
Suffolk has recently implemented mandatory Information Security Training and we are reviewing our enforcement for faculty and staff. We have discussed the use of warnings and removal of network access for non-compliance. I like the way Longwood enforces it: through reminders of non-compliance and, after a period of time, if they are still not compliant, their Supervisor/Dean is notified and network access is terminated.

 

I would like to take a poll and see how others are enforcing mandatory training.

 

How do you enforce? (e.g. warnings, removing network access, suspension...)

Who and how do you notify?

How long do you give the end user to meet compliance?

Any lessons learned?

 

Any feedback would be appreciated.

 

Thanks in advance,

Paul

 

 

-----------------------------------------------------------------

Paul Guarino

Information Security Officer and Network Security

Suffolk University

pguarino@suffolk.edu | 617-573-8523

 

This E-mail message is confidential, intended only for the recipient(s) named above and may contain information that is privileged, exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender by return email or by calling (617) 573-8523, and delete this message from your computer. Thank you.

 

********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Comments

A timely question, indeed.  We just licensed the SANS Securing the Human training and enrolled a couple thousand employees back on Oct 4, with a 2 month deadline under pain of losing access to our enterprise databases (Banner, here).

When the deadline came, compliance was incomplete of course.  Our enterprise database managers chickened out on disabling all those users for fear of disrupting business processes.  So, we are now in the process of notifying unit directors of the training completion status of their employees.  We hope that supervisors will allow and encourage the employees to complete the training.  In some cases the supervisors (up to the level of Dean) have neglected their assigned training, too.

While we figured that a 2 month deadline would allow most people the flexibility to complete the training  at a convenient time, it looks more like everyone either got it done quickly or forgot about it.  I felt I was hampered somewhat by an administrative decision to NOT send out periodic reminders.

One thing we discovered was that we had lots of "dead wood" in our list of people with access to our databases.  The training welcome message elicited numerous replies of the form "Do I have to do this?  I retired two years ago."  So a side benefit is reducing unused access rights into the data.

Another thing we discovered was that the welcome message from the cloud-based training system was sometimes filed into the Junk folder by ever-helpful Outlook.  So we now have a campaign to turn off client-side filtering and let our Ironports do the spam filtering (where we can whitelist the training system).

I hope that going from step to step as we get new employees will go a lot smoother than getting on the ladder with our backlog of existing (and former, as it turns out) employees.

[This sure is a low volume list.  Maybe Paul's message will change that.]

Bob Bayn          (435)797-2396            IT Security Team
Office of Information Technology, Utah State University


We have just made the training available and are hoping to make it mandatory at some point in the future. However, to have any chance of success, you should make sure it is an institutional policy, not an IT policy, with the senior administration fully on board. The notification to a faculty member that his or her network access is being taken away should come from the Dean, not IT.

 

________________________

Richard Nelson

Director of Information Technology Services

The Citadel

171 Moultrie Street

Charleston, SC 29409


We implemented mandatory annual training over 7 years ago but have only been enforcing compliance for 3 or 4 years. This year is the first year that we also have required our students to complete the training.
 
Our annual training window is from July 1 through September 30.  If someone doesn't complete the training by the Sept. 30 deadline, our Department of Compliance sends several warning emails to the account owner and their department chair is copied.  I feel we have been very lenient in that several months go by after the deadline before their access is ultimately turned off (basically at the end of the year).   Additionally, I should note that all compliance and communication where students are involved is handled separately by our Student Services.
 
Each year, the number of recalcitrants is smaller than the previous year.  So the fact that there is now a consequence for not completing the mandatory training is fueling better compliance.  The one thing we are struggling with right now is whether or not emeritus faculty or retirees have to complete the training if they have access only to email.  I'd be interested in hearing how other organizations are approaching that particular issue.
 
Thanks for posting such an interesting question,
 
Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966

>>> Paul Guarino <pguarino@SUFFOLK.EDU> 1/5/2012 1:12 PM >>>

Sherry Callahan concluded her response with: "The one thing we are struggling with right now is whether or not emeritus faculty or retirees have to complete the training if they have access only to email. I'd be interested in hearing how other organizations are approaching that particular issue."

We have an institutional policy that requires employees who deal with "private sensitive data" or "critical institutional data" to take computer security/safety training.  We licensed SANS Securing the Human training and realized parts of it would be useful for employees in our PCI scope as well as for our Banner users. When we assigned the irrevocable training seats and discovered that some went to retirees, I encouraged those folks to at least start the training for its personal value to them.  I'd love to extend the training to all employees and even students, but the funding available just didn't stretch that far.

Bob Bayn          (435)797-2396            IT Security Team
Office of Information Technology, Utah State University



We require all university community members who access or use university restricted data (as defined by our Institutional Data Policy) to take training. And we define "university community member" broadly. From the policy, "This policy applies to all university community members, whether students, faculty, staff, or agents, who have access to university institutional data. It also applies to all university units and their agents and contractors. In addition, to the extent possible, it applies to any person or organization, whether affiliated with the university or not, in possession of university institutional data". So it would cover emeritus faculty, retirees, and even volunteers with no previous formal affiliation who handle restricted data. From our point of view, access technologies such as email are immaterial. It is relatively easy to send or receive restricted data in email, just as in snail mail. The content of the data accessed or used trumps the technology. Admittedly there might well be enforcement issues in specific cases, but until proven wrong we expect university community members to follow the spirit of the policies.

Bob Kalal
Director (Retired), Information Technology Policy
Office of the Chief Information Officer
The Ohio State University
