With the month of August coming to an end, schools, colleges and universities all over the country are starting up again. For IT departments in higher education, it means that the busiest part of the year is over. Because the effect of service degradation is the lowest, the summer break is the time where most large projects are undertaken. For many schools this means infrastructure upgrades, upgrading/restoring labs, getting new faculty equipment ready in time for the new school year, etc.

For us as information security professionals, the summer is a good time to review our IT policies, revise them where necessary and get them approved by management and rolled out to our constituencies.

This year, we put the emphasis on revising our acceptable use policy and developing a new policy which was designed to reduce the amount of rogue networking equipment connected to our network. These two policies will be the topic of another post.

Having developed new and existing policies during the summer, the beginning of the school year is a good time for a security awareness campaign. When students come back after the break, they are a prime target for a campaign that explains proper use of IT infrastructure, or more importantly, improper use.

In our case, we are kicking off with a five-week poster campaign. Each week, we'll be putting up different posters covering different themes. This year's themes are:

  • Protect your data: make backups often and keep them safe
  • Sharing copyrighted files is usually illegal, and your are not anonymous
  • Don't become a victim of phishing. Think before sharing personal information via mail, email, telephone, the web or phone. Always verify who you are sharing it with
  • Before you click, ask yourself: is it safe? Be ware of unexpected email attachments and unknown websites
  • You count on your password to keep your data and identity safe. Return the favor- Don't share your password with anyone

The posters have all been designed in-house, and they look awesome.

Since our primary audience consists predominantly of freshmen, it is near impossible to get a good baseline in place. As such, we'll have to measure the success of the campaign by comparing the number of incidents per constituent compared to last year. Hopefully it will be lower.

Having said that, we'll have to compensate (somehow ) for the fact that by increasing security awareness, the amount of incidents that is actually reported usually goes up too.

After these five weeks, we'll be in the first week of October, which is security awareness month. Throughout October, we will provide education and training in the form of targeted workshops and seminars for students and employees. 

Hopefully this will put us in a position where the people who are using IT resources to handle sensitive information are aware of the fact that they are doing so, and behave accordingly.