Educause Security Discussion mailing list archives
Re: Mandatory Security Training in Higher Education - NEWRELATED DISCUSSION
From: Melissa Guenther <mguenther () COX NET>
Date: Fri, 20 Oct 2006 12:24:40 -0700
Thank you Connie

----- Original Message -----
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, October 20, 2006 11:45 AM
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education - NEWRELATED DISCUSSION

Melissa,

I'm talking about basics, mostly, to include the following:

- Choose good passwords and never share them
- Use VPN for remote access
- Encrypt data on laptops and other portable devices
- Shred! Shred! Shred!
- Lock up confidential materials at the end of the day (Clean Desk Policy)
- Keep confidential information to yourself - not for conversation or gossip
- Document access controls
- Identify Data Owners and teach them their responsibilities
- Apply anti-virus and patching and anti-spyware
- Dispose of equipment (hard drives and PDAs) securely
- Avoid Phishing attacks
- Report suspected security "incidents"
- Think of worst-case scenarios and whether or not you can defend your current practices should a breach occur.

There's more, but the primary message is communicated so that every employee and faculty member knows our approach and what their individual contributions should be. The concept of Data Ownership is also key, because we expect Data Owners to know how their data is stored and transmitted. They also need to authorize access (delegating it, but knowing the procedures) to employees, vendors, other departments, etc.

I hope this brief summary helps!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266

-----Original Message-----
From: Melissa Guenther [mailto:mguenther () COX NET]
Sent: Thursday, October 19, 2006 9:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education - NEW RELATED DISCUSSION

I have been reading the messages pertaining to this subject with interest, and I have to ask the question: what type and depth of security training is everyone referring to?

---- Jim Dillon <Jim.Dillon () CUSYS EDU> wrote:
The source of this problem (the distributed security dilemma) has a lot to do with our election of ERP systems and adoption of highly accessible Web based resources. By empowering the end user to do increasingly powerful things, and by putting more and more responsibility to manage "enterprise administrative" data back to levels closer to the end user, we've really created a monster. Empowerment is a neat sounding concept, and the belief that those closest to the data can make the best use of it so let's allow/help them to do so sells well even today. And boy wasn't it a load off the central service organizations and a reduction in admin and overhead costs when that work was farmed back close to home. It even allowed for better controls and improved processes.

The cost of empowerment is increased local responsibility. This includes the knowledge to do all things empowered well, to supply all the necessary resources, and to manage/govern the outcome at an increasingly lower level of the organization. We didn't reallocate the assets to ensure this would happen (and by we I mean Higher Ed and Corporate America) and thus we have put firearms in the hands of toddlers in many cases. Not only have we increased the workload, we've changed the job requirement from being a low trained functional paper-pusher to being an educated process owner and manager. The end employees must know more, do more, and be integrated more firmly in the entire process. It sounds good but it is a stretch on resources and I maintain we didn't as a country-wide standard make the kinds of investments necessary to do the job properly. Thus most departments are managing shadow systems on their own, developing their own Web and E-Commerce tools, and getting in way over their heads by not knowing the regulatory environment, not having the IT experience necessary for quality development and change control, not being able to properly secure things appropriately, and not even being able to use the new glorious ERP tools to great advantage. Thus the current necessity to start pulling in the reins on distributed computing and the present trend towards centralization of more and more resources and services. This will continue until we find that centralized services are failing to meet the needs of the end departments and once again we will be enlightened and think that empowerment of the end user will be the panacea answer.

My only reasons for blogging this philosophical banter are to take the sting out of my frustration with end users who won't step up to their responsibilities - we shouldn't require so many to have to - and to hopefully encourage a very thoughtful consideration of moderate reorganization somewhere between the radical ends of centralized and decentralized computing. I don't know the answer, but I've been part of a couple of these swings as technology charges forward, and the only way to right-size for the consequences lies somewhere in the space between the ends. I'm afraid we won't like the cost of the answer when we get there, and I believe it is running from that cost that gets us into trouble. A better TCO (total cost of operations) understanding is needed, and a stronger governance of technology application. What that looks like and how to provide it with sufficient freedom to make a few mistakes and discover better methods is the challenge ahead.

OK, that's as far as I go with trying to be level headed about security, training, and the constant struggle to get folks to understand their NECESSARY participation in the process. I hope there are some brilliant someones out there that can make sense of this tail-chasing and get us headed down a better path. I'll try to shut up for a while, I've consumed a few too many list electrons for my quota.
JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

________________________________
From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Wednesday, October 18, 2006 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education

Connie,

We are traveling down this rocky road also. We have managed to work with our human resources department (thanks to an IT Audit - Scott, if you're reading this - THANKS!) to have a base level training course incorporated into the new employee orientation program right alongside the mandatory sexual harassment course and benefits information session.

Where I fear we will hit a stumbling block is with the entrenched faculty who see this as another bureaucratic hoop that they must jump through. As for how we accomplish training, an "introductory" course is offered through our CMS that records the score and other pertinent information. We are working to have more advanced courses developed that focus on specific areas of interest.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Office 478.445.4473
Cell 478.454.8250
Email chad.mcdonald () gcsu edu

On Oct 18, 2006, at 5:56 PM, Sadler, Connie wrote:

Having come from a background in the Corporate world, where security training is *mandatory*, I'm wondering how many institutions of higher ed require security training for staff and/or faculty. We are planning to require it for our ERP system users (and all staff soon), but the question always comes up - "What are others doing?" So I'd appreciate information about how you folks have approached your senior administration in terms of why mandatory training is so important. If you are not yet requiring training, I'd be interested in the barriers you still face. It seems particularly challenging for faculty.

Thanks much!

Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB