Educause Security Discussion mailing list archives

Re: New Employee Security Training


From: Dan Lewis <dlewis () WESTGA EDU>
Date: Tue, 20 Jun 2017 09:02:43 -0400

At the University of West Georgia, we created a training unit 5 years ago
called the Center for Business Excellence
<https://www.westga.edu/administration/business-and-finance/cbe/index.php>
(CBE) that administers both new employee orientation and annual
mandated training.  CBE uses the SkillSoft platform (contains over 25,000
eBooks and 3,500 classes) to help administer and track training and
professional development.  CBE also partners with Human Resources, the
Controller’s Office, Risk Management/EHS, Information Security, and our PCI
DSS committee to develop customized training using Camtasia and
campus-produced filming.



In 2016, the University System of Georgia mandated that each institution
provide annual Information Security training.  This training consists of a
10-minute Camtasia-produced training with visual slides and a script from
UWG’s Information Security Officer that includes a 5-question assessment.

Dan Lewis

Executive Director – Center for Business Excellence

University of West Georgia

1601 Maple Street, Carrollton GA 30118

Office:   678-839-4781

Fax:       678-839-6340




*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Riemer, Stan
*Sent:* Monday, June 19, 2017 10:17 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] New Employee Security Training



Thomas,



Coming at this from a provider perspective, all new employees should be
aware of the security policies and programs in place. Most organizations I
work with have a new employee security LMS session which is based on the
organization, laws, and regulations. It is mandatory for all new employees
to pass an easy test after completing the training.  In reality this does
little to secure the organization as the vast majority do not adhere to the
policies that they just took a course on. It is obstructive in their view
and is extra work.



The best way to secure the organization is to have pen tests, GRC gap
assessments and remediate the findings. Policy must be driven from the top
down and employees are the weakest link. Many organizations also do a
phishing exercise where they can get data from the exercise and see how
many employees are actually being compliant. Most are amazed at the lack of
adherence to policy and then real actionable change can take place when the
information is revealed. We prefer never to single out employees as they
know who did what but the fact that they know they are being non-compliant
and it is seen by IT is enough in many cases to begin the cultural change.



Hope this helps



*Stan Riemer* | Sr. Director,  Security Services

*stan.riemer () nttdata com* | *c.* +1.978.502.4885



NTT DATA Inc.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Lovaas, Steven
*Sent:* Monday, June 19, 2017 9:59 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] New Employee Security Training



Our new employee orientations run a couple times a month, and more often
early in the Fall semester. When our training department revamped the new
orientation format, everyone else went to videos, but I insisted on
retaining my live presence. I get 10-15 minutes, which I spend on the
basics (these days, mainly talking about social engineering and general
situational awareness). I feel that it's really valuable to have everyone
see me face-to-face, so I can answer questions and give up-to-the-moment
examples. Lots of people greet me on campus based on their memory of my
talk, so I know they were at least awake...



Steve



===================

Steven Lovaas

Information Security Officer

Colorado State University

steven.lovaas () colostate edu

970-297-3707

===================


------------------------------

*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ludwig, Linda <
LUDWIGL () GRINNELL EDU>
*Sent:* Monday, June 19, 2017 6:25 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] New Employee Security Training



We finally got a small slice of the new employee orientation. I have just
15 minutes so I do an Icebreaker that goes over a lot of possible problems
in a very short time. I pair them up and give them the photo of a desk and
they have to identify at least 12 infosec problems in the picture. I have
attached the handout I give them with the solutions which we go over as a
group. It’s a quick way to cover a lot of little things in a short period
of time. Then I give them some local higher ed examples of data breaches
and the cost of the breaches. The main focus of the 15 minutes is to
protect the data and how to contact InfoSec about anything suspicious.



Linda

*********************************
Linda L. Ludwig
Information Security Awareness Specialist
ludwigl () grinnell edu





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Thomas Carter
*Sent:* Friday, June 16, 2017 2:33 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] New Employee Security Training



Does anyone do IT security training as part of on-boarding new employees?
If so, what do you cover? Who does the training (IT, HR, or?)? When is the
training done? How well does it seem to work for you? What would you do
differently?



We would like to implement something like this, but are afraid of
overwhelming a new employee during their HR orientation. Something done a
week or two later may have a better chance of sticking with the end user,
but requires much more time and organization on our part.



*Thomas Carter*
Network & Operations Manager / IT

*Austin College*
900 North Grand Avenue
Sherman, TX 75090

Phone: 903-813-2564
www.austincollege.edu



