Educause Security Discussion mailing list archives

Re: Information Security Training


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Wed, 22 Aug 2018 16:15:49 +0000

A side note...quick reference that I assembled from a few sources....  Although I could not find a specific requirement 
for FERPA, it is mandatory for accreditation (this may affect what you are doing).  If somebody does know where that 
could be in the FERPA reg, please let me know (I could have missed it).

| Security Awareness Compliance Requirement | Standard/Regulation | Location/Item | Affecting | Penalty |
|---|---|---|---|---|
| General Data Protection Regulation (GDPR, European Union) | regulation | Function of Data Protection Officer | EU citizens and privacy | yes |
| Gramm-Leach Bliley Act (GLBA) | regulation | Safeguard Rule | Financial Aid | yes |
| Health Insurance Portability and Accountability Act (HIPAA) | regulation | 164.308.(a).(5) | Clinics | yes |
| International Organization for Standardization (ISO) 27000 Framework | standard | 8.2.2 | Whole university | no |
| National Institute of Standards and Technology 800-171 Framework | standard | PR.AT-1 | Whole university | no |
| Payment Card Industry Data Security Standard | standard | 12.6 | Those areas that process credit cards | yes |

One Source - https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf



Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael Muto
Sent: Wednesday, August 22, 2018 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security Training

Hello Will,

We are currently using the SANS Cybersecurity Awareness Platform to train our end users on security awareness.  The 
platform allows you to choose different modules to assign out to your users.  Feel free to contact me if you want to 
dig deeper into the SANS option.

Thanks,

Michael Muto
Senior Information Security Engineer
Duquesne University | Computing and Technology Services
600 Forbes Avenue, Pittsburgh, PA 15282
Phone: 412-396-4621 Email: mutom () duq edu
GSEC, MCSE, MCSA, MCTS, MCP, CCNA
Help Desk: 412-396-4357


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will
Sent: Wednesday, August 22, 2018 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Information Security Training

We are considering requiring some form of information security training for all of our faculty & staff (currently the 
only required training in this area is for users that touch PCI related systems) which I know was a topic discussed 
recently on here...but I was hoping to get some more information on what resources you all used for the training - 
SANS, internally created, other options, etc. We are willing to consider long form or short form trainings so any 
options are good options at this point.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware


