Re: Mandatory Security Training in Higher Education

[Tracy Mitrano <tbm3 () CORNELL EDU>]

Do you guys have policies that would prompt people to training in
order to accomplish compliance?  I always think of policy first as
education and only as a last resort enforcement, but it does function
nicely as the median point between the two and is often effectuated
by training of custodians and local support providers especially.

Tracy


On Oct 19, 2006, at 8:36 AM, Theresa M Rowe wrote:

> Jim's post is on target considering our position here - right on
> the nose.  I had a meeting just this week with the VPs and
> President on the "state of security" at our university.  Our last
> data security training drew 3 people (and it was the first time we
> offered the class).  The cabinet declined to make training
> mandatory.  Instead, they want me to send the training program and
> announcements to them, and they will push the people in their
> division to attend.  We'll see how that works.
>
> ---- Original message ----
> > Date: Wed, 18 Oct 2006 17:06:01 -0600
> > From: Jim Dillon <Jim.Dillon () CUSYS EDU>
> > Subject: Re: [SECURITY] Mandatory Security Training in Higher
> > Education
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> >
> >   Connie,
> >
> >
> >
> >   Ironic that the value of training would be lost by
> >   faculty and institutions of Higher Education, eh?
> >   Being from a similar background where there was some
> >   sort of corporate policy training every few weeks I
> >   completely understand your frustrations here.  I
> >   value my corporate training nearly as much, and in
> >   some cases more than my academic, as it was more
> >   practical for actually producing a valued product.
> >
> >
> >
> >   We've had grumblings from the masses, very similar
> >   to those you are expressing, related to required
> >   HIPAA and fiscal responsibility training that have
> >   gone out, how everyone's just going to quit and go
> >   elsewhere if System continues to heap this indignity
> >   and time-wasting stuff on them.  Unfortunately for
> >   them, it is very clear that privacy and security
> >   training are your primary line of defense in privacy
> >   and identity theft cases - not only must you have
> >   policy but you must point out how you've
> >   communicated that policy to the masses.  We will be
> >   having at least two levels of rudimentary security
> >   training going out with our new policy suite, or so
> >   I've been told by our ISO, one for the masses, the
> >   other for known custodians of sensitive and higher
> >   value data.
> >
> >
> >
> >   The training is typically executed through
> >   Blackboard or some online training system that is
> >   tied to the employee records in PeopleSoft(R), where
> >   attendance is recorded automatically based on quiz
> >   results at the end of the training.  Employees will
> >   peruse through 30 minutes of slides and policy
> >   instruction, take a quiz, and if successful in
> >   passing the minimum acceptable grade, be recorded in
> >   the database, else they have to repeat.  This is the
> >   common approach.
> >
> >
> >
> >   The barriers are simply childish and immature banter
> >   from a class that has for much too long thought too
> >   much of itself I'm afraid, and thus we are at
> >   extreme risk for hurting our customers and
> >   constituents through lax protection of their
> >   interests.  It irritates me to know end that there
> >   is such a resistance to what the rest of the world
> >   sees as purely the necessary minimum needed to
> >   protect assets and customers interests.   Oh excuse
> >   me, we aren't a business we're an institution, they
> >   are students not customers, and the rules don't
> >   apply to us we have academic freedoms.  Hogwash.
> >   (Sorry, you pushed my main hot-spot button on this
> >   one, especially after the FTP/SFTP arguments and
> >   woes about how the world was coming to the end by us
> >   forcing this more than sensible change.)
> >
> >
> >
> >   In some defense of the masses, there are many job
> >   classes out there that are overworked, underfunded,
> >   and so far away from being able to meet their
> >   unfunded mandate responsibilities that I do
> >   understand their desire to avoid further time
> >   requirements.  I think the Institution has lived
> >   much too long without being called to task by its
> >   customers, and the shift in culture (compliance and
> >   other TQM type mandates) is a difficult one.  If the
> >   consequences of failure were truly understood, then
> >   I think there'd be softening of the rumbles, but it
> >   will take a few real failures (total institutional
> >   failures I'm suggesting, not just compliance
> >   failures) before the cultures will change radically.
> >
> >
> >
> >   Best regards,
> >
> >
> >
> >   Jim
> >
> >
> >
> >   *****************************************
> >
> >   Jim Dillon, CISA, CISSP
> >
> >   IT Audit Manager, CU Internal Audit
> >
> >   jim.dillon () cusys edu
> >
> >   303-492-9734
> >
> >   *****************************************
> >
> >
> >
> >
> >
> >   ----------------------------------------------------
> >
> >   From: Sadler, Connie
> >   [mailto:Connie_Sadler () BROWN EDU]
> >   Sent: Wednesday, October 18, 2006 3:57 PM
> >   To: SECURITY () LISTSERV EDUCAUSE EDU
> >   Subject: [SECURITY] Mandatory Security Training in
> >   Higher Education
> >
> >
> >
> >
> >
> >   Having come from a background in the Corporate
> >   world, where security training is *mandatory*, I'm
> >   wondering how many institutions of higher ed require
> >   security training for staff and/or faculty. We are
> >   planning to require it for our ERP system users (and
> >   all staff soon), but the question always comes up -
> >   "What are others doing"? So I'd appreciate
> >   information about how you folks have approached your
> >   senior administration in terms of why mandatory
> >   training is so important. If you are not yet
> >   requiring training, I'd be interested in the
> >   barriers you still face. It seems particularly
> >   challenging for faculty.
> >
> >   Thanks much!
> >
> >   Connie
> >
> >   Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
> >   IT Security Officer
> >   Brown University Box 1885, Providence, RI 02912
> >   Connie_Sadler () Brown edu
> >   Office: 401-863-7266
> >   PGP Key:
> >   http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
> >   PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07
> >   80BA 91E3 8EFB
> Theresa Rowe
> Assistant Vice President
> University Technology Services
> www.oakland.edu/uts - the latest news from University Technology
> Services