Educause Security Discussion mailing list archives

Re: Faculty and Staff IT Security Awareness


From: Marty Manjak <mm376 () ALBANY EDU>
Date: Tue, 4 Mar 2008 19:22:40 -0500

One of the methods we use to increase staff awareness is to integrate
information security into our Internal Controls initiative. The ISO
participates in (almost) every Internal Controls review or follow-up with
departmental or business unit managers, deans, directors, supervisors.

We make it clear to them that securing information assets is part of the
Internal Controls spectrum of risk management. We review their
environment, talk about the assets they manage, and discuss the controls
they have in place and whether they are adequate.

One of the results of these meetings is that the controls are implemented
by the department/unit, not the ISO, i.e., they are not superimposed from
the top down, but grow organically out of the discussions and the
recognition on the part of the staff that they need to make adjustments
based on best practices and the nature of the information they handle.

These meetings also help to establish personal relationships between
management and the ISO. I make it clear to them that I serve as an
institutional resource and that I'm available should they have any
questions regarding proper procedures for protecting information.

These face-to-face meetings are very valuable in establishing the
authority of the ISO, prioritizing information security, and providing
directors and managers with concrete actions they can take to improve
their policies and procedures (risk management).

Marty Manjak
CISSP
Information Security Officer
University at Albany

Good Afternoon,

I was hoping to spark a discussion / feedback on the methods that
other Colleges and Universities are using to promote awareness within
faculty and staff.  Currently we use new employee orientation, our
Faculty Development Institute, and various newsletters, printable
materials, etc.

We are looking to expand our methods and wondered if anyone out there
had any sure-fire methods they use they would like to share.  Do you
tie it with another group on your campus or run it solo?  How have
you rated its success or failure to promote the awareness concepts
you were trying to impart?  And what ideas have you tried that have
just not succeeded the way you wished?

Thanks,

Nicolas Pachis, GIAC-GCIH
IT Security, 1300 Torgersen Hall
Virginia Polytechnic Institute and State University
npachis () vt edu
http://www.security.vt.edu

