Keeping ahead of hackers, ID thieves and malware just became easier at UC Davis, now that the campus has bought access to a set of short, engaging and updated security videos from the SANS Institute, a company known for its high-quality IT security training. The videos help meet campus requests for improved security training, and are the first step of a larger security awareness program now in its planning stages.
The training is meant for everyone at UC Davis. Watching the core videos takes about 45 minutes, and can greatly reduce your odds of getting mugged online. In this Q&A, Dewight Kramer--information security consultant and coordinator of the Security Awareness Training Program--and Information Security Manager Tye Stallard lay out the details.
What's the training about?
It is training for the campus, and for individuals, on cyber-security.
There's such broad and deep anxiety about information security. Training is one of the most effective ways we can get the word out about what's reasonable, and what isn't. The threat is changing, the technologies are changing, the vulnerabilities are novel--this is our way of reaching as many people as possible.
Why do you like these particular videos?
SANS updates the video training routinely, and bases it on the 20 Critical Security Controls. This list, a security industry standard, identifies the 20 threats and vulnerabilities that are currently the most critical.
The videos are more engaging, more fun, and more frequently updated than what we used to do.
We've previously used UC video training that was created five years ago, and hasn't been updated. It's more than an hour long. To update it would take a lot of money and time, whereas SANS updates theirs twice a year. The training ha s high production values, is easy to use, and is broken down into small digestible chunks of 2 to 5 minutes. The entire core training takes about 45 minutes.
What will the training cost me?
It won't cost you or your department anything. The campus is providing this service at no charge, for all of campus.
Where do I find the training, and how do I take it?
Go to the IT Service Catalog. Under "Information Security Awareness Training," you\031ll find a link to the trainings. The training resides in the campus learning management system, and Staff Development and Professional Services will host a website that presents the curriculum; that page will list the trainings, and who they're for.
When will the training be available?
By Oct. 1.
How do I know which parts to watch?
The web page with information about the training has links and a list of segments to watch as your core awareness. There are also three subcategories for people who deal with PCI [payment card industry] and HIPA [Health Insurance Portability and Accountability Act], and we're looking at one for IT administrators. The core will be for everyone, and then there will be different segments depending on your role or responsibilities.
Is this training voluntary?
At the campus level, it's voluntary, currently. Some departments have said they're going to make it mandatory for their department.
It won't be voluntary for people in departments where a high risk needs to be addressed, but when it is mandatory, the requirement will make sense--because there's a lot of money involved, or sensitive information, or maybe grades. It'll depend on the department.
This training benefits the individual, as much as it does the campus?
Yes. The campus gets a more aware cyber-citizenship. Everyone becomes just a bit more aware of phishing, of connecting to the web, and becoming better cyber-neighbors.
The end users learn about what the hackers do. The information applies to what you do at the office and at home. We think people will want to learn about the modern threats that are targeting them personally, as well as professionally. It's all the same stuff.
Will you mix in material specific to UC Davis?
Yes. SANS recommends supplementing their videos with small trainings, in PDF or video or some form, that are individualized for the organization. We'll do that too, but not this round. This round is just putting out the generic videos, and getting the word out. We will continue to improve the process, and add UC policy or UC Davis policy things into that training.
This leads into the larger security awareness program that you're working on, Dewight. The larger project will be more comprehensive, and will go beyond videos.
Yes. There will be multiple facets--one will be for staff and faculty, one will target students. At some point we\031ll put up SANS posters that connect to the trainings. And I'll go out to the different departments and talk to people.
Once I've taken the training and do what it says, then what? What's next?
Provide us feedback--was it good, or not? And tell your friends. You can send feedback to Dewight Kramer at firstname.lastname@example.org.
And presumably take it again down the road somewhere.
Yes. You'll need to stay current, and SANS will update the videos. They will be a continuing benefit for all of us.
Test your knowledge: Can you name the most common cyber-security errors on campus? Find the answer in "Biggest mistake? 'People don't consider themselves a target' "