Re: key topics to include in security awareness training materials

[Leon DuPree <duprleo () GMAIL COM>]

Marianne,

This sounds like the right approach.  Very proactive.  I really like the
part about embracing the new technology as a means of discussion and
education with your user population.
We will definitely try to emulate this. With Twitter, Facebook, and Linkled
being so new... I guess no one would have written a policy on  advisement on
how to use or not to use these "Social networking tools"   Perhaps proper
use is inferred and can be developed through discussion and training.   If
anyone has anymore input let me know


Thanks

Leon DuPree

University of Michigan
LSA- IT  Security




On Tue, Feb 10, 2009 at 9:25 AM, mcoyle <mcoyle () rci rutgers edu> wrote:

>   Our target audiences are faculty/staff, and students.   We're
> currently concentrating on phishing, however, we have a variety of posters
> on
> laptop security
> trojans and malware
> telecommuting safely
> privacy
> best practices, etc.
>
> We also have pocket cards (business card sized 4-fold) with a few best
> practices for students (distributed by campus reps to gathering places), and
> a different one for fac/staff highlighting PII and privacy (distributed with
> our token cards, by department tech people).
> We've also done colorful postcards delivered to student post office boxes,
> an fac/staff campus addresses, and a public service announcement (PSA) on
> the RU TV station.  We're currently working on a 15-20 min video which can
> be broken-up into smaller bits to be seen over TV and on our website for
> students. Our website has an RSS feed news site for interesting "not too
> technical" articles (http://rusecure.rutgers.edu) which I update almost
> daily with trends, newsletters and new scams.
>
> We look for opportunities to talk to the public at any opportunity with
> resource tables offering advice, publications and some give-aways at events.
> We've had little response to presentations, surveys and quizzes, but when we
> can talk to people individually , usually at resource tables, they really
> appreciate it. We really have to keep ourselves with the mainstream and try
> to show-up everywhere, so collaboration with other departments is important.
>
> We're also working on CBT for PCI and GLBA departments.
>
>  Marianne Coyle
> Project Manager
> Office of Information Technology
> Information Protection and Security
> Rutgers, The State University of New Jersey
> 96 Davidson Road
> Piscataway, NJ  08854
>  732-445-7629On Feb 9, 2009, at 3:00 PM, Leon DuPree wrote:
>
>  Marty,
>
> How do you guys address the social networking websites with staff, faculty
> and students.
> In corporate and government security these thing are pretty much blocked.
>
> How do you manage it?  Policy? Advisement?
>
>
> Thanks
>
> Leon DuPree
> LSA-IT Intern University of Michigan Ann Arbor
>
> On Mon, Feb 9, 2009 at 2:50 PM, Peterman, Martin (mdp4s) <
> mdp4s () virginia edu> wrote:
>
> > We have a few efforts that are on-going such as
> >
> > -an online tutorial (facts about IT security and then questions)
> > -yearly assessment of strategy for our various populations
> > -a community outreach program (www.whoswatchingcharlottesville.org)
> > -a big push for October (National Cyber Security Awareness Month)
> > -our IT security web site (www.itc.virginia.edu)
> >
> > We periodically reassess our awareness needs and also cast an eye towards
> > popular media to see what is holding the attention of people.
> >
> > Of late, we have been raising awareness around sensitive data (employees),
> > phishing (everyone), and social online networks (mostly students).
> >
> > Please contact me offlist if you have any questions.
> >
> > Thanks,
> > Marty
> >
> > Marty Peterman, CISSP
> > peterman () virginia edu
> > Information Security Analyst
> > Information Security, Policy, and Records Office (ISPRO)
> > Office of the Vice President/CIO
> > University of Virginia, 2400 Old Ivy Rd.                 Phone
> >  434.243.4909
> > Box 400898, Charlottesville, VA 22904-4898               Fax
> >  434.243.9197
> > http://www.itc.virginia.edu/security/
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> > SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
> > Sent: Friday, February 06, 2009 8:20 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] key topics to include in security awareness
> > training materials
> >
> > Tim Cline wrote:
> > > Greetings,
> > >
> > > I wanted to send a very general email message to start a conversation on
> > > security awareness. For those of you who have something that you
> > > currently use for security awareness training and dissemination of
> > > information, whether developed in-house or third-party courseware
> > > management platform, could you send a reply and let me know what are the
> > > key topics that you are covering?
> >
> > * Choosing a good password, and not sharing it.
> >
> > * Recognizing and avoiding phishing scams.
> >
> > * IT will never ask for your password over the phone or in an email.
> > Honest.
> >
> > That covers the vast, vast majority of potential problems. One of the
> > issues with doing security training is scope creep -- you feel that with
> > the campus community listening, you should tell them about _everything_
> > they need to know in information security. Don't. Instead, focus on a
> > few simple things, because bombarding end users with information just
> > guarantees that they won't retain any of it.
> >
> > --Matt
> >
> > --
> > Matt Gracie                         (716) 888-8378
> > Information Security Administrator  graciem () canisius edu
> > Canisius College ITS                Buffalo, NY
> > http://www2.canisius.edu/~graciem/graciem_public_key.gpg
>
>
>
> --
> Leon & Lisa DuPree
> 1327 Chissom Trail
> Flint Township, MI 48532
> 810-471-3872 Phone
> 270- 447-3872 Fax


--
Leon & Lisa DuPree
1327 Chissom Trail
Flint Township, MI 48532
810-471-3872 Phone
270- 447-3872 Fax