Educause Security Discussion mailing list archives

Re: Enforcement of Security Training for Faculty/Staff


From: David Escalante <david.escalante () BC EDU>
Date: Mon, 1 Mar 2010 10:21:13 -0500

Matthew Giannetto wrote:



But, much of the earlier conversation doesn't address how institutions
that require IT security training enforce the requirement.  Do you
turn off network accounts if they don't complete training by a certain
date?  Do you make a note in their personnel file?  Do you just keep
pestering them until they do it?


At BC we have not made enforcement an IT issue.  Department managers and
deans are responsible for monitoring completion of training via tool(s)
provided by IT, and university upper management regularly asks them for
status reports.  Most faculty/staff seem to do what their immediate
manager/department chair mandates, whereas they might not hurry to
follow an IT mandate.

Of course as you note, this requires upper management buy-in.  But I
suspect that if, to cite one of your examples, you shut off people's
network accounts for failing to attend training for which there is not
upper management buy-in, you're engaged in what used to be called
"career-limiting activities."
--
David Escalante
Boston College
