Educause Security Discussion mailing list archives

Enforcement of Security Training for Faculty/Staff


From: "Conlee, Keith" <Conlee () COD EDU>
Date: Tue, 9 Mar 2010 17:01:40 -0600

Hi Matt,

On behalf of our IT dept. I designed/developed an online Security Management Training product for all staff that is 
required.  As you might expect it defines acceptable use, the definition of and the protection of sensitive data among 
other things.  The training defines the College's Security Management position and the required/expected behavior for 
each staff member to support it.  After the audio/video/power-pt presentation the employee is asked to answer 6 easy 
questions to demonstrate they understand the College's SM position and what they have to do to support it.  At the end 
of the questions, each staff member is required to print a certificate of completion and submit it to a centralized 
record-keeper where it becomes part of their personal record that they completed it (or not).

From an audit perspective for PCI, FERPA, GLBA, HEOA, HIPAA, etc. that require training as part of complying with each 
regulation/standard this explicit type of training makes it easy to demonstrate that you have complied with the 
training requirement of each.


Keith Conlee, CISSP, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
Fax. - 630.790.0325 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Sunday, February 28, 2010 11:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 26 Feb 2010 to 28 Feb 2010 (#2010-47)

There is 1 message totalling 157 lines in this issue.

Topics of the day:

  1. Enforcement of Security Training for Faculty/Staff

----------------------------------------------------------------------

Date:    Sun, 28 Feb 2010 12:01:51 -0500
From:    Matthew Giannetto <MGiannetto () MC3 EDU>
Subject: Enforcement of Security Training for Faculty/Staff


Folks,



We're currently planning IT Security Training & Awareness at our college, and are struggling with some of the same
challenges I'm sure most of you have faced.  We're currently debating if we can require IT Security Training for
faculty, and if so, how do we enforce it.



I've gone through much of the previous discussion regarding training and awareness and how to gain faculty
acceptance.  In general, it seems that the majority of institutions can't convince upper management to buy-in to a
mandate (primarily due to culture or contractual limitations), and thus are left to find creative ways to design and
market their training to encourage participation.



But, much of the earlier conversation doesn't address how institutions that require IT security training enforce the
requirement?  Do you turn off network accounts if they don't complete training by a certain date?  Do you make a note
in their personnel file?  Do you just keep pestering them until they do it?



Any feedback you may have is greatly appreciated.




Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442









________________________________
Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.


------------------------------

End of SECURITY Digest - 26 Feb 2010 to 28 Feb 2010 (#2010-47)
**************************************************************
