Educause Security Discussion mailing list archives

Re: New Employee Security Training


From: "Riemer, Stan" <Stan.Riemer () NTTDATA COM>
Date: Mon, 19 Jun 2017 14:16:32 +0000

Thomas,

Coming at this from a provider perspective, all new employees should be aware of the security policies and programs in 
place. Most organizations I work with have a new employee security LMS session which is based on the organization, 
laws, and regulations. It is mandatory for all new employees to pass an easy test after completing the training.  In 
reality this does little to secure the organization as the vast majority do not adhere to the policies that they just 
took a course on. It is obstructive in their view and is extra work.

The best way to secure the organization is to have pen tests, GRC gap assessments and remediate the findings. Policy 
must be driven from the top down and employees are the weakest link. Many organizations also do a phishing exercise 
where they can get data from the exercise and see how many employees are actually being compliant. Most are amazed at 
the lack of adherence to policy, and then real actionable change can take place when the information is revealed. We 
prefer never to single out employees, as they know who did what; but the fact that they know they are being non-compliant 
and that it is seen by IT is enough in many cases to begin the cultural change.

Hope this helps

Stan Riemer | Sr. Director,  Security Services
stan.riemer () nttdata com | c. +1.978.502.4885

NTT DATA Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Lovaas,Steven
Sent: Monday, June 19, 2017 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training


Our new employee orientations run a couple times a month, and more often early in the Fall semester. When our training 
department revamped the new orientation format, everyone else went to videos, but I insisted on retaining my live 
presence. I get 10-15 minutes, which I spend on the basics (these days, mainly talking about social engineering and 
general situational awareness). I feel that it's really valuable to have everyone see me face-to-face, so I can answer 
questions and give up-to-the-moment examples. Lots of people greet me on campus based on their memory of my talk, so I 
know they were at least awake...



Steve


===================
Steven Lovaas
Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707
===================

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ludwig, Linda <LUDWIGL () GRINNELL EDU>
Sent: Monday, June 19, 2017 6:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training


We finally got a small slice of the new employee orientation. I have just 15 minutes, so I do an icebreaker that goes 
over a lot of possible problems in a very short time. I pair them up and give them the photo of a desk, and they have to 
identify at least 12 infosec problems in the picture. I have attached the handout I give them with the solutions, which 
we go over as a group. It's a quick way to cover a lot of little things in a short period of time. Then I give them 
some local higher ed examples of data breaches and the cost of the breaches. The main focus of the 15 minutes is to 
protect the data and how to contact InfoSec about anything suspicious.



Linda

*********************************
Linda L. Ludwig
Information Security Awareness Specialist
ludwigl () grinnell edu





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Friday, June 16, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] New Employee Security Training



Does anyone do IT security training as part of on-boarding new employees? If so, what do you cover? Who does the 
training (IT, HR, or?)? When is the training done? How well does it seem to work for you? What would you do differently?



We would like to implement something like this, but are afraid of overwhelming a new employee during their HR 
orientation. Something done a week or two later may have a better chance of sticking with the end user, but requires 
much more time and organization on our part.



Thomas Carter
Network & Operations Manager / IT

Austin College
900 North Grand Avenue
Sherman, TX 75090

Phone: 903-813-2564
www.austincollege.edu


