Educause Security Discussion mailing list archives

Re: Awareness training and sanctions


From: Sherry Callahan <scallahan () KUMC EDU>
Date: Tue, 28 Jun 2011 14:19:33 -0500

As of 2010, State of Kansas security policy now requires mandatory annual training for anyone that has access to a 
state agency network.  We've been requiring it of faculty and staff for over 6 years now, but this will be the first 
year that we require students to complete the online training.  The individual schools are tracking and remediating 
student progress, but everyone else is tracked through our Office of Compliance.  Anyone who does not complete the 
training during the compliance "window" (July 1 through September 30) has their network and email access shut off. They 
must then work with HR and Compliance to get the training completed before their access is turned back on.
 
Regarding phished accounts:  we recently got approval to require owners of compromised accounts to complete a separate 
training class on email security.  We're currently working on putting that training together and, while it is online 
training, the person will need to complete it while physically in the Information Security office.  (I suppose making 
them come to our office is another kind of penalty!)  Once they have completed it successfully, we will walk them 
through changing their password and then re-enable their access.  We've been successful thus far in that we have not 
had repeat offenders and the number of compromised accounts has come down significantly.  
 
Thanks for bringing up this topic, as I'm interested in what everyone else is doing as well.
 
Sherry Callahan
Information Security Officer
University of Kansas Medical Center
3901 Rainbow Blvd, MSC3024
5014 Eleanor Taylor Bldg.
Kansas City, KS  66160
(913) 588-0966
http://www2.kumc.edu/security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Seitz
Sent: Tuesday, June 28, 2011 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Awareness training and sanctions
I am researching how other institutes of higher learning approach security awareness training and what sanctions for 
bad behavior are available, like giving up credentials to phishers more than once. We've put together some online 
training and I'm trying to convince the powers that be to make it mandatory with sanctions for bad online behavior 
after having acknowledged that they received and understood the training. The trouble is figuring out what other 
institutions, especially public ones, do for training and sanctions. So how do y'all handle it? 
Thanks,
Charlie

Charles A. Seitz
Senior Security Analyst
University of Tennessee Information Security Office
Martin Campus
cseitz () tennessee edu
(731) 881-7966
Mobile (615) 948-3641