SECURITY AWARENESS
TRAINING POLICY
The information security awareness program ensures that all employees achieve and maintain at least a basic level of understanding of information security matters, ethics, and acceptable behavior. The overall objective is to establish policy for maintaining the security skills of the University's Workforce (IT0123).
CATEGORY: INFORMATION SYSTEMS & TECHNOLOGY POLICY NUMBER: IT0123
TITLE: SECURITY AWARENESS TRAINING POLICY ISSUE DATE: 07/28/2022
AUTHOR: OFFICE OF INFORMATION TECHNOLOGY REVISION DATE:
APPROVAL: CHIEF INFORMATION OFFICER
1. OVERVIEW
Technical security controls are a vital part of our information security framework but are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all employees, supplementing and making full use of the technical security controls. This is especially clear in the case of social engineering attacks and other current exploits, which specifically target vulnerable humans rather than IT and network systems.
Lacking adequate information security awareness, employees are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. In order to protect information assets, all employees must be informed about relevant, current information security matters and motivated to fulfill their information security obligations as required by UT System Policy IT0123.
2. OBJECTIVE
This policy specifies that UT Southern's internal information security awareness and training program will inform and assess all employees regarding their information security obligations.
3. SCOPE
This policy applies to all employees including interns and temporary employees. It applies regardless of whether employees use computer systems and networks, since all employees are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience.
4. POLICY
All awareness training must fulfill the requirements for the security awareness program as listed below:
The information security awareness program should ensure that all employees achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
Security awareness and training activities should commence as soon as an employee joins the organization. Security awareness training will be assigned to the new employee as part of the onboarding process and awareness activities will be conducted on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness. UT Southern will provide employees with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.
4.1 UT Southern Security Awareness Training
UT Southern requires that each employee upon hire, and at least annually thereafter, successfully complete the assigned security awareness training courses. Certain employees may be required to complete additional training modules depending on their specific job requirements upon hire and at least twice a year. Employees will have 180 days to complete each assigned training course.
4.2 Simulated Social Engineering Exercises
UT Southern will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. UT Southern will conduct these tests at random throughout the year with no set schedule or frequency. UT Southern may conduct targeted exercises against specific departments or individuals based on a risk determination. The social engineering exercises are not tests; the exercises are individual assessments to help determine the overall security posture of the organization.
4.3 Remedial Training Exercises
From time to time, employees may be required to complete remedial training courses or to participate in remedial training exercises with members of Information Security & the Office of Information Technology as part of a risk-based assessment.
4.4 Compliance (Pass)
A pass includes, but is not limited to:
- Successfully identifying a social engineering or phishing attack
- Reporting a social engineering or phishing attack to Information Security & the Office of Information Technology
- Not having a failure during a social engineering or phishing attack (Non-action)
4.5 Non-Compliance (Fail)
A failure includes but is not limited to:
- Failure to complete required training within 60 days
- Failure of a social engineering or phishing attack
Failure of a social engineering exercise includes but is not limited to:
- Clicking on a URL within a phishing email
- Replying with any information to a phishing email
- Opening an attachment that is part of a phishing email
- Enabling macros that are within an attachment as part of a phishing email
- Allowing exploit code to run as part of a phishing email
- Entering any data within a landing page as part of a phishing email
- Transmitting any information as part of a vishing call
- Replying with any information to a smishing text message
- Plugging in an unknown USB stick or removable drive as part of a social engineering attempt
- Failing to follow policies in the course of a physical social engineering attempt
Certain social engineering exercises can result in multiple failures being counted in a single test.
It may also be determined, on a case-by-case basis, that specific failures are a false positive and should be removed from that staff member’s total failure count.
4.6 Non-Compliance Remediation Actions
The following table outlines the remediation actions taken in response to non-compliance with this policy. Steps not listed here may be taken by Information Security & the Office of Information Technology to reduce the risk that an individual may pose to the organization.
| Failure Count | Resulting Level of Remediation Action |
|---|---|
| First Failure | Mandatory completion of one remediation training course within 30 days |
| Second Failure | Mandatory completion of two remediation training courses within 30 days |
| Third Failure | Verbal warning and meeting with Information Security & the Office of Information Technology and the Employee's Manager |
| Fourth Failure | Written Corrective Action |
| Subsequent Failure | Corrective actions according to the Corrective Discipline Policy |
5. REFERENCES
- IT0123 – Security Awareness, Training, and Education.