Educause Security Discussion mailing list archives

Re: New Employee Security Training


From: "Johnson, Kyle A" <KAJohnson () INDIANATECH EDU>
Date: Tue, 20 Jun 2017 15:10:54 +0000

We have a 30 min information security training program that is assigned to every new employee. Yes, HR does cover this 
during their onboarding process, and since we are a fairly small institution, I personally reach out to them with 
instructions. The training covers everything from how to spot phishing emails, data security practices, etc. We give 
them 30 days to complete the training, and so far, we have had success with this. We also make them aware of the 
security policies that we have in place.

 

Thanks,

 

Kyle Johnson, GSEC, CEH

Information Security Officer



kajohnson () indianatech edu / www.IndianaTech.edu

O: 260-422-5561 x2107

M: 260-343-1606

1600 E. Washington Blvd. / Fort Wayne, IN 46803

 

PHISHING? Forward the email to abuse () indianatech edu for reporting and investigation

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Lewis
Sent: Tuesday, June 20, 2017 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

 


At the University of West Georgia, we created a training unit 5 years ago called the Center for Business Excellence 
<https://www.westga.edu/administration/business-and-finance/cbe/index.php>  (CBE) that administers both new employee 
orientation as well as annual mandated training.  CBE uses the SkillSoft platform (contains over 25,000 eBooks and 
3,500 classes) to help administer and track training and professional development.  CBE also partners with Human 
Resources, the Controller’s Office, Risk Management/EHS, Information Security, and our PCI DSS committee to develop 
customized training using Camtasia and campus-produced filming.

 

In 2016, the University System of Georgia mandated that each institution provide annual Information Security training.  
This training consists of a 10-minute Camtasia-produced training with visual slides and a script from UWG’s Information 
Security Officer that includes a 5-question assessment.

Dan Lewis

Executive Director – Center for Business Excellence

University of West Georgia

1601 Maple Street, Carrollton GA 30118

Office:   678-839-4781

Fax:       678-839-6340

 


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Riemer, Stan
Sent: Monday, June 19, 2017 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

 

Thomas, 

 

Coming at this from a provider perspective, all new employees should be aware of the security policies and programs in 
place. Most organizations I work with have a new employee security LMS session which is based on the organization, 
laws, and regulations. It is mandatory for all new employees to pass an easy test after completing the training.  In 
reality this does little to secure the organization as the vast majority do not adhere to the policies that they just 
took a course on. It is obstructive in their view and is extra work. 

 

The best way to secure the organization is to have pen tests, GRC gap assessments and remediate the findings. Policy 
must be driven from the top down and employees are the weakest link. Many organizations also do a phishing exercise 
where they can get data from the exercise and see how many employees are actually being compliant. Most are amazed at 
the lack of adherence to policy and then real actionable change can take place when the information is revealed. We 
prefer never to single out employees as they know who did what but the fact that they know they are being non-compliant 
and it is seen by IT is enough in many cases to begin the cultural change. 

 

Hope this helps 

 

Stan Riemer | Sr. Director,  Security Services

stan.riemer () nttdata com | c. +1.978.502.4885

 

NTT DATA Inc.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Lovaas,Steven
Sent: Monday, June 19, 2017 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training

 

Our new employee orientations run a couple times a month, and more often early in the Fall semester. When our training 
department revamped the new orientation format, everyone else went to videos, but I insisted on retaining my live 
presence. I get 10-15 minutes, which I spend on the basics (these days, mainly talking about social engineering and 
general situational awareness). I feel that it's really valuable to have everyone see me face-to-face, so I can answer 
questions and give up-to-the-moment examples. Lots of people greet me on campus based on their memory of my talk, so I 
know they were at least awake...

 

Steve

 

===================

Steven Lovaas

Information Security Officer

Colorado State University

steven.lovaas () colostate edu

970-297-3707

===================

 

  _____  

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ludwig, Linda <LUDWIGL () GRINNELL EDU>
Sent: Monday, June 19, 2017 6:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Employee Security Training 

 

We finally got a small slice of the new employee orientation. I have just 15 minutes so I do an Icebreaker that goes 
over a lot of possible problems in a very short time. I pair them up and give them the photo of a desk and they have to 
identify at least 12 infosec problems in the picture. I have attached the handout I give them with the solutions which 
we go over as a group. It’s a quick way to cover a lot of little things in a short period of time. Then I give them 
some local higher ed examples of data breaches and the cost of the breaches. The main focus of the 15 minutes is to 
protect the data and how to contact InfoSec about anything suspicious.

 

Linda

********************************* 
Linda L. Ludwig 
Information Security Awareness Specialist
ludwigl () grinnell edu

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Friday, June 16, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] New Employee Security Training

 

Does anyone do IT security training as part of on-boarding new employees? If so, what do you cover? Who does the 
training (IT, HR, or?)? When is the training done? How well does it seem to work for you? What would you do differently?

 

We would like to implement something like this, but are afraid of overwhelming a new employee during their HR 
orientation. Something done a week or two later may have a better chance of sticking with the end user, but requires 
much more time and organization on our part.

 

Thomas Carter
Network & Operations Manager / IT

Austin College
900 North Grand Avenue 
Sherman, TX 75090

Phone: 903-813-2564
 
 www.austincollege.edu

 


