Re: Enforcement of Security Training for Faculty/Staff

["Patria, Patricia" <PPatria () BENTLEY EDU>]

We are still in the process of rolling out our training, but our plans are as follows:


1.       Training will be required for all staff members. We plan to roll-out on-line training through MOAT which 
tracks whether someone has performed the training in the proper time frame. Managers will be responsible for ensuring 
compliance. If staff do not complete the training in the appropriate time frame, managers will take that into 
consideration in the yearly performance review process.

2.       We will not require or track training for faculty, but we include faculty in our security awareness bulletins 
which are sent quarterly, and we will provide security awareness sessions on a yearly basis at a General Faculty 
Meeting (where most of the faculty are in attendance).

3.       We have also performed some additional targeted training to targeted groups including our Senior Managers, IT, 
HR, Faculty Senate and Key Users (technical users in the business units).

4.       Human resources also provides a general security awareness training to all new hires.

Hope that helps.

Patty


Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 |781.891.2364



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew 
Giannetto
Sent: Sunday, February 28, 2010 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enforcement of Security Training for Faculty/Staff


Folks,



We're currently planning IT Security Training & Awareness at our college, and are struggling with some of the same 
challenges I'm sure most of you have faced.  We're currently debating if we can require IT Security Training for 
faculty, and if so, how do we enforce it.



I've gone through much of the previous discussion regarding training and awareness and how to gain faculty acceptance.  
In general, it seems that the majority of institutions can't convince upper management to buy-in to a mandate 
(primarily due to culture or contractual limitations), and thus are left to find creative ways to design and market 
their training to encourage participation.



But, much of the earlier conversation doesn't address how institutions that require IT security training enforce the 
requirement?  Do you turn off network accounts if they don't complete training by a certain date?  Do you make a note 
in their personnel file?  Do you just keep pestering them until they do it?



Any feedback you may have is greatly appreciated.




Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442









________________________________
Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.