Educause Security Discussion mailing list archives
Re: Who are you training
From: "Hagan, Sean" <sean.hagan () YC EDU>
Date: Tue, 6 Mar 2018 17:22:18 +0000
All of our employees are expected to complete an annual "Information Security Awareness" training that is, as the title perhaps implies, broad in scope.

We classify employees based on their access to sensitive data. Those that have access to sensitive or higher classifications of data (per our Information Security Data Classification standard) are required to complete an annual "Protecting Information" training/review that addresses GLBA, FERPA, HIPAA, PCI, and relevant state statutes. They must certify annually their understanding of responsibilities associated with access to this data. All of this is automated using a policy acceptance front-end we wrote for our website/web portal.

I should also qualify that we conduct a separate "Red Flag" training for a much smaller subset of individuals that routinely handle financial transactions and related data. That is managed entirely within our Business Office, and IIRC only applies to employees within that area.

Some of this is a new process for us, but I believe it will satisfy GLBA and FERPA (really both FSA) guidelines and be sufficient for our annual compliance audits.

To put some numbers on this: We have approximately 1400 total employees. 15% (~200) would be considered to have access to Sensitive or Restricted data per our classification standard. About 15 of those same individuals receive the separate "Red Flag" training.

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 - direct
https://www.yc.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathan A. Stuart
Sent: Tuesday, March 6, 2018 8:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Who are you training

For security training for things like GLBA compliance, who are you training? Do all employees get it? If so, how do you define all? If not, how do you determine who doesn't need it?

Nathan Stuart
Associate Director of Information Technology
612.343.4754 | northcentral.edu
910 Elliot Ave., Mpls, MN 55404