Educause Security Discussion mailing list archives

Re: Mandatory IT Security training


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Tue, 24 Jul 2018 21:48:51 +0000

A little off course, but related.  Does FERPA require training (I'm getting a little static from those who don't want 
to do it)?  I can't seem to find where (if) the act specifically requires training.  It talks about using best 
practices, and required for enforcement procedures, but I can't seem to find "do this...".  If anybody knows where (if) 
that is, let me know.

From web site - https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33
§99.62   What information must an educational agency or institution or other recipient of Department funds submit to 
the Office?
The Office may require an educational agency or institution, other recipient of Department funds under any program 
administered by the Secretary to which personally identifiable information from education records is non-consensually 
disclosed, or any third party outside of an educational agency or institution to which personally identifiable 
information from education records is non-consensually disclosed to submit reports, information on policies and 
procedures, annual notifications, training materials, or other information necessary to carry out the Office's 
enforcement responsibilities under the Act or this part.
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gomez, Joshua
Sent: Tuesday, July 24, 2018 10:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Mandatory IT Security training

Hi Brent,

We recently just passed this into policy. To create urgency and buy-in, we related the policy to the Gramm-Leach-Bliley Act 
(GLBA), GDPR, and the Red Flag Rule. As a Financial Aid institution, we have to comply with GLBA.  I would also 
research state privacy laws specifically where your institution is headquartered and/or where your students are taking 
courses from (if you are online).

I used these resources from SANS that call out training requirements for compliance - 
https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

Our training covers basic cybersecurity (phishing, spear phishing, anatomy of a phishing email), cloud computing (what 
to store, what not to store, etc.), and password policy.  There are more specific trainings for PCI data stewards.

I attached an unbranded draft of the policy.

Josh


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Haselhoff, Brent
Sent: Tuesday, July 24, 2018 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mandatory IT Security training

Hi Everyone,

We are currently evaluating our mandatory IT security training policies and procedures.  Does your university require 
IT security training for all employees?  If so, what topics are covered?  Do you require this training in order to stay 
compliant with some sort of regulation, or are you doing it because it is best practice? Do you require this training 
annually or just upon hire?
Thanks
Brent


Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012



