Educause Security Discussion mailing list archives

Re: Faculty and Staff IT Security Awareness


From: Martin Manjak <mm376 () ALBANY EDU>
Date: Wed, 12 Mar 2008 14:24:13 -0400

Theresa,

At the department and business unit level, we try to tie information
security practices into the range of standard internal controls that
assure that institutional resources are used appropriately: are staff
using screen savers that require re-authentication, are they removing
sensitive information from their desks when they go home at night, are
personnel files placed in locked file cabinets? If you can get people to
understand the concepts of confidentiality, integrity, and availability
in the tangible world, in their particular environment, it's much
easier to make the link to the cyber realm.

We also do what most other institutions do to raise awareness, i.e.,
brochures, posters, mass emails.

This week, we inaugurated a special program for supervisors of areas
that are considered high risk (financial, student, and staff records).
But this program focuses on developing the ability to do effective risk
assessment, rather than instructing people with a list of dos and don'ts.

The idea is to create the impetus for appropriate controls from within
the departments. It's my role to assist them with evaluating and
applying those controls. And, if we discover that a critical mass of
units require similar controls, we have some leverage in advocating for
those at the institutional level.


Theresa Rowe wrote:
We may have a little funding to make kind of awareness program
happen.  I'm not inclined to do this without a formal initiative, set
of objectives, and program, as our informal efforts typically have not
yielded the attendance and results we desire.

Tying it into internal controls and risk management might work.  Has
anyone actually developed a program?  Did you hire someone to help you
put the program together? To create the materials?  What kind of
budget did you have?

Theresa



--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
