher Ed? Jim A. Bole (Aug 23)
- Re: Security Awareness specifically for Higher Ed? Lazarus, Carolann (Aug 23)
- Re: Security Awareness specifically for Higher Ed? Jim A. Bole (Aug 23)