Educause Security Discussion mailing list archives

Re: Enforcement of Security Training for Faculty/Staff


From: Steve Werby <smwerby () VCU EDU>
Date: Thu, 11 Mar 2010 13:42:07 -0500

About 40% of our full-time employees use one of our enterprise financial
systems and the system owner requires all users to complete annual
security awareness training.  Failure to do so results in removal of
their access.  Some even explicitly ask that their access be revoked so
they don't have to complete it, though for that subset access apparently
isn't critical to their jobs.

Immediately prior to my current role, I was ISO at an organization in a
different industry where all 10,000 employees with AD accounts were
required to complete annual security awareness training, and AD access
was disabled if they didn't complete it.  I made sure users and their unit
heads were aware of why they were required to complete it, that ample
time was given (3+ months), that unit heads let their employees know
they needed to complete it, that reminders were sent periodically, and
that unit heads had real-time access to completion reports for their
employees.  After accounts were disabled, if a unit head wanted access
re-enabled we'd require a formal request to re-enable the account for 5
days to allow the training to be completed.  On the rare occasion the
employee still didn't complete it, subsequent requests had to come from
a higher level in the organization.  And we had one unit head who told
his employees that they had to complete it by the first deadline because
he would not make any requests to have accounts re-enabled.  He always
had 100% compliance.  ;-)  Of course, this wasn't higher ed.

I've been thinking for some time about incorporating incentives into
mandatory and optional security awareness training.  A stick has its
purpose, but so does a carrot.  I suspect many of us have users who view
information security as something with little perceived personal benefit
to them.  The approach I've taken when speaking with individuals and
departments has been to educate them about the potential direct impact
to them when possible, particularly from a personal standpoint outside
of the workplace, in hopes that the message will get through and it will
impact behavior in both their personal and professional/university
lives.  I don't have ideas for carrots yet, but I'll share the best
practices document since it's an example of educational material
targeting my user base that is equally applicable from a personal
standpoint as it is from a university standpoint.
http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf

On 3/1/2010 6:18 PM, Sherry Callahan wrote:
We've had mandatory annual awareness training for our faculty and
staff for over 5 years now.  New faculty\staff are required to
complete the online training within 30 days after their start date and
then on an annual basis within a set time frame (January through
March) every year.  We disable network and email access for anyone
that doesn't meet those requirements.

HIPAA was a big driver for us, as it requires awareness training, as
were other regulatory requirements and the establishment of a policy
at the state level that requires all individuals with network access
to receive training on an annual basis.  The latter has pushed us to
extend the training requirement to students, which we will be doing
for the first time in July.  The consequence for students who do not
complete the training within the July to September time period will be
the same as for employees - their network\email access will be cut
off.  We have buy-in from all of our Schools on this plan.  Those
students who are also employees will only need to complete the training
once - if they've taken it in January as part of the employee training
cycle, then they won't need to do it again in July.

At the beginning, there was push back from some of the faculty and
researchers but now it has become routine.  Our Office of Compliance
tracks who has completed the training and sends out email reminders
(monthly in January and February and bi-weekly in March).  We always
have the stragglers that wait until the last minute.  Department
chairs are notified of those folks who have not completed the training
at 2 weeks before the March 31st deadline and they are usually dealt
with.  We rarely have accounts that get turned off at this point.

I'd be happy to answer any other questions you might have about our
process.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Matthew Giannetto
*Sent:* Sunday, February 28, 2010 11:02 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Enforcement of Security Training for Faculty/Staff

Folks,

 We're currently planning IT Security Training & Awareness at our
college, and are struggling with some of the same challenges I'm sure
most of you have faced.  We're currently debating if we can require IT
Security Training for faculty, and if so, how do we enforce it.

 I've gone through much of the previous discussion regarding
training and awareness and how to gain faculty acceptance.  In
general, it seems that the majority of institutions can't convince
upper management to buy-in to a mandate (primarily due to culture or
contractual limitations), and thus are left to find creative ways to
design and market their training to encourage participation.

 But, much of the earlier conversation doesn't address how
institutions that require IT security training enforce the
requirement?  Do you turn off network accounts if they don't complete
training by a certain date?  Do you make a note in their personnel
file?  Do you just keep pestering them until they do it?

 Any feedback you may have is greatly appreciated.

Thanks,

*Matt Giannetto*

Manager of IT Security

Montgomery County Community College

mgiannetto () mc3 edu | (215) 619-7442

Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.
