IT0123-Security Awareness Training Policy

SECURITY AWARENESS TRAINING POLICY

The information security awareness program ensures that all employees achieve and maintain at least a basic level of understanding of information security matters, ethics, and acceptable behavior. The overall objective is to establish policy for maintaining the security skills of the University’s Workforce. (IT0123)

CATEGORY: INFORMATION SYSTEMS & TECHNOLOGY
POLICY NUMBER: IT0123
TITLE: SECURITY AWARENESS TRAINING POLICY
ISSUE DATE: 07/28/2022
AUTHOR: OFFICE OF INFORMATION TECHNOLOGY
REVISION DATE:
APPROVAL: CHIEF INFORMATION OFFICER

 

1. OVERVIEW

Technical security controls are a vital part of our information security framework, but they are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all employees, supplementing and making full use of the technical security controls. This is most evident in social engineering attacks and other current exploits, which specifically target people rather than IT and network systems.

Lacking adequate information security awareness, employees are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. To protect information assets, all employees must be informed about relevant, current information security matters and motivated to fulfill their information security obligations as required by UT System Policy IT0123.

 

2. OBJECTIVE

This policy specifies that the UT Southern internal information security awareness and training program will inform and assess all employees regarding their information security obligations.

 

3. SCOPE

This policy applies to all employees including interns and temporary employees. It applies regardless of whether employees use computer systems and networks, since all employees are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience.

 

4. POLICY

All awareness training must fulfill the requirements for the security awareness program as listed below:

The information security awareness program should ensure that all employees achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.

Security awareness and training activities should commence as soon as an employee joins the organization. Security awareness training will be assigned to the new employee as part of the onboarding process, and awareness activities will be conducted on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness. UT Southern will provide employees with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.

4.1 UT Southern Security Awareness Training

UT Southern requires that each employee upon hire, and at least annually thereafter, successfully complete the assigned security awareness training courses. Certain employees may be required to complete additional training modules depending on their specific job requirements upon hire and at least twice a year. Employees will have 180 days to complete each assigned training course. 

4.2 Simulated Social Engineering Exercises

UT Southern will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. UT Southern will conduct these tests at random throughout the year with no set schedule or frequency. UT Southern may conduct targeted exercises against specific departments or individuals based on a risk determination. The social engineering exercises are not tests; the exercises are individual assessments to help determine the overall security posture of the organization.

4.3 Remedial Training Exercises

From time to time, employees may be required to complete remedial training courses or to participate in remedial training exercises with members of Information Security & the Office of Information Technology as part of a risk-based assessment.

4.4 Compliance (Pass)

A pass includes, but is not limited to:

  • Successfully identifying a social engineering or phishing attack
  • Reporting a social engineering or phishing attack to Information Security & the Office of Information Technology
  • Not having a failure during a social engineering or phishing attack (non-action)

 

4.5 Non-Compliance (Fail)

A failure includes but is not limited to:

  • Failure to complete required training within 60 days
  • Failure of a social engineering or phishing attack

 

Failure of a social engineering exercise includes but is not limited to:

  • Clicking on a URL within a phishing email
  • Replying with any information to a phishing email
  • Opening an attachment that is part of a phishing email
  • Enabling macros that are within an attachment as part of a phishing email
  • Allowing exploit code to run as part of a phishing email
  • Entering any data within a landing page as part of a phishing email
  • Transmitting any information as part of a vishing call
  • Replying with any information to a smishing text message
  • Plugging in an unknown USB stick or removable drive as part of a social engineering attempt
  • Failing to follow policies in the course of a physical social engineering attempt

 

Certain social engineering exercises can result in multiple failures being counted in a single test.

It may also be determined, on a case-by-case basis, that specific failures are a false positive and should be removed from that staff member’s total failure count.

 

4.6 Non-Compliance Remediation Actions

The following table outlines the remediation actions resulting from non-compliance with this policy. Information Security & the Office of Information Technology may take additional steps not listed here to reduce the risk that an individual poses to the organization.

Failure Count        Resulting Level of Remediation Action
First Failure        Mandatory completion of one remediation training course within 30 days
Second Failure       Mandatory completion of two remediation training courses within 30 days
Third Failure        Verbal warning and meeting with Information Security & the Office of Information Technology and the employee’s manager
Fourth Failure       Written Corrective Action
Subsequent Failure   Corrective actions according to the Corrective Discipline Policy

 

 

5. REFERENCES

  1. IT0123 – Security Awareness, Training, and Education.


Article ID: 141017
Created: Fri 8/5/22 9:23 AM
Modified: Tue 1/24/23 10:45 AM