Re: Awareness training and sanctions

[Greg Schaffer <newtnoise () GMAIL COM>]

It appears to me that there are two issues here that are mixed together.
Sanctions as originally asked are not in regard to not complying with
training but for bad behavior.  That isn't directly enforced via training
but rather by policy.  The training that is created must be in line with
whatever the policy states.  That is the enforcement chain.

Regarding policy creation, ISO 27001/27002 offers a rather complete taxonomy
and controls and NIST 800-53 has additional controls and implementation
guidance.  A good roadmap for creating an effective information security
awareness/training strategy/program is NIST 800-50, with specific tactical
guidance in NIST 800-16.  Good stuff, and it's free...

Greg


On Tue, Jun 28, 2011 at 2:19 PM, Sherry Callahan <scallahan () kumc edu> wrote:

>  As of 2010, State of Kansas security policy now requires mandatory annual
> training for anyone that has access to a state agency network.  We've been
> requiring it of faculty and staff for over 6 years now, but this will be the
> first year that we require students to complete the online training.  The
> individual schools are tracking and remediating student progress, but
> everyone else is tracked through our Office of Compliance.  Anyone who does
> not complete the training during the compliance "window" (July 1 through
> September 30) has their network and email access shut off. They must then
> work with HR and Compliance to get the training completed before their
> access is turned back on.
>
> Regarding phished accounts:  we recently got approval to require owners of
> compromised accounts to complete a separate training class on email
> security.  We're currently working on putting that training together and,
> while it is online training, the person will need to complete it while
> physically in the Information Security office.  (I suppose making them come
> to our office is another kind of penalty!)  Once they have completed it
> successfully, we will walk them through changing their password and then
> re-enable their access.  We've been successful thus far in that we have not
> had repeat offenders and the number of compromised accounts has come down
> significantly.
>
> Thanks for bringing up this topic, as I'm interesting in what everyone else
> is doing as well.
>
> *Sherry Callahan*
> Information Security Officer
> University of Kansas Medical Center
> 3901 Rainbow Blvd, MSC3024
> 5014 Eleanor Taylor Bldg.
> Kansas City, KS  66160
> (913) 588-0966
> http://www2.kumc.edu/security
>
> ****
> ** **
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Charles Seitz
> *Sent:* Tuesday, June 28, 2011 11:37 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Awareness training and sanctions****
>
> ** **
>
> I am researching how other institutes of higher learning approach security
> awareness training and what sanctions for bad behavior are available, like
> giving up credentials to phishers more than once. We've put together some
> online training and I'm trying to convince the powers that be to make it
> mandatory with sanctions for bad online behavior after having acknowledged
> that they received and understood the training. The trouble is figuring out
> what other institutions, especially public ones, do for training and
> sanctions. So how do y'all handle it? ****
>
> ** **
>
> Thanks,****
>
> ** **
>
> Charlie****
>  ------------------------------
>
> Charles A. Seitz
> Senior Security Analyst
> *University of Tennessee Information Security Office
> Martin Campus
> *cseitz () tennessee edu
> (731) 881-7966
> Mobile (615) 948-3641****