Re: DHS Announces the Release of New Training Course: Workplace Security Awareness

[Greg Schaffer <newtnoise () GMAIL COM>]

A side issue that this thread has exposed is the tendendancy to enter into
FUD.  One of the hardest aspects I have as a security professional is
overcoming the "big bad ogre" security image of always saying no no no.

I took the test, I did a risk assessment on myself and opted to finish the
test.  I felt the risk was minimal (federal site, verified, and a federal
ID) and not worth the hassle of getting another ID which I'd have to
remember whenever I took another type exam.  That would hinder my
accessibility to the information.  Remember, accessibility is also a part of
information security...

I can appreciate the irony of asking for an SSN...I really can.  And I do
see a potential issue if not addressed up front with the user, by, in some
way explaining who is asking for the SSN and why.  We do not want to
encourage users to blindly enter in PII.  But that doesn't mean that always
being asked for an SSN is bad, and don't we have a responsibility to educate
our users about those times as well?  Explain that this is a federal site
asking for what amounts to a federal ID (that is reality) and therefore you
give the users the TOOLS to decide themselves.  Seriously, we as security
professionals need to turn down the "sky is falling" rhetoric and focus on
how security integrates with business processes.  Unfortunately, I see in
this thread less of that and more of the same old "thou MUST NOT do thy
silly stuff because it is bad, bad, bad."

Greg

On Tue, Apr 26, 2011 at 3:34 PM, McClenon, Braden <mcclenbw () oneonta edu>wrote:

