Educause Security Discussion mailing list archives
Enforcement of Security Training for Faculty/Staff
From: "Conlee, Keith" <Conlee () COD EDU>
Date: Tue, 9 Mar 2010 17:01:40 -0600
Hi Matt,

On behalf of our IT dept. I designed/developed an online Security Management Training product for all staff that is required. As you might expect it defines acceptable use, the definition of and the protection of sensitive data among other things. The training defines the College's Security Management position and the required/expected behavior for each staff member to support it. After the audio/video/power-pt presentation the employee is asked to answer 6 easy questions to demonstrate they understand the College's SM position and what they have to do to support it. At the end of the questions, each staff member is required to print a certificate of completion and submit it to a centralized record-keeper where it becomes part of their personal record that they completed it (or not).

From an audit perspective for PCI, FERPA, GLBA, HEOA, HIPAA, etc. that require training as part of complying with each regulation/standard this explicit type of training makes it easy to demonstrate that you have complied with the training requirement of each.

Keith Conlee, CISSP, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599
Ph. - 630.942.3055
Fax. - 630.790.0325

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY automatic digest system
Sent: Sunday, February 28, 2010 11:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 26 Feb 2010 to 28 Feb 2010 (#2010-47)

There is 1 message totalling 157 lines in this issue.

Topics of the day:
1. Enforcement of Security Training for Faculty/Staff

----------------------------------------------------------------------
Date: Sun, 28 Feb 2010 12:01:51 -0500
From: Matthew Giannetto <MGiannetto () MC3 EDU>
Subject: Enforcement of Security Training for Faculty/Staff

Folks,

We're currently planning IT Security Training & Awareness at our college, and are struggling with some of the same challenges I'm sure most of you have faced. We're currently debating if we can require IT Security Training for faculty, and if so, how do we enforce it.

I've gone through much of the previous discussion regarding training and awareness and how to gain faculty acceptance. In general, it seems that the majority of institutions can't convince upper management to buy-in to a mandate (primarily due to culture or contractual limitations), and thus are left to find creative ways to design and market their training to encourage participation.

But, much of the earlier conversation doesn't address how institutions that require IT security training enforce the requirement? Do you turn off network accounts if they don't complete training by a certain date? Do you make a note in their personnel file? Do you just keep pestering them until they do it?

Any feedback you may have is greatly appreciated.

Thanks,

Matt Giannetto
Manager of IT Security
Montgomery County Community College
mgiannetto () mc3 edu | (215) 619-7442
________________________________
Montgomery County Community College is proud to be the #1 ranked technology-savvy community college in the nation, as determined by the Center for Digital Education and Converge magazine.

------------------------------
End of SECURITY Digest - 26 Feb 2010 to 28 Feb 2010 (#2010-47)