Educause Security Discussion mailing list archives
Re: Mandatory Awareness Training Enforcement
From: Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Date: Wed, 6 Jan 2021 18:31:07 +0000
I started our program by creating an email for all data training and questions to be focused back to. Sadly but luckily, it wasn’t a few months later that we had a data breach. That breach got the attention of the C-Suite and allowed us to slowly bring more functions online to help with training. I also used every opportunity I could to get before Staff and Faculty to stress the need for data security. Another thing that helped our implementation is the Federal financial audits and their requirement on us to meet NIST standards.

Good Luck with the program,
Curt

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Wednesday, January 6, 2021 10:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

Thank you, Curt. The culture at the University here is to be extremely gun shy about mandating anything. I’m not opposed to any of the things that you’ve listed below and hope to implement a data security training program. We are required to do annual fire and safety training, so why not data security? Anything we can do to raise awareness of data security issues is a good thing IMO. If anything is going to be mandated, I have to have a solid argument or solid statistics that show we would see a reduction in risk. Anecdotally, I can guarantee we would see at least some reduction in risk. The previous person in my position discussed doing test phishing campaigns, but was ultimately shot down. I wasn’t involved in the conversations, so I don’t know what the conversation was or how it was proposed. If it was proposed or perceived as a corrective action rather than an educational one, that conversation would have been DOA.

Thank you,
Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, January 6, 2021 at 9:07 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

While I understand the need to be able to have concrete proof that a process (data security training) is accomplishing a goal, I am not sure that a trackable metric tells the whole story. In my mind, the goal of our data security training is to get people to think differently when they are working with data and other digital processes. This thought process will be inherently flawed at times because it will be influenced by many external factors (which are usually outside of our control). These flawed judgments can cause a metric to look like the process is not working.

With the goal being to get the users to change their thinking, I feel we have succeeded if I see the following from our users:

1. If they click on something they are not supposed to, they are not afraid to reach out and tell me about it so that we can work to resolve it.
2. The majority of the time, they are reliable at doing the right thing when it comes to what we have taught them. (This shows in the results of our Phish testing and their daily usage of our “Phishy” email program.)
3. Conversations with users show that they are becoming comfortable with talking about data security and their comprehension of data security principles is growing.

I think the best way to verify (at least from a C-Suite perspective) that the data training is effective is for the C-Suite to seek out the users and query them on what they think about Data Security and how the users' opinion of data security has changed. This will also require the C-Suite individuals to become more understanding of data security so that they can correctly interpret the users' responses (which I see as a good thing).

Curt Kappenman
Anderson University
Anderson, SC

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Wednesday, January 6, 2021 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

How do you measure the mandated training to a reduction of risk in user behavior? Is the training effective at improving user behavior?

Thank you,
Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, January 5, 2021 at 10:26 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Mandatory Awareness Training Enforcement

We disable the user account at the beginning of the next quarter if they fail to complete the training. They must contact the security department to have their account enabled and take the required training.

Curt Kappenman

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Tuesday, January 5, 2021 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory Awareness Training Enforcement

Happy New Year everyone! I know this has been rehashed a few times but it appears that some of the archival information that used to be on the educause site is no longer there. I’m looking for information from schools that mandate annual information security awareness training. My question is what enforcement means are you using to get compliance? This is much appreciated. Thanks!

James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password. For the latest information security news at Loyola, please follow us online, Twitter: @LUCUISO Facebook: https://www.facebook.com/lucuiso/ Our Blog http://blogs.luc.edu/uiso/

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Mandatory Awareness Training Enforcement Pardonek, Jim (Jan 05)
- Re: Mandatory Awareness Training Enforcement Curt Kappenman (Jan 05)
- <Possible follow-ups>
- Re: Mandatory Awareness Training Enforcement Menne, Michael S (Jan 06)
- Re: Mandatory Awareness Training Enforcement Curt Kappenman (Jan 06)
- Re: Mandatory Awareness Training Enforcement Menne, Michael S (Jan 06)
- Re: Mandatory Awareness Training Enforcement Curt Kappenman (Jan 06)
- Re: Mandatory Awareness Training Enforcement Pardonek, Jim (Jan 06)
- Re: Mandatory Awareness Training Enforcement Curt Kappenman (Jan 06)
- Re: Mandatory Awareness Training Enforcement Alan Andersen (Jan 06)
- Re: Mandatory Awareness Training Enforcement Tanner, Andrea (Jan 07)