Main Nav


Our information security steering committee is currently discussing the topic of security awareness training, and a number of questions have come up, with the inevitiable "let's see what other schools are doing" response. Some of this has come up on the list in the past, but not all in one place, and unfortunately, although the Core Data Survey has some data about training, it doesn't answer these questions. So... a little survey.

NOTE: For purposes of the questions below, "security awareness training" means some kind of computer-based or in-person training course, typically 15-60 minutes in length, that covers basic computer and information security topics such as passwords, email use, safe browsing, social engineering, mobile devices, data classification, viruses and malware, and so on.

1. Does your school offer security awareness training to administrative staff?
   a. Yes, mandatory only for employees who handle sensitive information (PII, PCI, HIPAA, etc.)
   b. Yes, mandatory for all employees
   c. Yes, optional for all employees
   b. No

2. Is your security awareness training provided to newly hired administrative staff?
   a. Yes, it is a mandatory part of orientation or "first 90 days"
   b. Yes, it is an optional part of orientation or "first 90 days"
   c. No security awareness training provided to new hires

3. Is your security awareness training provided to existing administrative staff?
   a. Yes, training must be completed at least once a year
   b. Yes, training must be completed less than once a year (e.g., every two years)
   c. Yes, training is available but completion is optional
   d. No recurring security awareness training

4. Do you provide security awareness training for administrative staff as:
   a. A single course with the same content for all employees
   b. A single course for each employee, but different jobs get different courses
   c. Multiple courses--a "basic" course for all employees, and special courses for some jobs
   d. Other (please describe)

5. Does your security awareness training for administrative staff cover FERPA?
   a. The security awareness course provides complete coverage of FERPA
   b. The security awareness course provides a FERPA overview only
   c. The security awareness course does not cover FERPA

6. Does your school offer security awareness training to faculty?
   a. Yes, mandatory for all full-time and part-time faculty
   b. Yes, mandatory for full-time faculty only
   c. Yes, optional for all faculty members
   b. No

7. What is the source of your security awareness training material?
   a. SANS Securing the Human training
   b. EDUCAUSE training resources (as-is or customized)
   c. Commercial training (please name vendor if you're willing)
   d. Internally developed (please share URLs if it's public)

To keep clutter on the list down, if you'll send your answers directly to me (david.curry@newschool.edu), I will collect the results and post a summary back to the list in a couple of weeks.

Thanks,
--Dave


--

DAVID A. CURRY, CISSP â€¢ DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL â€¢ 55 W. 13TH STREET â€¢ NEW YORK, NY 10011

+1 212 229-5300 x4728 â€¢ david.curry@newschool.edu