Educause Security Discussion mailing list archives

Re: Mandatory Security Training in Higher Education - NEWRELATED DISCUSSION


From: Melissa Guenther <mguenther () COX NET>
Date: Fri, 20 Oct 2006 12:24:40 -0700

Thank you Connie
----- Original Message -----
From: "Sadler, Connie" <Connie_Sadler () BROWN EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, October 20, 2006 11:45 AM
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education -
NEWRELATED DISCUSSION
Melissa, I'm talking about basics, mostly, to include the following:

Choose good passwords and never share them
Use VPN for remote access
Encrypt data on laptops and other portable devices
Shred! Shred! Shred!
Lock up confidential materials at the end of the day (Clean Desk Policy)
Keep confidential information to yourself - not for conversation or gossip
Document access controls
Identify Data Owners and teach them their responsibilities
Apply anti-virus and patching and anti-spyware
Dispose of equipment (hard drives and PDAs) securely
Avoid Phishing attacks
Report suspected security "incidents"
Think of worst-case scenarios and whether or not you can defend your current practices should a breach occur.

There's more, but the primary message is communicated so that every
employee and faculty member knows our approach and what their individual
contributions should be. The concept of Data Ownership is also key,
because we expect Data Owners to know how their data is stored and
transmitted. They also need to authorize access (delegating it, but
knowing the procedures) to employees, vendors, other departments, etc.

I hope this brief summary helps!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266


-----Original Message-----
From: Melissa Guenther [mailto:mguenther () COX NET]
Sent: Thursday, October 19, 2006 9:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education
- NEW RELATED DISCUSSION

I have been reading the messages pertaining to this subject with
interest, and I am having to ask the question:

What type and depth of security training is everyone referring to?
---- Jim Dillon <Jim.Dillon () CUSYS EDU> wrote:
The source of this problem (the distributed security dilemma) has a
lot to do with our election of ERP systems and adoption of highly
accessible Web based resources.  By empowering the end user to do
increasingly powerful things, and by putting more and more
responsibility to manage "enterprise administrative" data back to
levels closer to the end user, we've really created a monster.
Empowerment is a neat sounding concept, and the belief that those
closest to the data can make the best use of it so let's allow/help
them to do so sells well even today.  And boy wasn't it a load off the
central service organizations and a reduction in admin and overhead
costs when that work was farmed back close to home.  It even allowed
for better controls and improved processes.

The cost of empowerment is increased local responsibility.  This
includes the knowledge to do all things empowered well, to supply all
the necessary resources, and to manage/govern the outcome at an
increasingly lower level of the organization.  We didn't reallocate the
assets to ensure this would happen (and by we I mean Higher Ed and
Corporate America) and thus we have put firearms in the hands of
toddlers in many cases.  Not only have we increased the workload,
we've changed the job requirement from being a low trained functional
paper-pusher to being an educated process owner and manager.  The end
employees must know more, do more, and be integrated more firmly in
the entire process.  It sounds good but it is a stretch on resource
and I maintain we didn't as a country-wide standard make the kinds of
investments necessary to do the job properly.  Thus most departments
are managing shadow systems on their own, developing their own Web and
E-Commerce tools, and getting in way over their head by not knowing
the regulatory environment, not having the IT experience necessary for
quality development and change control, not being able to properly
secure things appropriately, and not even being able to use the new
glorious ERP tools to great advantage.

Thus the current necessity to start pulling in the reins on
distributed computing and the present trend towards centralization of
more and more resources and services.  This will continue until we
find that centralized services are failing to meet the needs of the
end departments and once again we will be enlightened and think that
empowerment of the end user will be the panacea answer.
My only reasons for blogging this philosophical banter is to take the
sting out of my frustration with end users who won't step up to their
responsibilities - we shouldn't require so many to have to - and to
hopefully encourage a very thoughtful consideration of moderate
reorganization somewhere between the radical ends of centralized and
decentralized computing.  I don't know the answer, but I've been part
of a couple of these swings as technology charges forward, and the
only way to right-size for the consequences lies somewhere in the
space between the ends.  I'm afraid we won't like the cost of the
answer when we get there, and I believe it is running from that cost
that gets us into trouble.  A better TCO (total cost of operations)
understanding is needed, and a stronger governance of technology
application.  What that looks like and how to provide it with
sufficient freedom to make a few mistakes and discover better methods
is the challenge ahead.
OK, that's as far as I go with trying to be level headed about
security, training, and the constant struggle to get folks to
understand their NECESSARY participation in the process.  I hope there
are some brilliant someones out there that can make sense of this
tail-chasing and get us headed down a better path.  I'll try to shut
up for a while, I've consumed a few too many list electrons for my
quota.

JD

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

________________________________

From: Chad McDonald [mailto:chad.mcdonald () GCSU EDU]
Sent: Wednesday, October 18, 2006 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education

Connie,

We are traveling down this rocky road also.  We have managed to work
with our human resources department (thanks to an IT Audit - Scott, if
you're reading this - THANKS!) to have a base level training course
incorporated into the new employee orientation program right alongside
the mandatory sexual harassment course and benefits information
session.
Where I fear we will hit a stumbling block is with the entrenched
faculty who see this as another bureaucratic hoop that they must jump
through.  As for how we accomplish training, an "introductory" course
is offered through our CMS that records the score and other pertinent
information.  We are working to have more advanced courses developed
that focus on specific areas of interest.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Office  478.445.4473
Cell    478.454.8250
Email   chad.mcdonald () gcsu edu

On Oct 18, 2006, at 5:56 PM, Sadler, Connie wrote:

Having come from a background in the Corporate world, where security
training is *mandatory*, I'm wondering how many institutions of higher
ed require security training for staff and/or faculty. We are planning
to require it for our ERP system users (and all staff soon), but the
question always comes up - "What are others doing"? So I'd appreciate
information about how you folks have approached your senior
administration in terms of why mandatory training is so important. If
you are not yet requiring training, I'd be interested in the barriers
you still face. It seems particularly challenging for faculty.

Thanks much!

Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB