Educause Security Discussion mailing list archives

Re: Who are you training


From: "Hagan, Sean" <sean.hagan () YC EDU>
Date: Tue, 6 Mar 2018 17:22:18 +0000

All of our employees are expected to complete an annual "Information Security Awareness" training that is, as the title 
perhaps implies, broad in scope.

We classify employees based on their access to sensitive data.  Those that have access to sensitive or higher 
classifications of data (per our Information Security Data Classification standard) are required to complete an annual 
"Protecting Information" training/review that addresses GLBA, FERPA, HIPAA, PCI, and relevant state statutes.  They 
must certify annually their understanding of responsibilities associated with access to this data.  All of this is 
automated using a policy acceptance front-end we wrote for our website/web portal.  I should also qualify that we 
conduct a separate "Red Flag" training for a much smaller subset of individuals that routinely handle financial 
transactions and related data.  That is managed entirely within our Business Office, and IIRC only applies to employees 
within that area.

Some of this is a new process for us, but I believe it will satisfy GLBA and FERPA (really both FSA) guidelines and be 
sufficient for our annual compliance audits.

To put some numbers on this:
We have approximately 1400 total employees.  15% (~200) would be considered to have access to Sensitive or Restricted 
data per our classification standard.  About 15 of those same individuals receive the separate "Red Flag" training.



~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 - direct
https://www.yc.edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathan 
A. Stuart
Sent: Tuesday, March 6, 2018 8:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Who are you training

For security training for things like GLBA compliance, who are you training?  Do all employees get it? If so, how do 
you define all?  If not, how do you determine who doesn't need it?

Nathan Stuart
Associate Director of Information Technology
612.343.4754 | northcentral.edu
910 Elliot Ave., Mpls, MN 55404

