User Security Training

I’m working on computing project 403 – Consider User Security Training Materials. The brief is:

Consider what user security training materials we can provide and also what mechanism of delivery to use. This could be used to encourage VPN/Kerberos use, provide system management guidelines for when a self-managed server has firewall holes. Ideally we would like a single page with bullet points and that when writing documentation we get volunteers from the end user community (rather than computing staff) to proofread.

The University’s Information Security Division has produced good advice and training on digital security. This project aims to complement that. It does not attempt to compete with or replace it.

This project has been difficult to get going because it’s potentially so open-ended: we need to communicate $SECURITY_ADVICE to $COMPUTER_MANAGERS by $METHODS to achieve $AIMS. Just instantiate the variables.

However, there are some specific priorities:

  • We need to ensure that self-managed (that is, managed by users rather than by computing staff) servers with firewall holes (that is, accessible from outside Informatics) are kept reasonably secure by their managers.
  • We also want to ensure that these managers are aware of their legal obligations as service managers (data protection, freedom of information, University computing regulations, JaNET acceptable use policy, and so on).
  • We envisage providing an automatically assessed Learn course, for which the servers’ managers must achieve a good enough pass mark as a condition of getting firewall holes for their servers.
  • We hope to provide a course which would be useful across the University.
  • We want to promote network security by encouraging more use of VPNs (for encrypted network traffic) and of Kerberos (to cut down the remote use of login passwords).

There seem to be two ways of tackling this:

  1. Begin by listing all the cases (e.g. security advice, groups of users, training techniques) we should consider; construct a list of meaningful actions to take; sort them into priority order; then tackle the most important first.
  2. Identify an important thing which needs doing; do it; reassess. Repeat until bored done.

Colleagues advise that the second option is easily the more practical approach to take.
