Educause Security Discussion mailing list archives
Re: Enforcement of Security Training for Faculty/Staff
From: Steve Werby <smwerby () VCU EDU>
Date: Thu, 11 Mar 2010 13:42:07 -0500
About 40% of our full-time employees use one of our enterprise financial systems, and the system owner requires all users to complete annual security awareness training. Failure to do so results in removal of their access. Some even explicitly ask that their access be revoked so they don't have to complete it, though for that subset access apparently isn't critical to their jobs.

Immediately prior to my current role, I was ISO at an organization in a different industry, where all 10,000 employees with AD accounts were required to complete annual security awareness training, and AD access was disabled if they didn't complete it. I made sure users and their unit heads were aware of why they were required to complete it, that ample time was given (3+ months), that unit heads let their employees know they needed to complete it, that reminders were sent periodically, and that unit heads had real-time access to completion reports for their employees. After accounts were disabled, if a unit head wanted access re-enabled we'd require a formal request to re-enable the account for 5 days to allow the training to be completed. On the rare occasion the employee still didn't complete it, subsequent requests had to come from a higher level in the organization. And we had one unit head who told his employees that they had to complete it by the first deadline because he would not make any requests to have accounts re-enabled. He always had 100% compliance. ;-) Of course, this wasn't higher ed.

I've been thinking for some time about incorporating incentives into mandatory and optional security awareness training. A stick has its purpose, but so does a carrot. I suspect many of us have users who view information security as something with little perceived personal benefit to them.
The approach I've taken when speaking with individuals and departments has been to educate them about the potential direct impact to them when possible, particularly from a personal standpoint outside of the workplace, in hopes that the message will get through and it will impact behavior in both their personal and professional/university lives. I don't have ideas for carrots yet, but I'll share the best practices document since it's an example of educational material targeting my user base that is equally as applicable from a personal standpoint as it is from a university standpoint.

http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf

On 3/1/2010 6:18 PM, Sherry Callahan wrote:
We've had mandatory annual awareness training for our faculty and staff for over 5 years now. New faculty\staff are required to complete the online training within 30 days after their start date and then on an annual basis within a set time frame (January through March) every year. We disable network and email access for anyone that doesn't meet those requirements.

HIPAA was a big driver for us, as it requires awareness training, as were other regulatory requirements and the establishment of a policy at the state level that requires all individuals with network access to receive training on an annual basis. The latter has pushed us to extend the training requirement to students, which we will be doing for the first time in July. The consequence for students who do not complete the training within the July to September time period will be the same as for employees - their network\email access will be cut off. We have buy-in from all of our Schools on this plan. Those students who are also employees will not need to complete the training once - if they've taken it in January as part of the employee training cycle, then they won't need to do it again in July.

At the beginning, there was push back from some of the faculty and researchers, but now it has become routine. Our Office of Compliance tracks who has completed the training and sends out email reminders (monthly in January and February and bi-weekly in March). We always have the stragglers that wait until the last minute. Department chairs are notified of those folks who have not completed the training 2 weeks before the March 31st deadline, and they are usually dealt with. We rarely have accounts that get turned off at this point.

I'd be happy to answer any other questions you might have about our process.
Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Giannetto
Sent: Sunday, February 28, 2010 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enforcement of Security Training for Faculty/Staff

Folks,

We're currently planning IT Security Training & Awareness at our college, and are struggling with some of the same challenges I'm sure most of you have faced. We're currently debating if we can require IT Security Training for faculty, and if so, how do we enforce it.

I've gone through much of the previous discussion regarding training and awareness and how to gain faculty acceptance. In general, it seems that the majority of institutions can't convince upper management to buy in to a mandate (primarily due to culture or contractual limitations), and thus are left to find creative ways to design and market their training to encourage participation. But much of the earlier conversation doesn't address how institutions that require IT security training enforce the requirement. Do you turn off network accounts if they don't complete training by a certain date? Do you make a note in their personnel file? Do you just keep pestering them until they do it?

Any feedback you may have is greatly appreciated.

Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

Montgomery County Community College is proud to be the #1 ranked technology-savvy community college in the nation, as determined by the Center for Digital Education and Converge magazine.