>  So we should come up with a different universal ID that in the end will
> have the same security implication as SSN, sans exposure of your SS
> information and benefits?  Or is the idea for the government to pepper us
> with different identifiers until no one can keep them straight and we carry
> them around in our wallets or tape them to our monitors.
>
>
>
> I guess I agree with Walter too, and would need to hear what the better
> solution is.
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Dr. Wole Akpose
> *Sent:* Tuesday, April 26, 2011 12:31 PM
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] DHS Announces the Release of New Training
> Course: Workplace Security Awareness
>
>
>
> To Brady:
>
> " That’s the sole purpose for issuing you one."
> Actually, no It is NOT.  The SSN is not intended as an Identifier for any
> purpose beyond Social Security (and thus Taxes). True it has been misused by
> various entities over the years, but most identity theft targeting
> legislations, regulations and policies all address the need to limit its use
> beyond its intended purposed.
>
> "I’m lost on what the issue is here. "
>
> The issue here is the message being sent, albeit inadvertently, by the DHS.
> Requesting for people's SSN for an awareness course offered by DHS is a
> signal to others, including all sorts of vendors, that SSN is Kosher as a
> Unique ID. This is a lapse in judgement and expose a flaw in the thinking or
> execution by those responsible for keeping us safe. If the educator can miss
> a key component in the curriculum!
>
> A careful review of the courses, not just for content, would have revealed
> the contradiction here. We write policies and guidances  advising people to
> not use  SSN for frivolous purposes. Yet we request it for, perhaps, the
> most frivolous of them all.
>
> If the DHS does require a unique identifier, there are several alternatives
> that are both convenient and secure.
>
> So yes, I do agree with Walter (Petruska) that we should try to help the
> DHS, if we believe they bungled this well intentioned program. But we should
> not loose sight of the implications of this lapse as we gear up for the
> National Cyber Security Awareness Month in October. Security takes
> vigilance!
>
> W. Akpose
>
> --
> *Visit http://msusac.morgan.edu for up to date discussions on Cyber
> Security*
> Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
> Planning & Information Technology
> Morgan State University
> 1700 E. Cold Spring Lane
> Baltimore, MD 21251.
> p. 443.885.1850 / 443.885.3372
> f. 443.885.8304 /443.885.8211
>
> On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden <mcclenbw () oneonta edu>
> wrote:
>
> I’m lost on what the issue is here.  Is it the federal government asking
> for your SSN# to identify you?  That’s the sole purpose for issuing you
> one.
>
>
>
> Am I the only one that files my taxes electronically?
>
>
>
> Brady McClenon
>
> Senior Server Administrator
>
> SUNY Oneonta
>
> 607-436-3203
>
>
>
> "My pontifications are much too deep to fit inside a fortune cookie." -
> Confucius' brother
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Jones, Dan
> *Sent:* Friday, April 22, 2011 5:22 PM
>
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
>
> *Subject:* Re: [SECURITY] DHS Announces the Release of New Training
> Course: Workplace Security Awareness
>
>
>
> The only thing better would be to also require users to accept a
> self-signed certificate.
>
> Dan Jones
>
> ----- Reply message -----
> From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
> Date: Fri, Apr 22, 2011 14:49
> Subject: [SECURITY] DHS Announces the Release of New Training Course:
> Workplace Security Awareness
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
>
> If only we were at a point where we knew an email like this would have to
> be a joke.
>
> Unreal, just unreal.  Maybe this is their way to push for a federal
> identifier, you know- a group of characters that will uniquely identify each
> .... Oh wait a minute - never mind.
>
> :-)
>
>
>
> Have a great weekend everyone.
>
>
>
> Kevin L. McLaughlin
>
> AVP, Information Security & Special Projects
>
> University of Cincinnati
>
>
>
>
> On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:
>
>  oh the irony .......
>
> On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu>
> wrote:
>
> Hi All,
>
> I took the test and they require your social security number.
>
> "Please note that you will be required to enter your Social Security number
> at the completion of this exam. This website and the testing system meet
> federal guidelines for protecting Personally Identifiable Information.
> However, if you do not wish to submit your Social Security number, you will
> need to request an alternative ID number from the Independent Study program.
> For directions on how to request an alternative ID number, please see our
> Frequently Asked Questions:"
>
> Does this concern anyone besides me?
>
> Thanks
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie Vogel
> Sent: Friday, April 22, 2011 12:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] DHS Announces the Release of New Training Course:
> Workplace Security Awareness
>
> A new (no-cost) training course on Workplace Security Awareness is now
> available from DHS: http://training.fema.gov/EMIWeb/IS/IS906.asp. More
> details are provided below.
>
> Thank you,
> Valerie
> _______________
>
> Valerie M. Vogel
> Program Manager, EDUCAUSE
> office: (202) 331-5374
> e-mail: vvogel () educause edu
>
> ------------------------
>
> Sent on behalf of the Department of Homeland Security Office of
> Infrastructure Protection
>
> DHS Announces the Release of New Training Course Workplace Security
> Awareness No-Cost Critical Infrastructure Workplace Security Training
>
> The Department of Homeland Security announces the availability of IS-906,
> Workplace Security Awareness, a no-cost training course developed by the
> Office of Infrastructure Protection Sector-Specific Agency Executive
> Management Office.
>
> Access IS-906 on the Federal Emergency Management Agency Emergency
> Management Institute Web site:
> http://training.fema.gov/EMIWeb/IS/IS906.asp
>
> The online training provides guidance to individuals and organizations on
> how to improve security in the workplace.  The course is self-paced and
> takes about an hour to complete. This comprehensive cross-sector training is
> appropriate for a broad audience regardless of knowledge and skill level.
> The course promotes workplace security practices applicable across all 18
> critical infrastructure sectors.   The training uses innovative multimedia
> scenarios and modules to illustrate potential security threats.  Threat
> scenarios include:
>
> * Access & Security Control
> * Criminal & Suspicious Activities
> * Workplace Violence
> * Cyber Threats
>
> The course also features interactive knowledge reviews, employee tools, and
> additional resources.
>
> Upon completion of Workplace Security Awareness, employees will be able to:
> * Identify potential risks to workplace security
> * Describe measures for improving workplace security
> * Determine the actions to take in response to a security situation
>
> A certificate is given to participants who complete the entire course.
>
> For more information about Office of Infrastructure Protection training
> courses, contact: IP_Education () hq dhs gov
>
> For more information on the DHS Office of Infrastructure Protection:
> www.dhs.gov/criticalinfrastructure