
Version 3.0: December 2015

Handy Hint

If your campus already has an established Information Security Awareness Program and you're able to dedicate more time and resources to developing your own materials, check out the more advanced Security Awareness Detailed Instruction Manual. Other resources of interest might include the Cybersecurity Awareness Resource Library, the NCSAM Resource Kit, and the new Annual Campus Security Awareness Campaign (2016).

Quick Start Guide

This guide is for campuses just getting started with an Information Security Awareness Program. It may also serve as a checklist to assess an institution's existing program.

What is an Information Security Awareness Program?

An Information Security Awareness Program is an organized effort to make employees and customers aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks. While the program can be focused on one specific group (e.g., leadership), to be effective at maturity the program should address all stakeholders, including leadership, employees, customers (i.e., students), and partners (i.e., external service providers). As explained in the CSO article “Seven Elements of a Successful Security Awareness Program,” the program should include C-level support, partnering with key departments, creativity, metrics, ‘how-to’ information, and multiple methods of delivery.

Why an Information Security Awareness Program?

Community members must understand security and privacy compliance requirements.

  •  Breaches can have serious legal and financial implications.
  •  Certain breaches must be investigated and reported promptly.

Community members have a critical role in risk mitigation.

  •  Attackers are focusing on community members; it is important that they understand the risks to their credentials and the other dangers they face.
  •  Community members need to understand how to work with security solutions.

1) Establish an Information Security Program

Without an effective security awareness program, you'll find it difficult to help community members understand the risks they face, the secure methods they should use, and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. It is important to develop support from senior management for the information security program in order to ensure appropriate human resource allocation and financial support.

2) Develop a Security Awareness Plan

Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determined how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.

The materials in this section provide the tools needed to develop your awareness plan and also provide examples of techniques used by other schools. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year after year. But don't forget to "think outside the box" as you develop your plan!

Resources

EDUCAUSE provides a number of resources to help institutions develop and improve their information security programs. While larger institutions may have resources dedicated to information security, many schools may handle information security issues as part of their operational information technology services.

Before getting started, we encourage you to check out the following resources. A few minutes of reading now may save you hours of work later by increasing your chances of getting started down the right path on the first try.

Creating a Communications Strategy: Planning Tools

Alert/Advisory Templates (Consider using these templates when preparing e-mail or web portal/intranet communications regarding information security issues.)

Integrating Social Networking (Survey community members to learn which social media sites are visited frequently and utilize these communication channels for security messages. To reach students, you must be where the students are (e.g., Facebook, Twitter, Instagram, Tumblr). We've found that many students rely on these sites for up-to-date information.)

3) Adopt and Modify "Key Messages"

Your audience will only have so much time and patience to hear your messages. Select your messages carefully, present them in an easily digestible format, and try to limit the number of concepts or topics introduced to your audience in each message. Remember, the typical attention span of an audience is 5-10 minutes. If your materials or presentation require more time than that, think about how to break up the content and how to re-ignite audience interest throughout the presentation. Here is a list of sample key messages that are common to most institutions of higher education:

  •  Unexpected e-mail messages that ask you to click on links, open attachments, or disclose sensitive information can be seriously malicious…learn about phishing now!
  •  Passwords that are simple, short, based on dictionary words, or lack a mix of uppercase and lowercase letters, numbers, and symbols are easily guessed by hackers. Change your password now!
  •  Consider using passwords that are at least fifteen characters, pass phrases, and/or two-factor authentication.
  •  Security is everyone’s responsibility. Ask about your role in protecting sensitive information today.
  •  Information security is a shared interest. Things you do to protect institutional data may very well help to protect your personal information as well.
  •  Information security breaches are serious, expensive, and can cause life-long impacts on victims.
  •  Institutions that think they have not been hacked probably just do not know that they have been hacked. Be humble; learn today what you can do to prevent a breach.

After you develop your key messages, back them up with “how to” resources. In other words, do not just tell people to avoid phishing, show them how.

As you develop resources for your program, consult the following resources that address most facets of information security.

4) Establish a Security Awareness Website

Establishing an information security awareness website allows you to communicate effectively and efficiently with members of your institution's community. It can quickly become a trusted resource to:

  • provide timely and updated information
  • compile external repositories of accurate information for more in-depth reading
  • act as your communication hub, promoting additional resources, such as Facebook pages, Twitter profiles, and RSS feeds

If you are creating or revamping your program's website, the toolkit Developing Your Campus Information Security Website provides excellent tips, as well as links to other college and university websites. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic. Leverage the work of other EDUCAUSE peers and that of external organizations, like the National Cyber Security Alliance, and focus on building a comprehensive list of key groups and constituencies on your campus.

Additional ideas for website components:

5) Use HEISC Awareness Posters and Videos in Campus Settings

Since 2006, EDUCAUSE has sponsored a student information security awareness video and poster contest. These materials are designed by students for students to catch their attention. Consider using these videos and posters in your campus awareness campaigns. If you have a campus cable channel, incorporate the videos into your programming.

6) Present "Key Messages" and Campus Resources in Existing Training Venues

7) Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications

Publishing campus newsletters allows you to specifically target the awareness issues that confront your campus or your audience of staff, faculty, and/or students. Messages can be delivered at appropriate cycles, in the campus newspaper, to remind the university community of periods of heightened vulnerability to scams, such as IRS-themed e-mails in April or Valentine's Day viruses. Whatever means your campus may have to allow you to recycle the message of personal responsibility in careful use of the internet, use it. Use your television network, if you have one, to run short security awareness videos. Link from your website to the issues of the newsletter so anyone can view and read it.

8) Participate in National Cyber Security Awareness Month (NCSAM)

National Cyber Security Awareness Month (NCSAM), conducted every October since 2004, is a national public awareness campaign to encourage everyone to protect their computers and our nation's critical cyber infrastructure. Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary drivers of NCSAM, coordinate to shed a brighter light in October on what home users, schools, businesses, and governments need to do in order to protect their computers, children, and data. The success of National Cyber Security Awareness Month rests on all of us doing what we can do to engage those around us to be safe and secure online. There are opportunities for everyone, including college students, college administrators, and libraries, to get involved.

  • Conduct community-based security awareness events on campus or regionally (and share what you're doing with NCSA)
  • Share these tip sheets, which provide in-depth information on how to stay safe in a variety of online settings: on social networking sites, on gaming sites, and on your mobile device.
  • Visit NCSA's YouTube channel where you'll find many cybersecurity-related videos.
  • Additional awareness resources are also available. Here you'll find other organizations' valuable materials that will prepare you for National Cyber Security Awareness Month.

9) Measure the Effectiveness of your Program Annually

One way of measuring the effectiveness of a security program is by using an annual user survey. This can be augmented with other types of data that one would collect over time. Consider retaining yearly data for the following:

  • User awareness surveys
  • Number of incidents, and help desk incident reports
  • Computers meeting baseline guidelines
  • Number of stolen mobile devices
  • Participation at security events
  • Awareness quiz scores

Comparing the data over time, one would hope to see better answers on surveys, fewer incidents, etc.

Sample Surveys

Other Resources

10) Automate Services

Information Security has the daunting task of staying abreast of the latest threats and zero-day outbreaks. Threats evolve and surface daily, and understanding and distributing that information is a challenging task. As part of information security awareness, the use of automated services (e.g., RSS feeds, blogs, etc.) by both management and the user community can be an integral part of the awareness approach. Information security RSS feeds like the SANS Security Awareness Tip of the Day and US-CERT's Security Alerts deliver recommended tips and critical breaking news about the latest threats automatically. Leveraging such automated services can reduce the workload on information security staff while providing valuable awareness to end users (students, faculty, and staff). You can share these alerts with your community by embedding RSS feeds on your campus website.
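The following is an added example, not code from EDUCAUSE, HEISC, or the feed providers named above, showing how a campus website could consume a security-tip RSS feed and embed its items safely. It assumes a standard RSS 2.0 structure (channel, item, title, link, pubDate); the feed text is constructed for the example rather than taken from SANS or US-CERT, and a real deployment would fetch the feed over HTTPS (for instance with urllib.request.urlopen and a timeout) before passing it to parse_feed. Because feed content is third-party input rendered into your own pages, the example escapes titles and only keeps http(s) links, which is the check a practitioner should not skip when embedding someone else's feed.

```python
"""Parse an RSS 2.0 security feed and render it for safe embedding.

Added example for this guide, not EDUCAUSE/HEISC code. SAMPLE_FEED is
constructed to resemble a security tip feed; it is not a real feed.
"""
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample feed. The second item deliberately carries HTML in its
# title and a non-http link so the rendering step has something to neutralise.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Security Awareness Tips (constructed)</title>
    <item>
      <title>Tip: Think before you click on unexpected attachments</title>
      <link>https://example.edu/tips/attachments</link>
      <pubDate>Mon, 07 Dec 2015 09:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Alert: Phishing campaign &lt;script&gt;alert(1)&lt;/script&gt; targeting campus e-mail</title>
      <link>javascript:alert(1)</link>
      <pubDate>Tue, 08 Dec 2015 14:30:00 +0000</pubDate>
    </item>
    <item>
      <title>Tip: Use a passphrase of at least fifteen characters</title>
      <link>https://example.edu/tips/passphrases</link>
      <pubDate>Wed, 09 Dec 2015 08:15:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""

ALLOWED_SCHEMES = {"http", "https"}


def parse_feed(xml_text):
    """Return feed items as dicts (title, link, published), newest first."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 feed: no <channel> element")
    items = []
    for item in channel.findall("item"):
        published = None
        raw_date = item.findtext("pubDate")
        if raw_date:
            try:
                published = parsedate_to_datetime(raw_date)
            except (TypeError, ValueError):
                published = None  # malformed date: keep the item, sort it last
            if published is not None and published.tzinfo is None:
                published = published.replace(tzinfo=timezone.utc)
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "published": published,
        })
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    items.sort(key=lambda i: i["published"] or epoch, reverse=True)
    return items


def safe_link(url):
    """Return url only if it is an http(s) link with a host; otherwise None."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return None


def render_html(items, limit=5):
    """Render the newest items as an HTML list, escaping all feed content."""
    lines = ['<ul class="security-feed">']
    for item in items[:limit]:
        title = html.escape(item["title"])
        link = safe_link(item["link"])
        date = item["published"].strftime("%Y-%m-%d") if item["published"] else ""
        if link:
            entry = '<a href="%s">%s</a>' % (html.escape(link, quote=True), title)
        else:
            entry = title  # untrusted scheme: show the text, drop the link
        lines.append("  <li>%s %s</li>" % (date, entry))
    lines.append("</ul>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_html(parse_feed(SAMPLE_FEED)))
```

Running the script prints a three-item list with the newest tip first; the injected script tag appears as literal text and the javascript: link is dropped while its title is still shown. In a real deployment, cache the fetched feed and refresh it on a schedule rather than fetching on every page view, so an outage at the feed provider does not take your awareness page down with it.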

Example RSS Security News Feeds

Tutorial: RSS Feeds into Twitter and Facebook using Twitterfeed




Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
