Educause Security Discussion mailing list archives

Security awareness training survey - results


From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Fri, 9 Mar 2012 09:28:23 -0500

On February 21, I posted a survey about information security awareness
training to the list. I received information back from a total of 30
schools (29 in the United States, 1 in Canada). The results are summarized
below:

  Pct  Count   Question
               1. Does your school offer security awareness training to administrative staff?
  30%    9        a. Yes, mandatory only for employees who handle sensitive information (PII, PCI, HIPAA, etc.)
* 33%   10        b. Yes, mandatory for all employees
  27%    8        c. Yes, optional for all employees
  10%    3        d. No

               2. Is your security awareness training provided to newly-hired administrative staff?
* 50%   15        a. Yes, it is a mandatory part of orientation or "first 90 days"
  27%    8        b. Yes, it is an optional part of orientation or "first 90 days"
  23%    7        c. No security awareness training provided to new hires

               3. Is your security awareness training provided to existing administrative staff?
  33%   10        a. Yes, training must be completed at least once a year
   3%    1        b. Yes, training must be completed less than once a year (e.g., every two years)
* 43%   13        c. Yes, training is available but completion is optional
  20%    6        d. No recurring security awareness training

               4. Do you provide security awareness training for administrative staff as:
* 40%   12        a. A single course with the same content for all employees
   3%    1        b. A single course for each employee, but different jobs get different courses
  30%    9        c. Multiple courses - a "basic" course for all employees, and special courses for some jobs
  27%    8        d. Other

               5. Does your security awareness training for administrative staff cover FERPA?
  20%    6        a. The security awareness course provides complete coverage of FERPA
* 53%   16        b. The security awareness course provides a FERPA overview only
  27%    8        c. The security awareness course does not cover FERPA

               6. Does your school offer security awareness training to faculty?
  20%    6        a. Yes, mandatory for all full-time and part-time faculty
   3%    1        b. Yes, mandatory for full-time faculty only
* 50%   15        c. Yes, optional for all faculty members
  17%    5        d. No
  10%    3        e. Yes, mandatory for faculty with access to sensitive information (this choice was not in the survey)

               7. What is the source of your security awareness training material?
  33%   10        a. SANS Securing the Human training
   7%    2        b. EDUCAUSE training resources (as-is or customized)
   7%    2        c. Commercial training
* 77%   23        d. Internally developed
                  Note: for this question, multiple answers were allowed, so totals are more than 30 and more than 100%

Some selected comments/information:

- Our class for employees is about an hour to an hour and a half depending
on questions.  For faculty we go to their already scheduled department
meetings and do a ½ hour version.  It’s the only way to get them.

- Security committee is "on board" for making training mandatory, but they
have not done so yet.

- The Information Security Office (ISO) offers face-to-face presentations
on security recommended best practices for staff at various departments.
Each semester we target 3-4 departments and present to all staff including
administrative staff, faculty and PhD students. Additionally, we provide
staff with online content covering "basic" security recommended best
practices, with sub-sections for staff members working with health records,
finance and research. The online training content was developed to cover
our security training requirements and a selection of SANS Securing the
Human material. It is up to departments such as Human Resources, Student
Health, Payroll and Finance to mandate security training for their staff.

A big thank-you to the schools that provided information:

Brown University, Carnegie Mellon University, City University of New York,
College of the Holy Cross, Columbia University, Dartmouth College, Fordham
University, Harvard University, Hofstra University, Lansing Community
College, New Mexico State University, New York University, Pima Community
College, Princeton University, Purdue University, Rhode Island School of
Design, Rochester Institute of Technology, Samford University, St. Mary's
College of California, Thompson Rivers University, University of Alaska,
University of Kansas Medical Center, University of Pennsylvania, University
of Rochester, University of Virginia, Utah State University, Warner Pacific
College, Weber State University, Williams College, Yale University


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu