Educause Security Discussion mailing list archives

Security awareness training


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Tue, 21 Feb 2012 11:25:37 -0500

Our information security steering committee is currently discussing the
topic of security awareness training, and a number of questions have come
up, with the inevitable "let's see what other schools are doing" response.
Some of this has come up on the list in the past, but not all in one place,
and unfortunately, although the Core Data Survey has some data about
training, it doesn't answer these questions. So... a little survey.

NOTE: For purposes of the questions below, "security awareness training"
means some kind of computer-based or in-person training course, typically
15-60 minutes in length, that covers basic computer and information
security topics such as passwords, email use, safe browsing, social
engineering, mobile devices, data classification, viruses and malware, and
so on.

1. Does your school offer security awareness training to administrative
staff?
   a. Yes, mandatory only for employees who handle sensitive information
(PII, PCI, HIPAA, etc.)
   b. Yes, mandatory for all employees
   c. Yes, optional for all employees
   b. No

2. Is your security awareness training provided to newly hired
administrative staff?
   a. Yes, it is a mandatory part of orientation or "first 90 days"
   b. Yes, it is an optional part of orientation or "first 90 days"
   c. No security awareness training provided to new hires

3. Is your security awareness training provided to existing administrative
staff?
   a. Yes, training must be completed at least once a year
   b. Yes, training must be completed less than once a year (e.g., every
two years)
   c. Yes, training is available but completion is optional
   d. No recurring security awareness training

4. Do you provide security awareness training for administrative staff as:
   a. A single course with the same content for all employees
   b. A single course for each employee, but different jobs get different
courses
   c. Multiple courses--a "basic" course for all employees, and special
courses for some jobs
   d. Other (please describe)

5. Does your security awareness training for administrative staff cover
FERPA?
   a. The security awareness course provides complete coverage of FERPA
   b. The security awareness course provides a FERPA overview only
   c. The security awareness course does not cover FERPA

6. Does your school offer security awareness training to faculty?
   a. Yes, mandatory for all full-time and part-time faculty
   b. Yes, mandatory for full-time faculty only
   c. Yes, optional for all faculty members
   b. No

7. What is the source of your security awareness training material?
   a. SANS Securing the Human training
   b. EDUCAUSE training resources (as-is or customized)
   c. Commercial training (please name vendor if you're willing)
   d. Internally developed (please share URLs if it's public)

To keep clutter on the list down, if you'll send your answers directly to
me (david.curry () newschool edu), I will collect the results and post a
summary back to the list in a couple of weeks.

Thanks,
--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu
