Educause Security Discussion mailing list archives

Re: User's not following the rules


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 18 Sep 2008 09:51:48 -0500

We used testing at my company for two purposes: first, we could keep a
record that showed an individual had taken the test (no scoring, or
pass/fail initially, but eventually for critical policies we implemented
a pass/fail regimen) in case there was ever a disciplinary action
required; second, we reviewed the composite scores to determine if there
were segments of the policy that were unclear. If a large percentage of
folks missed a specific question, we found that in most cases, it was
poor or unclear wording in the policy and we could adjust it to make the
policy easier to understand.

 

Just my two sous' worth...

plk

========================================
Paul L. Kendall, PhD, CHS-III, CISM, CISSP
PCI Qualified Security Assessor
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com

"What we do in Life echoes in Eternity..."

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Thursday, September 18, 2008 9:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

 

Thank you, everyone.
This has been very helpful.  HR is currently involved in the process,
but we are still having a problem getting users to grasp the severity of
some of these issues.  It looks like we are going to stay with the group
and keep out of the disciplinary process.

I am still curious about testing.  At some point during this school year
I will be developing a test that I can give to participants in training
classes, or a pretest so they can test out of the class.  Initially
these tests will be anonymous.  Since compliance is our goal, we are
considering keeping the results of a test to help show people both read
and understood the policies and procedures.  We can force people to read
and sign a document stating they read the document, but that does not
show their actual level of understanding.

We want to be fair to the users.  Let's face it, I might fail the test
on organic chemistry the first time.  That subject is not part of my
everyday lingo.  If they do not pass the test they are not going to be
"in trouble," but the results would help identify people who might
require a different approach to learning this information.  In the end
we hope this will lead to more educated users and a less vulnerable
environment.

 

 

Thank you for your time

James Farr

Utica College

Information Security Officer

315-223-2386

Jfarr () utica edu

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mehmedovic, Jenny
Sent: Thursday, September 18, 2008 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

 

We use the following general language or something like it in most of
our information technology-related policies, so that misbehavior or
violation of policies can be assessed on a case-by-case basis.  Our
Information Security policy gets a bit more in-depth & detailed.  See
https://documents.ku.edu/policies/Information_Services/Information_Technology/Security_Policy/Security_Policy.htm.

 

Feel free to browse our other IT policies at
http://www.policy.ku.edu/category.shtml?8.

 

Whatever approach you decide to take, make sure you involve your Human
Resources & General Counsel offices.  We feel strongly here that any
disciplinary action taken should occur within the department & under
advisement of HR & Counsel (i.e., IT is not the one meting out the
disciplinary measure...)

 

_______________________________

Use of University electronic information resources contrary to this
policy, University or Regents' policies, or applicable federal, state or
local law is prohibited and may subject the user to disciplinary action
including, but not limited to, suspension of the user's access to the
electronic information resources. Users also should be aware of other
possible consequences under University or Regents' policies and federal,
state, or local laws, particularly those related to computer crime and
copyright violation. 

______________________

Faculty, staff and student employees who violate this university policy
may be subject to disciplinary action for misconduct and/or performance
based on the administrative process appropriate to their employment. 

 

Students who violate this university policy may be subject to
proceedings for non-academic misconduct based on their student status. 

 

Faculty, staff, student employees and students may also be subject to
the discontinuance of specified information technology services based on
the policy violation.

___________________________________________

Employment actions should be handled by the appropriate department with
the advice and guidance of Human Resources/Equal Opportunity and the
Office of the General Counsel.  Student disciplinary actions should be
handled by the appropriate department in collaboration with Student
Success.

___________________________________________

Jenny Mehmedovic 
Assistant to the Provost 
University of Kansas 
(785) 864-4904 
jmehmedo () ku edu 

 

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sachnoff, Neil
Sent: Thursday, September 18, 2008 5:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

Last time we tried to push this concept, the institution was unwilling to
place in policy what the penalties would be.  We have many unions on
campus.

 

/Neil  

Neil S. Sachnoff, Executive Director, Information Technology
Middlesex County College 
2600 Woodbridge Avenue, JLC Rm. 209 
Edison, NJ 08818-3050 

Think before you print

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User's not following the rules

 

We are currently evaluating what to do when a user does not follow the
Information Security Policies adopted by the institution.

Currently our policies are handled on a case-by-case basis.  There are
no set policies that clearly state that if you provide your password to
another user, x, y, z will happen.

Does anyone have a guideline they can share on what happens when a user
does not follow the established rules?

Do you test users on their understanding of the security policies?

If so, are penalties more severe if the user demonstrated knowledge in the
area?

Do sanctions change based on the number of times they do not follow the
policy?

 

Thank you for your time

James Farr

Utica College

Information Security Officer

 

