Educause Security Discussion mailing list archives

Re: Users not following the rules


From: James Farr '05' <jfarr () UTICA EDU>
Date: Thu, 18 Sep 2008 10:28:38 -0400

Thank you everyone,
This has been very helpful.  HR is currently involved in the process, but we
are still having a problem getting users to grasp the severity of some of
these issues.  It looks like we are going to stay with the group and keep
out of the disciplinary process.



I am still curious about testing.  At some point during this school year I
will be developing a test that I can give to participants in training
classes, or a pretest so they can test out of the class.  Initially these
tests will be anonymous. Since compliance is our goal, we are considering
keeping the results of a test to help show that people have both read and
understood the policies and procedures.  We can force people to read and sign
a document stating they read the document, but that does not show their actual
level of understanding.



We want to be fair to the users.  Let's face it, I might fail the test on
organic chemistry the first time.  That subject is not part of my everyday
lingo.  If they do not pass the test they are not going to be "in trouble",
but the results would help identify people who might require a different
approach to learning this information.  In the end we hope this will lead to
more educated users and a less vulnerable environment.





Thank you for your time

James Farr

Utica College

Information Security Officer

315-223-2386

Jfarr () utica edu



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mehmedovic, Jenny
Sent: Thursday, September 18, 2008 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Users not following the rules



We use the following general language or something like it in most of our
information technology-related policies, so that misbehavior or violation of
policies can be assessed on a case-by-case basis.  Our Information Security
policy gets a bit more in-depth & detailed.  See
https://documents.ku.edu/policies/Information_Services/Information_Technology/Security_Policy/Security_Policy.htm.



Feel free to browse our other IT policies at
http://www.policy.ku.edu/category.shtml?8.



Whatever approach you decide to take, make sure you involve your Human
Resource & General Counsel offices.  We feel strongly here that any
disciplinary action taken should occur within the department & under
advisement of HR & Counsel (i.e., IT is not the one meting out the
disciplinary measure...)



_______________________________

Use of University electronic information resources contrary to this policy,
University or Regents' policies, or applicable federal, state or local law
is prohibited and may subject the user to disciplinary action including, but
not limited to, suspension of the user's access to the electronic
information resources. Users also should be aware of other possible
consequences under University or Regents' policies and federal, state, or
local laws, particularly those related to computer crime and copyright
violation.

______________________

Faculty, staff and student employees who violate this university policy may
be subject to disciplinary action for misconduct and/or performance based on
the administrative process appropriate to their employment.



Students who violate this university policy may be subject to proceedings
for non-academic misconduct based on their student status.



Faculty, staff, student employees and students may also be subject to the
discontinuance of specified information technology services based on the
policy violation.

___________________________________________

Employment actions should be handled by the appropriate department with the
advice and guidance of Human Resources/Equal Opportunity and the Office of
the General Counsel.  Student disciplinary actions should be handled by the
appropriate department in collaboration with Student Success.

___________________________________________

Jenny Mehmedovic
Assistant to the Provost
University of Kansas
(785) 864-4904
jmehmedo () ku edu





  _____

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sachnoff, Neil
Sent: Thursday, September 18, 2008 5:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Users not following the rules

Last time we tried to push this concept the institution was unwilling to
place in policy what the penalties would be. We have many unions on campus.



/Neil

Neil S. Sachnoff, Executive Director, Information Technology
Middlesex County College
2600 Woodbridge Avenue, JLC Rm. 209
Edison, NJ 08818-3050

Think before you print



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Users not following the rules



We are currently evaluating what to do when a user does not follow the
Information Security Policies adopted by the institution.


Currently our policies are handled on a case-by-case basis.  There are no
set-forth policies that clearly state that if you provide your password to
another user, x, y, z will happen.



Does anyone have a guideline they can share on what happens when a user does
not follow the established rules?

Do you test users on their understanding of the security policies?

If so, are penalties more severe if the user demonstrated knowledge in the
area?

Do sanctions change based on the number of times they do not follow the
policy?



Thank you for your time

James Farr

Utica College

Information Security Officer



