Educause Security Discussion mailing list archives
Re: Awareness training and sanctions
From: Greg Schaffer <newtnoise () GMAIL COM>
Date: Tue, 28 Jun 2011 16:17:58 -0500
It appears to me that there are two issues here that are mixed together. Sanctions as originally asked are not in regard to not complying with training but for bad behavior. That isn't directly enforced via training but rather by policy. The training that is created must be in line with whatever the policy states. That is the enforcement chain.

Regarding policy creation, ISO 27001/27002 offers a rather complete taxonomy and controls and NIST 800-53 has additional controls and implementation guidance. A good roadmap for creating an effective information security awareness/training strategy/program is NIST 800-50, with specific tactical guidance in NIST 800-16. Good stuff, and it's free...

Greg

On Tue, Jun 28, 2011 at 2:19 PM, Sherry Callahan <scallahan () kumc edu> wrote:
As of 2010, State of Kansas security policy now requires mandatory annual training for anyone that has access to a state agency network. We've been requiring it of faculty and staff for over 6 years now, but this will be the first year that we require students to complete the online training. The individual schools are tracking and remediating student progress, but everyone else is tracked through our Office of Compliance. Anyone who does not complete the training during the compliance "window" (July 1 through September 30) has their network and email access shut off. They must then work with HR and Compliance to get the training completed before their access is turned back on.

Regarding phished accounts: we recently got approval to require owners of compromised accounts to complete a separate training class on email security. We're currently working on putting that training together and, while it is online training, the person will need to complete it while physically in the Information Security office. (I suppose making them come to our office is another kind of penalty!) Once they have completed it successfully, we will walk them through changing their password and then re-enable their access. We've been successful thus far in that we have not had repeat offenders and the number of compromised accounts has come down significantly.

Thanks for bringing up this topic, as I'm interested in what everyone else is doing as well.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
3901 Rainbow Blvd, MSC3024
5014 Eleanor Taylor Bldg.
Kansas City, KS 66160
(913) 588-0966
http://www2.kumc.edu/security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Seitz
Sent: Tuesday, June 28, 2011 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Awareness training and sanctions

I am researching how other institutes of higher learning approach security awareness training and what sanctions for bad behavior are available, like giving up credentials to phishers more than once. We've put together some online training and I'm trying to convince the powers that be to make it mandatory with sanctions for bad online behavior after having acknowledged that they received and understood the training. The trouble is figuring out what other institutions, especially public ones, do for training and sanctions. So how do y'all handle it?

Thanks,

Charlie

------------------------------
Charles A. Seitz
Senior Security Analyst
University of Tennessee Information Security Office
Martin Campus
cseitz () tennessee edu
(731) 881-7966
Mobile (615) 948-3641