Skip to end of metadata
Go to start of metadata

Draft Version 2.0: June 2010

Handy Hint
If your campus already has an established Security Awareness Program and you're able to dedicate more time and resources to developing your own materials, check out the more advanced Detailed Instruction Manual (Beta version). Other resources of interest might include the Cybersecurity Awareness Resource Library and the National Cyber Security Awareness Month Resource Kit.

Quick Start Guide (Basic)

This guide is for campuses just getting started with a Security Awareness Program. It may also serve as a checklist to assess an institution's existing program.

1) Establish an Information Security Program

EDUCAUSE provides a number of resources to help institutions develop and improve their information security programs. While larger institutions may have resources dedicated to information security, many schools may "handle" information security issues as part of their operational information technology services.

Both models depend heavily on encouraging users to use best practices Without an effective security awareness program, you'll find it difficult to help users understand the risks they face and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. Review the presentation below and consider how you can move things forward.

2) Develop a Security Awareness Plan

Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determined how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.

The materials in this section provide the tools needed to develop your awareness plan and also provide examples of techniques used by other schools. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year over year. But don't forget to "think outside the box" as you develop your plan!

Resources

Creating a Communications Strategy: Planning Tools

Alert/Advisory Templates (Consider using these templates when preparing electronic email or web portal communications regarding information security issues.)

Integrating Social Networking (To reach students, you need to be where the students are--social networking sites. We've found that many students rely on these sites for up-to-date information. They don't always read their email. They do check to see what's on Facebook and other sites.)

3) Adopt and Modify "Key Messages"

The Higher Education Information Security Council (HEISC) is creating resources that address most facets of information security. Consult these resources for help in determining critical issues to communicate to your users.

4) Establish a Security Awareness Website

Establishing a security awareness website allows you to communicate effectively and efficiently with members of your university community. It can quickly become a trusted resource to:

  • provide a trusted go-to resource for timely and updated information
  • compile external repositories of accurate information for more in-depth reading
  • act as your communication hub, promoting additional resources, such as Facebook pages, Twitter profiles, and RSS feeds

On the page linked below are some tips and suggestions for how to compile a website. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic; leverage the work of other EDUCAUSE peers and that of external organizations, like the National Cyber Security Alliance. Instead, focus on building a comprehensive list of key groups and constituencies within your college/university. After all, a great web site that no one visits won't be very helpful.

Additional ideas for web site components:

5) Use HEISC Awareness Posters and Videos in Campus Settings

EDUCAUSE sponsors a student awareness poster and video contest. These materials are designed by students, for students, and are designed to catch their attention. Consider using these materials in your campus awareness campaigns. If you have a campus cable channel, incorporate the videos into your programming.

6) Present "Key Messages" and Campus Resources in Existing Training Venues

7) Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications

Publishing campus newsletters allows you to target specifically the awareness issues that confront your campus or your audience of staff, faculty and/or students. Messages can be delivered at appropriate cycles, in the campus newspaper, to remind the university community of times of vulnerability to scams such as April and IRS emails or Valentines day viruses. Whatever means your campus may have to allow you to recycle the message of personal responsibility in careful use of the internet, use it. Use your television network if you have one to run short security awareness videos. Link from your website to the issues of the newsletter so anyone can view it and read it.

8) Participate in National Cyber Security Awareness Month (NCSAM)

National Cyber Security Awareness Month (NCSAM), conducted every October since 2004, is a national public awareness campaign to encourage everyone to protect their computers and our nation's critical cyber infrastructure. Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary drivers of NCSAM, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data. The success of National Cyber Security Awareness Month rests on all of us doing what we can do to engage those around us to be safe and secure online. There are opportunities for everyone, including college students, college administrators, and libraries, to get involved.http://www.staysafeonline.org/content/get-involved-1

  • Conduct campus or regional awareness events (and share what you're doing with NCSA)
  • Share these tip sheets, which provide in-depth information on how to stay safe in a variety of online settings: on social networking sites, on gaming sites, and on your mobile device.
  • Visit NCSA's YouTube channel where you'll find many cybersecurity-related videos.
  • Additional awareness resources are also available. Here you'll find other organizations' valuable materials that will prepare you for National Cyber Security Awareness Month.

9) Measure the Effectiveness of your Program Annually

One way of measuring the effectiveness of a security program is by employing the use of an annual user survey. This can be augmented with other types of data that one would collect over time. Consider retaining yearly data for the following:

  • User awareness surveys
  • Number of incidents, and helpdesk incident reports
  • Computers meeting baseline guidelines
  • Number of stolen mobile devices
  • Participation at security events
  • Awareness quiz scores

Comparing the data over time, one would hope to see better answers on surveys, less incidents, etc.

Sample Surveys

Other Resources

10) Automate Services

Information Security has the daunting task of staying abreast with the latest threats and zero day outbreaks. Threats evolve and surface daily and the ability to understand and distribute the information is a challenging task. As part of information security awareness both the management and the user communities use of automated services (e.g., RSS feeds, blogs, etc.), can be an integral part of the awareness approach. Information security RSS feeds like the SANS Security Awareness Tip of The Day and US-CERT's Security Alerts allow for recommended tips and critical breaking news pertaining to the latest threats in an automated manner. Leveraging such automated services can reduce workload on information security staff while providing valuable awareness to end users (students, faculty and staff). You can share these alerts with your community by embedding RSS feeds on your campus website.

Example RSS Security News Feeds

Tutorial: RSS Feeds into Twitter and Facebook using Twitterfeed

Top of page


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Labels:
information information Delete
security security Delete
awareness awareness Delete
training training Delete
education education Delete
educause educause Delete
heisc heisc Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.