Re: Mandatory IT Security training

[John Chapman <John.Chapman () JISC AC UK>]

It’s a different country, but you may be interested in the latest survey findings from the UK that shows that 57% UK 
universities have mandatory security awareness training for their staff and 29% have optional training available. See 
slide 35 for details:

 

https://community.jisc.ac.uk/groups/security-products-and-services/article/cyber-security-posture-survey-2018-how-secure-are-you
 

 

John

 

–

Dr John Chapman

Head of security operations centre

M 07468 727058

Twitter  <http://twitter.com/chapman_john> http://twitter.com/chapman_john

Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

 

jisc.ac.uk 

 

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under 
Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. 
T 0203 697 5800.

 

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in 
England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, 
Bristol BS2 0JA. T 0203 697 5800. 

 

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Valerie Vogel
Sent: 24 July 2018 16:51
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory IT Security training

 

Hi Brent, 

 

The 2016 CDS Spotlight: Information Security has some information on the second page about institutions with infosec 
training and whether it’s mandatory for faculty/staff or students. 
https://library.educause.edu/resources/2016/8/cds-spotlight-information-security 

 

The 2018 CDS <https://www.educause.edu/cds>  survey recently launched, so we will have new infosec module data 
available for comparison in early 2019. 

 

Thank you,

Valerie

 

Valerie Vogel 

Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good

direct: 202.331.5374 | twitter: @HEISCouncil |  <mailto:vvogel () educause edu> vvogel () educause edu 

 

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > on 
behalf of WALTER KERNER <walter_kerner () FITNYC EDU <mailto:walter_kerner () FITNYC EDU> >
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> >
Date: Tuesday, July 24, 2018 at 8:34 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> >
Subject: Re: [SECURITY] Mandatory IT Security training

 

Hi Brent.  We require some basic IT Sec training:  things like recognizing phishing, good password practices, and a 
general awareness module.  However, there isn’t much enforcement behind the requirement.

 

We also require more specific training for people who handle credit cards, per PCI requirements.

 

 

 

Walter Kerner

AVP and CISO



333 7th Avenue, 13th Floor

New York, NY 10001

Voice: 212-217-3415

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () 
LISTSERV EDUCAUSE EDU> ] On Behalf Of Haselhoff, Brent
Sent: Tuesday, July 24, 2018 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Mandatory IT Security training

 

Hi Everyone,

 

We are currently evaluating our mandatory IT security training policies and procedures.  Does your university require 
IT security training for all employees?  If so, what topics are covered?  Do you require this training in order to stay 
compliant with some sort of regulation, or are you doing it because it is best practice? Do you require this training 
annually or just upon hire?

Thanks

Brent 

 

 

Brent Haselhoff

Manager, IT Security and Identity Management

 <mailto:brent.haselhoff () wku edu> brent.haselhoff () wku edu

270-745-2012

Attachment: smime.p7s
Description: