A strong security program requires staff to be trained on security policies, procedures, and technical security controls. The IT Security Awareness and Training program establishes the education requirements for IT Security, IT administrators, IT managers, and users of the systems, and documents the steps taken to ensure that university systems and data are appropriately safeguarded. Our faculty, staff, and student employees are the front line in protecting the University's data assets, and this program provides consistent guidance and an overall approach to security awareness.
Scope
All employees and student employees who use, maintain, or handle 91社区 information assets must follow this education program. Program exceptions will be permitted only if approved in advance and in writing by the Chief Information Officer (CIO), and are reviewed annually.
Procedure
The program ensures that employees are provided with regular education, reference materials, support, and reminders that enable them to appropriately protect 91社区's data assets. Education shall include but is not limited to:
- Annual Information Security Awareness Education - All employees are required to take the security awareness education upon hire and at least annually. This includes an acknowledgement of the IS policy.
The basic information security awareness education for all employees or agents will include:
- General information security awareness best practices
- Data confidentiality, integrity, and availability
- University IT Resource appropriate use and information security policies
- Individual employee information security roles and responsibilities
- Data classification and handling requirements, including the need to protect sensitive information
- How to identify suspicious or risky activities
- Cybersecurity threat reporting requirements
- IT security terms and definitions
- Authentication awareness and best practices
- Quarterly Phishing Education - Phishing email awareness is the best defense against threat actor phishing email attempts. IT Security provides quarterly education paired with a simulated phishing email tool. It is important that employees participate in these quarterly events to continue to enhance their knowledge of safe email practices. Positive reinforcement is provided when an employee reports a simulated phishing email via the phish alert button. If an employee interacts with a simulated phishing email, an education web page is presented to give the employee an opportunity for a refresher on safe email practices. If, in two consecutive quarters, an employee engages with a simulated phishing email (clicks a link or opens an attachment), the employee is required to take the Security Awareness Foundations KB4 training for additional security awareness. Additionally, the employee's manager is notified to provide additional training and a reminder of the importance of safe email practices. If there is a third failed simulated phish, the employee's account will be locked/disabled until additional training is completed. These ongoing education methods are proven to make the employee base more resilient and reduce business email compromise.