Educause Security Discussion mailing list archives
Re: Awareness training and sanctions
From: Sherry Callahan <scallahan () KUMC EDU>
Date: Tue, 28 Jun 2011 14:19:33 -0500
As of 2010, State of Kansas security policy now requires mandatory annual training for anyone that has access to a state agency network. We've been requiring it of faculty and staff for over 6 years now, but this will be the first year that we require students to complete the online training. The individual schools are tracking and remediating student progress, but everyone else is tracked through our Office of Compliance. Anyone who does not complete the training during the compliance "window" (July 1 through September 30) has their network and email access shut off. They must then work with HR and Compliance to get the training completed before their access is turned back on.

Regarding phished accounts: we recently got approval to require owners of compromised accounts to complete a separate training class on email security. We're currently working on putting that training together and, while it is online training, the person will need to complete it while physically in the Information Security office. (I suppose making them come to our office is another kind of penalty!) Once they have completed it successfully, we will walk them through changing their password and then re-enable their access. We've been successful thus far in that we have not had repeat offenders and the number of compromised accounts has come down significantly.

Thanks for bringing up this topic, as I'm interested in what everyone else is doing as well.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
3901 Rainbow Blvd, MSC3024
5014 Eleanor Taylor Bldg.
Kansas City, KS 66160
(913) 588-0966
http://www2.kumc.edu/security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Seitz
Sent: Tuesday, June 28, 2011 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Awareness training and sanctions

I am researching how other institutes of higher learning approach security awareness training and what sanctions for bad behavior are available, like giving up credentials to phishers more than once. We've put together some online training and I'm trying to convince the powers that be to make it mandatory with sanctions for bad online behavior after having acknowledged that they received and understood the training. The trouble is figuring out what other institutions, especially public ones, do for training and sanctions. So how do y'all handle it?

Thanks,
Charlie

Charles A. Seitz
Senior Security Analyst
University of Tennessee
Information Security Office
Martin Campus
cseitz () tennessee edu
(731) 881-7966
Mobile (615) 948-3641