Educause Security Discussion mailing list archives
Re: User's not following the rules
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 18 Sep 2008 09:51:48 -0500
We used testing at my company for two purposes: first, we could keep a record that showed an individual had taken the test (no scoring, or pass/fail initially, but eventually for critical policies we implemented a pass/fail regimen) in case there was ever a disciplinary action required; second, we reviewed the composite scores to determine if there were segments of the policy that were unclear. If a large percentage of folks missed a specific question, we found that in most cases it was poor or unclear wording in the policy, and we could adjust it to make the policy easier to understand.

Just my two sous' worth...

plk

========================================
Paul L. Kendall, PhD, CHS-III, CISM, CISSP
PCI Qualified Security Assessor
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com
"What we do in Life echoes in Eternity..."

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Thursday, September 18, 2008 9:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

Thank you everyone,

This has been very helpful. HR is currently involved in the process, but we are still having a problem getting users to grasp the severity of some of these issues. It looks like we are going to stay with the group and keep out of the disciplinary process.

I am still curious about testing. At some point during this school year I will be developing a test that I can give to participants in training classes, or a pretest so they can test out of the class. Initially these tests will be anonymous. Since compliance is our goal, we are considering keeping the results of a test to help show people both read and understood the policies and procedures. We can force people to read and sign a document stating they read the document, but that does not show their actual level of understanding. We want to be fair to the users. Let's face it, I might fail the test on organic chemistry the first time. That subject is not part of my everyday lingo. If they do not pass the test they are not going to be "in trouble," but the results would help identify people who might require a different approach to learning this information. In the end we hope this will lead to more educated users and a less vulnerable environment.

Thank you for your time

James Farr
Utica College
Information Security Officer
315-223-2386
Jfarr () utica edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mehmedovic, Jenny
Sent: Thursday, September 18, 2008 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

We use the following general language, or something like it, in most of our information technology-related policies, so that misbehavior or violation of policies can be assessed on a case-by-case basis. Our Information Security policy gets a bit more in-depth and detailed. See https://documents.ku.edu/policies/Information_Services/Information_Technology/Security_Policy/Security_Policy.htm. Feel free to browse our other IT policies at http://www.policy.ku.edu/category.shtml?8.

Whatever approach you decide to take, make sure you involve your Human Resource and General Counsel offices. We feel strongly here that any disciplinary action taken should occur within the department and under advisement of HR and Counsel (i.e., IT is not the one meting out the disciplinary measure...)

_______________________________
Use of University electronic information resources contrary to this policy, University or Regents' policies, or applicable federal, state or local law is prohibited and may subject the user to disciplinary action including, but not limited to, suspension of the user's access to the electronic information resources. Users also should be aware of other possible consequences under University or Regents' policies and federal, state, or local laws, particularly those related to computer crime and copyright violation.
______________________
Faculty, staff and student employees who violate this university policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment. Students who violate this university policy may be subject to proceedings for non-academic misconduct based on their student status. Faculty, staff, student employees and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
___________________________________________
Employment actions should be handled by the appropriate department with the advice and guidance of Human Resources/Equal Opportunity and the Office of the General Counsel. Student disciplinary actions should be handled by the appropriate department in collaboration with Student Success.
___________________________________________

Jenny Mehmedovic
Assistant to the Provost
University of Kansas
(785) 864-4904
jmehmedo () ku edu

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sachnoff, Neil
Sent: Thursday, September 18, 2008 5:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User's not following the rules

Last time we tried to push this concept the institution was unwilling to place in policy what the penalties would be. We have many unions on campus.

/Neil

Neil S. Sachnoff, Executive Director, Information Technology
Middlesex County College
2600 Woodbridge Avenue, JLC Rm. 209
Edison, NJ 08818-3050

Think before you print

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr '05'
Sent: Wednesday, September 17, 2008 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User's not following the rules

We are currently evaluating what to do when a user does not follow the Information Security Policies adopted by the institution. Currently our policies are handled on a case-by-case basis. There are no set forth policies that clearly state if you provide your password to another user x, y, z will happen. Does anyone have a guideline they can share on what happens when a user does not follow the established rules? Do you test users on their understanding of the security policies? If so, are penalties more severe if the user demonstrated knowledge in the area? Do sanctions change based on the number of times they do not follow the policy?

Thank you for your time

James Farr
Utica College
Information Security Officer