Educause Security Discussion mailing list archives

Re: Faculty and Staff IT Security Awareness


From: John Kristoff <jtk () DEPAUL EDU>
Date: Mon, 3 Mar 2008 15:04:52 -0600

On Mon, 3 Mar 2008 15:00:11 -0500
Nicolas Pachis <npachis () VT EDU> wrote:

> I was hoping to spark a discussion / feedback on the methods that
> other Colleges and Universities are using to promote awareness within
> faculty and staff.  Currently we use new employee orientation, our
> Faculty Development Institute, and various newsletters, printable
> materials, etc.

Some time ago I was fortunate enough to have been involved in an award
of some funds to develop just this sort of thing.  The security team
undertook a number of tasks to accomplish this.  We began an annual
security forum, which was an all day seminar format program.  We
solicited 1/2 to 1 hour talks by various colleagues, mostly within the
institution.  Some were technical presentations, but we also had some
more fun ones such as when we had a rep from legal counsel join us.  We
also bribed local 3rd party experts who always had something useful to
say. Students were welcome.

We brought in CERT/CC to give some classes.  One was directly
aimed at managers, directors and C*O types.  This was the high-level
concepts and risk management style class that got them thinking
and talking about issues from a business perspective.  We also
had a 5-day technical training for IT staff by CERT/CC.  I think we
had about 25 attend the former and 20 the latter.

We also solicited someone from computer science to come in and teach
"secure coding" concepts to IT development staff, but I don't recall
this ever happening unfortunately.

We then did monthly lunch sessions on various topics.

I think we sent a few people away to more specific training for things
that weren't applicable to big groups.

Two things really helped drive participation.  Free food at all the
events and at least a couple really good sponsors.  We had wonderful
support from an executive of our library services group who helped
do all the promotion and bring in all the key folks from around the
university.

With money we had left over we gave away some books, mousepads with
key websites/info on them, etc.  Even though the initial funding was a
one-time event, the yearly seminar and monthly lunch events continued
for a while.

Hard to measure the overall outcome, but in my experience I've seen
places that don't seem to do better with a lot more overall resources
and much bigger security budgets.

Hopefully that sparked some ideas.

John
