Re: Mandatory IT Security training

[Ronald King <ronald.king () MORGAN EDU>]

Does your university require IT security training for all employees?  Yes

If so, what topics are covered?  95% General security awareness using
content we pay for. 5% MSU specific content like the AUP.

Do you require this training in order to stay compliant with some sort of
regulation, or are you doing it because it is best practice? State
requirement and best practice.

Do you require this training annually or just upon hire? State requires
training for new employees, but, we plan to make it mandatory annually.

Ron


*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Tue, Jul 24, 2018 at 5:48 PM, Barton, Robert W. <bartonrt () lewisu edu>
wrote:

> A little off course, but related.  Does FERPA *require* training (I’m
> getting a little static from those who don’t want to do it)?  I can’t seem
> to find where (if) the act specifically requires training.  It talks about
> using best practices, and required for enforcement procedures, but I can’t
> seem to find “do this…”.  If anybody knows where (if) that is, let me know.
>
>
>
> *From web site -
> https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33
> <https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33>*
>
> *§99.62   What information must an educational agency or institution or
> other recipient of Department funds submit to the Office?*
>
> The Office may require an educational agency or institution, other
> recipient of Department funds under any program administered by the
> Secretary to which personally identifiable information from education
> records is non-consensually disclosed, or any third party outside of an
> educational agency or institution to which personally identifiable
> information from education records is non-consensually disclosed to submit
> reports, information on policies and procedures, annual notifications,
> training materials, or other information necessary to carry out the
> Office's enforcement responsibilities under the Act or this part.
>
> (Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))
>
>
>
> Robert W. Barton
>
> Director of Information Security
>
> Lewis University
>
> One University Parkway
>
> Romeoville, IL  60446-2200
>
> 815-836-5663
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Gomez, Joshua
> *Sent:* Tuesday, July 24, 2018 10:49 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Mandatory IT Security training
>
>
>
> Hi Brent,
>
>
>
> We recently just passed this into policy. To create urgency and buy-in, we
> related the policy to Gramm-Leech Bliley Act (GLBA), GDPR, and the Red Flag
> Rule. As a Financial Aid institution, we have to comply with GLBA.  I would
> also research state privacy laws specifically where your institution is
> headquartered and/or where your students are taking courses from (if you
> are online).
>
>
>
> I used these resources from SANS that calls out training requirements for
> compliances - https://www.sans.org/sites/default/files/2017-12/sans-
> compliance-requirements.pdf
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.sans.org_sites_default_files_2017-2D12_sans-2Dcompliance-2Drequirements.pdf&d=DwMFAw&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=O_4SlbNnznaa0raH2oWpx6ZeTTHOVZeZWYrUAYUxOzo&s=yiSs9Q2pq-H7yfQ1_1i-fMW23PTZRJ5lur0lbTGdTpk&e=>
>
>
>
> Our training covers basic cybersecurity (phishing, spear phishing, anatomy
> of a phishing email) cloud computing (what to store what not to store, etc)
> and Password Policy.  There are more specific trainings for PCI data
> stewards.
>
>
>
> I attached a unbranded draft of the policy.
>
>
>
> Josh
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Haselhoff, Brent
> *Sent:* Tuesday, July 24, 2018 11:09 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Mandatory IT Security training
>
>
>
> Hi Everyone,
>
>
>
> We are currently evaluating our mandatory IT security training policies
> and procedures.  Does your university require IT security training for all
> employees?  If so, what topics are covered?  Do you require this training
> in order to stay compliant with some sort of regulation, or are you doing
> it because it is best practice? Do you require this training annually or
> just upon hire?
>
> Thanks
>
> Brent
>
>
>
>
>
> Brent Haselhoff
>
> Manager, IT Security and Identity Management
>
> brent.haselhoff () wku edu
>
> 270-745-2012
>
>
>
>
>
> Please consider the environment before printing this e-mail.
>
> This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone at
> (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete
> this message immediately if this is an electronic communication. Thank you.