Educause Security Discussion mailing list archives

Re: Mandatory Security Training in Higher Education

From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 18 Oct 2006 17:06:01 -0600

Connie,

Ironic that the value of training would be lost by faculty and
institutions of Higher Education, eh?  Being from a similar background
where there was some sort of corporate policy training every few weeks I
completely understand your frustrations here.  I value my corporate
training nearly as much, and in some cases more than my academic, as it
was more practical for actually producing a valued product.

We've had grumblings from the masses, very similar to those you are
expressing, related to required HIPAA and fiscal responsibility training
that have gone out, how everyone's just going to quit and go elsewhere
if System continues to heap this indignity and time-wasting stuff on
them.  Unfortunately for them, it is very clear that privacy and
security training are your primary line of defense in privacy and
identity theft cases - not only must you have policy but you must point
out how you've communicated that policy to the masses.  We will be
having at least two levels of rudimentary security training going out
with our new policy suite, or so I've been told by our ISO, one for the
masses, the other for known custodians of sensitive and higher value
data.

The training is typically executed through Blackboard or some online
training system that is tied to the employee records in PeopleSoft(r),
where attendance is recorded automatically based on quiz results at the
end of the training.  Employees will peruse through 30 minutes of slides
and policy instruction, take a quiz, and if successful in passing the
minimum acceptable grade, be recorded in the database, else they have to
repeat.  This is the common approach.

The barriers are simply childish and immature banter from a class that
has for much too long thought too much of itself, I'm afraid, and thus we
are at extreme risk of hurting our customers and constituents through
lax protection of their interests.  It irritates me to no end that
there is such a resistance to what the rest of the world sees as purely
the necessary minimum needed to protect assets and customers' interests.
Oh, excuse me, we aren't a business, we're an institution; they are
students, not customers; and the rules don't apply to us, we have academic
freedoms.  Hogwash.  (Sorry, you pushed my main hot-spot button on this
one, especially after the FTP/SFTP arguments and woes about how the
world was coming to an end by our forcing this more than sensible
change.)

In some defense of the masses, there are many job classes out there that
are overworked, underfunded, and so far away from being able to meet
their unfunded mandate responsibilities that I do understand their
desire to avoid further time requirements.  I think the Institution has
lived much too long without being called to task by its customers, and
the shift in culture (compliance and other TQM type mandates) is a
difficult one.  If the consequences of failure were truly understood,
then I think there'd be softening of the rumbles, but it will take a few
real failures (total institutional failures I'm suggesting, not just
compliance failures) before the cultures will change radically.

Best regards,

Jim

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

________________________________

From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU] 
Sent: Wednesday, October 18, 2006 3:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory Security Training in Higher Education

Having come from a background in the Corporate world, where security
training is *mandatory*, I'm wondering how many institutions of higher
ed require security training for staff and/or faculty. We are planning
to require it for our ERP system users (and all staff soon), but the
question always comes up - "What are others doing"? So I'd appreciate
information about how you folks have approached your senior
administration in terms of why mandatory training is so important. If
you are not yet requiring training, I'd be interested in the barriers
you still face. It seems particularly challenging for faculty.

Thanks much! 

Connie 

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC 
IT Security Officer
Brown University Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB
