Educause Security Discussion mailing list archives
Re: New Employee Security Training
From: "Johnson, Kyle A" <KAJohnson () INDIANATECH EDU>
Date: Tue, 20 Jun 2017 15:10:54 +0000
We have a 30 min information security training program that is assigned to every new employee. Yes, HR does cover this during their onboarding process, and since we are a fairly small institution, I personally reach out to them with instructions. The training covers everything from how to spot phishing emails, data security practices, etc. We give them 30 days to complete the training, and so far, we have had success with this. We also make them aware of the security policies that we have in place.

Thanks,

Kyle Johnson, GSEC, CEH
Information Security Officer
kajohnson () indianatech edu / www.IndianaTech.edu
O: 260-422-5561 x2107 M: 260-343-1606
1600 E. Washington Blvd. / Fort Wayne, IN 46803
PHISHING? Forward the email to abuse () indianatech edu for reporting and investigation

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Lewis
Sent: Tuesday, June 20, 2017 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

At the University of West Georgia, we created a training unit 5 years ago called the Center for Business Excellence <https://www.westga.edu/administration/business-and-finance/cbe/index.php> (CBE) that administers both new employee orientation as well as annual mandated training. CBE uses the SkillSoft platform (contains over 25,000 eBooks and 3,500 classes) to help administer and track training and professional development. CBE also partners with Human Resources, the Controller’s Office, Risk Management/EHS, Information Security, and our PCI DSS committee to develop customized training using Camtasia and campus-produced filming.
In 2016, the University System of Georgia mandated that each institution provide annual Information Security training. This training consists of a 10-minute Camtasia-produced training with visual slides and a script from UWG’s Information Security Officer that includes a 5-question assessment.

Dan Lewis
Executive Director – Center for Business Excellence
University of West Georgia
1601 Maple Street, Carrollton GA 30118
Office: 678-839-4781 Fax: 678-839-6340

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Riemer, Stan
Sent: Monday, June 19, 2017 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

Thomas,

Coming at this from a provider perspective, all new employees should be aware of the security policies and programs in place. Most organizations I work with have a new employee security LMS session which is based on the organization, laws, and regulations. It is mandatory for all new employees to pass an easy test after completing the training. In reality this does little to secure the organization as the vast majority do not adhere to the policies that they just took a course on. It is obstructive in their view and is extra work. The best way to secure the organization is to have pen tests, GRC gap assessments and remediate the findings. Policy must be driven from the top down and employees are the weakest link.
Many organizations also do a phishing exercise where they can get data from the exercise and see how many employees are actually being compliant. Most are amazed at the lack of adherence to policy and then real actionable change can take place when the information is revealed. We prefer never to single out employees as they know who did what but the fact that they know they are being non-compliant and it is seen by IT is enough in many cases to begin the cultural change.

Hope this helps

Stan Riemer | Sr. Director, Security Services
stan.riemer () nttdata com | c. +1.978.502.4885
NTT DATA Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lovaas,Steven
Sent: Monday, June 19, 2017 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

Our new employee orientations run a couple times a month, and more often early in the Fall semester. When our training department revamped the new orientation format, everyone else went to videos, but I insisted on retaining my live presence. I get 10-15 minutes, which I spend on the basics (these days, mainly talking about social engineering and general situational awareness). I feel that it's really valuable to have everyone see me face-to-face, so I can answer questions and give up-to-the-moment examples. Lots of people greet me on campus based on their memory of my talk, so I know they were at least awake...
Steve

===================
Steven Lovaas
Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707
===================

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ludwig, Linda <LUDWIGL () GRINNELL EDU>
Sent: Monday, June 19, 2017 6:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

We finally got a small slice of the new employee orientation. I have just 15 minutes so I do an Icebreaker that goes over a lot of possible problems in a very short time. I pair them up and give them the photo of a desk and they have to identify at least 12 infosec problems in the picture. I have attached the handout I give them with the solutions which we go over as a group. It’s a quick way to cover a lot of little things in a short period of time. Then I give them some local higher ed examples of data breaches and the cost of the breaches. The main focus of the 15 minutes is to protect the data and how to contact InfoSec about anything suspicious.

Linda

*********************************
Linda L. Ludwig
Information Security Awareness Specialist
ludwigl () grinnell edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Friday, June 16, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] New Employee Security Training

Does anyone do IT security training as part of on-boarding new employees? If so, what do you cover? Who does the training (IT, HR, or?)? When is the training done? How well does it seem to work for you? What would you do differently?
We would like to implement something like this, but are afraid of overwhelming a new employee during their HR orientation. Something done a week or two later may have a better chance of sticking with the end user, but requires much more time and organization on our part.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu