Educause Security Discussion mailing list archives
Re: Mandatory Security Training in Higher Education
From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Thu, 19 Oct 2006 09:49:09 -0400
Do you guys have policies that would prompt people to training in order to accomplish compliance? I always think of policy first as education and only as a last resort enforcement, but it does function nicely as the median point between the two and is often effectuated by training of custodians and local support providers especially.

Tracy

On Oct 19, 2006, at 8:36 AM, Theresa M Rowe wrote:

Jim's post is on target considering our position here - right on the nose. I had a meeting just this week with the VPs and President on the "state of security" at our university. Our last data security training drew 3 people (and it was the first time we offered the class). The cabinet declined to make training mandatory. Instead, they want me to send the training program and announcements to them, and they will push the people in their division to attend. We'll see how that works.

---- Original message ----
Date: Wed, 18 Oct 2006 17:06:01 -0600
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Subject: Re: [SECURITY] Mandatory Security Training in Higher Education
To: SECURITY () LISTSERV EDUCAUSE EDU

Connie,

Ironic that the value of training would be lost by faculty and institutions of Higher Education, eh? Being from a similar background where there was some sort of corporate policy training every few weeks I completely understand your frustrations here. I value my corporate training nearly as much, and in some cases more than my academic, as it was more practical for actually producing a valued product.

We've had grumblings from the masses, very similar to those you are expressing, related to required HIPAA and fiscal responsibility training that have gone out, how everyone's just going to quit and go elsewhere if System continues to heap this indignity and time-wasting stuff on them. Unfortunately for them, it is very clear that privacy and security training are your primary line of defense in privacy and identity theft cases - not only must you have policy but you must point out how you've communicated that policy to the masses.

We will be having at least two levels of rudimentary security training going out with our new policy suite, or so I've been told by our ISO, one for the masses, the other for known custodians of sensitive and higher value data.

The training is typically executed through Blackboard or some online training system that is tied to the employee records in PeopleSoft(R), where attendance is recorded automatically based on quiz results at the end of the training. Employees will peruse through 30 minutes of slides and policy instruction, take a quiz, and if successful in passing the minimum acceptable grade, be recorded in the database, else they have to repeat. This is the common approach.

The barriers are simply childish and immature banter from a class that has for much too long thought too much of itself I'm afraid, and thus we are at extreme risk for hurting our customers and constituents through lax protection of their interests. It irritates me to no end that there is such a resistance to what the rest of the world sees as purely the necessary minimum needed to protect assets and customers' interests. Oh excuse me, we aren't a business we're an institution, they are students not customers, and the rules don't apply to us we have academic freedoms. Hogwash. (Sorry, you pushed my main hot-spot button on this one, especially after the FTP/SFTP arguments and woes about how the world was coming to the end by us forcing this more than sensible change.)

In some defense of the masses, there are many job classes out there that are overworked, underfunded, and so far away from being able to meet their unfunded mandate responsibilities that I do understand their desire to avoid further time requirements. I think the Institution has lived much too long without being called to task by its customers, and the shift in culture (compliance and other TQM type mandates) is a difficult one. If the consequences of failure were truly understood, then I think there'd be softening of the rumbles, but it will take a few real failures (total institutional failures I'm suggesting, not just compliance failures) before the cultures will change radically.

Best regards,
Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

----------------------------------------------------
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Wednesday, October 18, 2006 3:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory Security Training in Higher Education

Having come from a background in the Corporate world, where security training is *mandatory*, I'm wondering how many institutions of higher ed require security training for staff and/or faculty. We are planning to require it for our ERP system users (and all staff soon), but the question always comes up - "What are others doing"? So I'd appreciate information about how you folks have approached your senior administration in terms of why mandatory training is so important. If you are not yet requiring training, I'd be interested in the barriers you still face. It seems particularly challenging for faculty.

Thanks much!
Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services