Educause Security Discussion mailing list archives
Security awareness training survey - results
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 9 Mar 2012 09:28:23 -0500
On February 21, I posted a survey about information security awareness training to the list. I received information back from a total of 30 schools (29 in the United States, 1 in Canada). The results are summarized below:

  Pct  Count  Question

              1. Does your school offer security awareness training to administrative staff?
  30%     9   a. Yes, mandatory only for employees who handle sensitive information (PII, PCI, HIPAA, etc.)
* 33%    10   b. Yes, mandatory for all employees
  27%     8   c. Yes, optional for all employees
  10%     3   d. No

              2. Is your security awareness training provided to newly-hired administrative staff?
* 50%    15   a. Yes, it is a mandatory part of orientation or "first 90 days"
  27%     8   b. Yes, it is an optional part of orientation or "first 90 days"
  23%     7   c. No security awareness training provided to new hires

              3. Is your security awareness provided to existing administrative staff?
  33%    10   a. Yes, training must be completed at least once a year
   3%     1   b. Yes, training must be completed less than once a year (e.g., every two years)
* 43%    13   c. Yes, training is available but completion is optional
  20%     6   d. No recurring security awareness training

              4. Do you provide security awareness training for administrative staff as:
* 40%    12   a. A single course with the same content for all employees
   3%     1   b. A single course for each employee, but different jobs get different courses
  30%     9   c. Multiple courses - a "basic" course for all employees, and special courses for some jobs
  27%     8   d. Other

              5. Does your security awareness training for administrative staff cover FERPA?
  20%     6   a. The security awareness course provides complete coverage of FERPA
* 53%    16   b. The security awareness course provides a FERPA overview only
  27%     8   c. The security awareness course does not cover FERPA

              6. Does your school offer security awareness training to faculty?
  20%     6   a. Yes, mandatory for all full-time and part-time faculty
   3%     1   b. Yes, mandatory for full-time faculty only
* 50%    15   c. Yes, optional for all faculty members
  17%     5   d. No
  10%     3   e. Yes, mandatory for faculty with access to sensitive information (this choice was not in the survey)

              7. What is the source of your security awareness training material?
  33%    10   a. SANS Securing the Human training
   7%     2   b. EDUCAUSE training resources (as-is or customized)
   7%     2   c. Commercial training
* 77%    23   d. Internally developed

Note: for this question, multiple answers were allowed, so totals are more than 30 and more than 100%.

Some selected comments/information:

- Our class for employees is about an hour to an hour and a half depending on questions. For faculty we go to their already scheduled department meetings and do a ½ hour version. It’s the only way to get them.

- Security committee is "on board" for making training mandatory, but they have not done so yet.

- The Information Security Office (ISO) offers face-to-face presentation on Security recommended best practices for staff at various departments. Each semester we target 3-4 departments and present to all staff including administrative staff, faculty and PhD students. Additionally, we provide staff with online content covering “basic” security recommended best practices, with sub-sections to staff members working with health records, finance and research. The online training content was developed to cover our security training requirements and a selection of SANS Securing the Human material. It is up to departments such as Human Resources, Students Health, Payroll and Finance to mandate security training for their staff.

A big thank-you to the schools that provided information:

Brown University, Carnegie Mellon University, City University of New York, College of the Holy Cross, Columbia University, Dartmouth College, Fordham University, Harvard University, Hofstra University, Lansing Community College, New Mexico State University, New York University, Pima Community College, Princeton University, Purdue University, Rhode Island School of Design, Rochester Institute of Technology, Samford University, St. Mary's College of California, Thompson Rivers University, University of Alaska, University of Kansas Medical Center, University of Pennsylvania, University of Rochester, University of Virginia, Utah State University, Warner Pacific College, Weber State University, Williams College, Yale University

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu