Educause Security Discussion mailing list archives

Re: Mandatory Awareness Training Enforcement


From: Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Date: Wed, 6 Jan 2021 18:31:07 +0000

I started our program by creating an email for all data training and questions to be focused back to.  Sadly but 
luckily, it wasn’t a few months later that we had a data breach.  That breach got the attention of the C-Suite and 
allowed us to slowly bring more functions online to help with training.  I also used every opportunity I could to get 
before Staff and Faculty to stress the need of data security.

Another thing that helped our implementation is the Federal financial audits and their requirement on us to meet NIST 
standards.

Good Luck with the program, Curt

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Wednesday, January 6, 2021 10:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

Thank you Curt.  The culture at the University here is to be extremely gun shy about mandating anything.  I’m not 
opposed to any of the things that you’ve listed below and hope to implement a data security training program. We are 
required to do annual fire and safety training, so why not data security?  Anything we can do to raise awareness of 
data security issues is a good thing IMO.  If anything is going to be mandated, I have to have a solid argument or 
solid statistics that show we would see a reduction in risk.  Anecdotally, I can guarantee we would see at least some 
reduction in risk.

The previous person in my position discussed doing test phishing campaigns, but was ultimately shot down.  I wasn’t 
involved in the conversations, so I don’t know what the conversation was or how it was proposed. If it was proposed or 
perceived as a corrective action rather than an educational one, that conversation would have been DOA.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware


Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, January 6, 2021 at 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

While I understand the need to be able to have a concrete proof that a process (data security training) is 
accomplishing a goal, I am not sure that a trackable metric tells the whole story.  In my mind, the goal of our data 
security training is to get people to think differently when they are working with data and other digital processes.  
This thought process will be inherently flawed at times because it will be influenced by many external factors (which 
are usually outside of our control).  These flawed judgments can cause a metric to look like the process is not working.

With the goal being to get the users to change their thinking, I feel we have succeeded if I see the following from our 
users:

  1.  If they click on something they are not supposed to, they are not afraid to reach out and tell me about it so 
that we can work to resolve it.
  2.  The majority of the time, they are reliable at doing the right thing when it comes to what we have taught them. 
(this shows by the results of our Phish testing and their daily usage of our “Phishy” email program)
  3.  Conversations with users show that they are becoming comfortable with talking about data security and their 
comprehension of data security principles is growing.

I think the best way to verify (at least from a C-Suite perspective) that the data training is effective, the C-Suite 
needs to seek out the users and query them on what they think about Data Security and how the users' opinion of data 
security has changed.  This will also require the C-Suite individuals to become more understanding of data security so 
that they can correctly interpret the users' responses (which I see as a good thing).

Curt Kappenman
Anderson University
Anderson, SC

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Wednesday, January 6, 2021 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

How do you measure the mandated training to a reduction of risk in user behavior?  Is the training effective at 
improving user behavior?

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, January 5, 2021 at 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

We disable the user account at the beginning of the next quarter if they fail to complete the training.  They must 
contact the security department to have their account enabled and take the required training.
Curt Kappenman

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Tuesday, January 5, 2021 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory Awareness Training Enforcement

Happy New Year everyone!

I know this has been rehashed a few times but it appears that some of the archival information that used to be on the 
educause site is no longer there.

I’m looking for information from schools that mandate annual information security awareness training.

My question is what enforcement means are you using to get compliance?

This is much appreciated.

Thanks!

James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


