Educause Security Discussion mailing list archives

Re: DHS Announces the Release of New Training Course: Workplace Security Awareness


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 26 Apr 2011 16:42:35 -0400

Not using the government sponsored ID for financial items might be a start.

Kevin L. McLaughlin
AVP, Information Security & Special Projects
University of Cincinnati


On Apr 26, 2011, at 4:36 PM, "McClenon, Braden" <mcclenbw () ONEONTA EDU> wrote:

So we should come up with a different universal ID that in the end will have the same security implication as SSN, sans 
exposure of your SS information and benefits?  Or is the idea for the government to pepper us with different 
identifiers until no one can keep them straight and we carry them around in our wallets or tape them to our monitors.

I guess I agree with Walter too, and would need to hear what the better solution is.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dr. Wole Akpose
Sent: Tuesday, April 26, 2011 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

To Brady:

"That’s the sole purpose for issuing you one."
Actually, no. It is NOT.  The SSN is not intended as an Identifier for any purpose beyond Social Security (and thus 
Taxes). True, it has been misused by various entities over the years, but most identity theft targeting legislation, 
regulations and policies all address the need to limit its use beyond its intended purpose.

"I’m lost on what the issue is here. "

The issue here is the message being sent, albeit inadvertently, by the DHS. Requesting people's SSN for an 
awareness course offered by DHS is a signal to others, including all sorts of vendors, that SSN is Kosher as a Unique 
ID. This is a lapse in judgement and exposes a flaw in the thinking or execution by those responsible for keeping us 
safe. If the educator can miss a key component in the curriculum!

A careful review of the courses, not just for content, would have revealed the contradiction here. We write policies 
and guidance advising people to not use SSN for frivolous purposes. Yet we request it for, perhaps, the most 
frivolous of them all.

If the DHS does require a unique identifier, there are several alternatives that are both convenient and secure.

So yes, I do agree with Walter (Petruska) that we should try to help the DHS, if we believe they bungled this 
well-intentioned program. But we should not lose sight of the implications of this lapse as we gear up for the National 
Cyber Security Awareness Month in October. Security takes vigilance!

W. Akpose

--
Visit http://msusac.morgan.edu for up to date discussions on Cyber Security
Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
Planning & Information Technology
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251.
p. 443.885.1850 / 443.885.3372
f. 443.885.8304 / 443.885.8211

On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden <mcclenbw () oneonta edu> wrote:
I’m lost on what the issue is here.  Is it the federal government asking for your SSN# to identify you?  That’s the 
sole purpose for issuing you one.

Am I the only one that files my taxes electronically?

Brady McClenon
Senior Server Administrator
SUNY Oneonta
607-436-3203

"My pontifications are much too deep to fit inside a fortune cookie." - Confucius' brother




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Dan
Sent: Friday, April 22, 2011 5:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

The only thing better would be to also require users to accept a self-signed certificate.

Dan Jones
----- Reply message -----
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, Apr 22, 2011 14:49
Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>

If only we were at a point where we knew an email like this would have to be a joke.
Unreal, just unreal.  Maybe this is their way to push for a federal identifier, you know- a group of characters that 
will uniquely identify each .... Oh wait a minute - never mind.
:-)

Have a great weekend everyone.


Kevin L. McLaughlin
AVP, Information Security & Special Projects
University of Cincinnati


On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:
oh the irony .......

On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu> wrote:
Hi All,

I took the test and they require your social security number.

"Please note that you will be required to enter your Social Security number at the completion of this exam. This 
website and the testing system meet federal guidelines for protecting Personally Identifiable Information. However, if 
you do not wish to submit your Social Security number, you will need to request an alternative ID number from the 
Independent Study program. For directions on how to request an alternative ID number, please see our Frequently Asked 
Questions:"

Does this concern anyone besides me?

Thanks

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie Vogel
Sent: Friday, April 22, 2011 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

A new (no-cost) training course on Workplace Security Awareness is now available from DHS: 
http://training.fema.gov/EMIWeb/IS/IS906.asp. More details are provided below.

Thank you,
Valerie
_______________

Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
e-mail: vvogel () educause edu

------------------------

Sent on behalf of the Department of Homeland Security Office of Infrastructure Protection

DHS Announces the Release of New Training Course Workplace Security Awareness No-Cost Critical Infrastructure Workplace 
Security Training

The Department of Homeland Security announces the availability of IS-906, Workplace Security Awareness, a no-cost 
training course developed by the Office of Infrastructure Protection Sector-Specific Agency Executive Management Office.

Access IS-906 on the Federal Emergency Management Agency Emergency Management Institute Web site: 
http://training.fema.gov/EMIWeb/IS/IS906.asp

The online training provides guidance to individuals and organizations on how to improve security in the workplace. 
The course is self-paced and takes about an hour to complete. This comprehensive cross-sector training is appropriate 
for a broad audience regardless of knowledge and skill level. The course promotes workplace security practices 
applicable across all 18 critical infrastructure sectors. The training uses innovative multimedia scenarios and 
modules to illustrate potential security threats. Threat scenarios include:

* Access & Security Control
* Criminal & Suspicious Activities
* Workplace Violence
* Cyber Threats

The course also features interactive knowledge reviews, employee tools, and additional resources.

Upon completion of Workplace Security Awareness, employees will be able to:
* Identify potential risks to workplace security
* Describe measures for improving workplace security
* Determine the actions to take in response to a security situation

A certificate is given to participants who complete the entire course.

For more information about Office of Infrastructure Protection training courses, contact: IP_Education () hq dhs gov

For more information on the DHS Office of Infrastructure Protection: http://www.dhs.gov/criticalinfrastructure


