Educause Security Discussion mailing list archives
Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Thu, 19 Oct 2006 17:44:48 -0600
The source of this problem (the distributed security dilemma) has a lot to do with our election of ERP systems and adoption of highly accessible Web based resources. By empowering the end user to do increasingly powerful things, and by putting more and more responsibility to manage "enterprise administrative" data back to levels closer to the end user, we've really created a monster. Empowerment is a neat sounding concept, and the belief that those closest to the data can make the best use of it, so let's allow/help them to do so, sells well even today. And boy wasn't it a load off the central service organizations and a reduction in admin and overhead costs when that work was farmed back close to home. It even allowed for better controls and improved processes.

The cost of empowerment is increased local responsibility. This includes the knowledge to do all things empowered well, to supply all the necessary resources, and to manage/govern the outcome at an increasingly lower level of the organization. We didn't reallocate the assets to ensure this would happen (and by we I mean Higher Ed and Corporate America) and thus we have put firearms in the hands of toddlers in many cases. Not only have we increased the workload, we've changed the job requirement from being a low-trained functional paper-pusher to being an educated process owner and manager. The end employees must know more, do more, and be integrated more firmly in the entire process. It sounds good but it is a stretch on resources, and I maintain we didn't, as a country-wide standard, make the kinds of investments necessary to do the job properly.
Thus most departments are managing shadow systems on their own, developing their own Web and E-Commerce tools, and getting in way over their heads by not knowing the regulatory environment, not having the IT experience necessary for quality development and change control, not being able to properly secure things appropriately, and not even being able to use the new glorious ERP tools to great advantage. Thus the current necessity to start pulling in the reins on distributed computing and the present trend towards centralization of more and more resources and services. This will continue until we find that centralized services are failing to meet the needs of the end departments, and once again we will be enlightened and think that empowerment of the end user will be the panacea answer.

My only reason for blogging this philosophical banter is to take the sting out of my frustration with end users who won't step up to their responsibilities (we shouldn't require so many to have to) and to hopefully encourage a very thoughtful consideration of moderate reorganization somewhere between the radical ends of centralized and decentralized computing. I don't know the answer, but I've been part of a couple of these swings as technology charges forward, and the only way to right-size for the consequences lies somewhere in the space between the ends. I'm afraid we won't like the cost of the answer when we get there, and I believe it is running from that cost that gets us into trouble. A better TCO (total cost of operations) understanding is needed, and a stronger governance of technology application. What that looks like, and how to provide it with sufficient freedom to make a few mistakes and discover better methods, is the challenge ahead. OK, that's as far as I go with trying to be level headed about security, training, and the constant struggle to get folks to understand their NECESSARY participation in the process.
I hope there are some brilliant someones out there that can make sense of this tail-chasing and get us headed down a better path. I'll try to shut up for a while, I've consumed a few too many list electrons for my quota.

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

________________________________
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Wednesday, October 18, 2006 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education

Connie,

We are traveling down this rocky road also. We have managed to work with our human resources department (thanks to an IT Audit - Scott, if you're reading this - THANKS!) to have a base level training course incorporated into the new employee orientation program right alongside the mandatory sexual harassment course and benefits information session. Where I fear we will hit a stumbling block is with the entrenched faculty who see this as another bureaucratic hoop that they must jump through.

As for how we accomplish training, an "introductory" course is offered through our CMS that records the score and other pertinent information. We are working to have more advanced courses developed that focus on specific areas of interest.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Office 478.445.4473
Cell 478.454.8250
Email chad.mcdonald () gcsu edu

On Oct 18, 2006, at 5:56 PM, Sadler, Connie wrote:

Having come from a background in the Corporate world, where security training is *mandatory*, I'm wondering how many institutions of higher ed require security training for staff and/or faculty. We are planning to require it for our ERP system users (and all staff soon), but the question always comes up - "What are others doing?"

So I'd appreciate information about how you folks have approached your senior administration in terms of why mandatory training is so important. If you are not yet requiring training, I'd be interested in the barriers you still face. It seems particularly challenging for faculty.

Thanks much!

Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB
Current thread:
- Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION Jim Dillon (Oct 19)
- <Possible follow-ups>
- Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION Melissa Guenther (Oct 19)
- Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION Sadler, Connie (Oct 20)
- Re: Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION Greg Vickers (Nov 19)