Educause Security Discussion mailing list archives

Re: Enforcement of Security Training for Faculty/Staff


From: Kimberly Heimbrock <heimbrockk () NKU EDU>
Date: Thu, 11 Mar 2010 14:51:39 -0500

We too are currently developing an Awareness campaign for Faculty, Staff
(and eventually students).  The current plan is to have bi-monthly
non-mandatory quizzes, then an annual (October) mandatory quiz to be
kept on file.  The non-mandatory quizzes will be easy, fun, hopefully
engaging with activities like crosswords, and other 'fun' items to get
people involved throughout the year.  The annual quiz will be a
culmination of the previous quiz questions, perhaps not quite as easy,
but hopefully just as 'fun'.

As for enforcement by disabling AD accounts, I don't see that happening
just yet.  But something would need to enforce it or it would be
worthless.  Staff wouldn't be a challenge, but faculty may resist.  Our
Faculty Senate carries a lot of power (surprise, surprise), so the
president of that organization would have to support it.

Plans are being developed, and are only in theory at the present time,
but we will be piloting our first quiz (via Blackboard) within the next
few weeks.  Any ideas are welcome!

Finally - how about Policy - is that an IT policy or an HR policy?
Anyone have good content on a sample and who 'owns' the policy?  Also -
do student employees take the same quiz?

...and, we are trying to think of marketing slogans and 'branding' ideas
so it is recognized across campus.

Thanks to all!!

Kim Heimbrock
Director, Information Technology
Policy and Compliance
Northern Kentucky University
(859)572-5139
heimbrockk () nku edu

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Werby
Sent: Thursday, March 11, 2010 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Enforcement of Security Training for
Faculty/Staff

About 40% of our full-time employees use one of our enterprise financial
systems and the system owner requires all users to complete annual
security awareness training.  Failure to do so results in removal of
their access.  Some even explicitly ask that their access be revoked so
they don't have to complete it, though for that subset access apparently
isn't critical to their jobs.

Immediately prior to my current role, I was ISO at an organization in a
different industry, all 10,000 employees with AD accounts were required
to complete annual security awareness training and AD access was
disabled if they didn't complete it.  I made sure users and their unit
heads were aware of why they were required to complete it, that ample
time was given (3+ months), that unit heads let their employees know
they needed to complete it, that reminders were sent periodically, and
that unit heads had real-time access to completion reports for their
employees.  After accounts were disabled, if a unit head wanted access
re-enabled we'd require a formal request to re-enable the account for 5
days to allow the training to be completed.  On the rare occasion the
employee still didn't complete it, subsequent requests had to come from
a higher level in the organization.  And we had one unit head who told
his employees that they had to complete it by the first deadline because
he would not make any requests to have accounts re-enabled.  He always
had 100% compliance.  ;-)  Of course, this wasn't higher ed.

I've been thinking for some time about incorporating incentives into
mandatory and optional security awareness training.  A stick has its
purpose, but so does a carrot.  I suspect many of us have users who view
information security as something with little perceived personal benefit
to them.  The approach I've taken when speaking with individuals and
departments has been to educate them about the potential direct impact
to them when possible, particularly from a personal standpoint outside
of the workplace, in hopes that the message will get through and it will
impact behavior in both their personal and professional/university
lives.  I don't have ideas for carrots yet, but I'll share the best
practices document since it's an example of educational material
targeting my user base that is equally as applicable from a personal
standpoint as it is from a university standpoint.
http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf

-- 
Steve Werby 
Information Security Officer 
Virginia Commonwealth University 
VCU Information Security - http://infosecurity.vcu.edu/ 
News, Tips & More - http://www.twitter.com/vcuinfosec 
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf 


On 3/1/2010 6:18 PM, Sherry Callahan wrote:

We've had mandatory annual awareness training for our faculty and staff
for over 5 years now.  New faculty/staff are required to complete the
online training within 30 days after their start date and then on an
annual basis within a set time frame (January through March) every year.
We disable network and email access for anyone that doesn't meet those
requirements.

HIPAA was a big driver for us, as it requires awareness training, as were
other regulatory requirements and the establishment of a policy at the
state level that requires all individuals with network access to receive
training on an annual basis.  The latter has pushed us to extend the
training requirement to students, which we will be doing for the first
time in July.  The consequence for students who do not complete the
training within the July to September time period will be the same as
for employees - their network/email access will be cut off.  We have
buy-in from all of our Schools on this plan.  Those students who are
also employees will not need to complete the training once - if they've
taken it in January as part of the employee training cycle, then they
won't need to do it again in July.

At the beginning, there was push back from some of the faculty and
researchers but now it has become routine.  Our Office of Compliance
tracks who has completed the training and sends out email reminders
(monthly in January and February and bi-weekly in March).  We always
have the stragglers that wait until the last minute.  Department chairs
are notified of those folks who have not completed the training at 2
weeks before the March 31st deadline and they are usually dealt with. We
rarely have accounts that get turned off at this point.

I'd be happy to answer any other questions you might have about our
process.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Giannetto
Sent: Sunday, February 28, 2010 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enforcement of Security Training for Faculty/Staff

Folks,

We're currently planning IT Security Training & Awareness at our
college, and are struggling with some of the same challenges I'm sure
most of you have faced.  We're currently debating if we can require IT
Security Training for faculty, and if so, how do we enforce it.

I've gone through much of the previous discussion regarding training
and awareness and how to gain faculty acceptance.  In general, it seems
that the majority of institutions can't convince upper management to
buy in to a mandate (primarily due to culture or contractual
limitations), and thus are left to find creative ways to design and
market their training to encourage participation.

But, much of the earlier conversation doesn't address how institutions
that require IT security training enforce the requirement.  Do you turn
off network accounts if they don't complete training by a certain date?
Do you make a note in their personnel file?  Do you just keep pestering
them until they do it?

Any feedback you may have is greatly appreciated.

Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442

Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and Converge magazine.

