Overview
A strong security program requires staff to be trained on security policies, procedures, and technical security controls. The IT Security Awareness and Training program establishes the education requirements and documents the steps to ensure that university systems and data are appropriately safeguarded for IT security, IT administrators, IT managers, and users of the systems. Our faculty, staff, and student employees are the front line protecting the University’s data assets. This program will assist in providing consistent guidance and overall approach to security awareness.
Scope
All employees and student employees who use, maintain, or handle USI information assets must follow this education program. Program exceptions will be permitted only if approved in advance and in writing by the Chief Information Officer (CIO) and are reviewed annually.
Procedure
The program ensures that employees are provided with regular education, reference materials, support, and reminders that enable them to appropriately protect USI’s data assets. Education shall include but is not limited to:
- Annual Information Security Awareness Education - All employees are required to take the security awareness education upon hire and at least annually. This includes an acknowledgement of the information security (IS) policy.
The basic information security awareness education for all employees or agents will include:
- General information security awareness best practices
- Data confidentiality, integrity, and availability
- University IT Resource appropriate use and information security policies
- Individual employee information security roles and responsibilities
- Data classification and handling requirements, including the need to protect sensitive information
- How to identify suspicious or risky activities
- Cybersecurity threat reporting requirements
- IT security terms and definitions
- Authentication awareness and best practices
Quarterly Phishing Education
Phishing email awareness is the best defense against threat actor phishing email attempts. IT Security provides quarterly education partnered with a simulated phish email tool. It is important that employees participate in these quarterly events to continue to enhance their knowledge of safe email practices. Positive reinforcement is provided when an employee reports a simulated phishing email via the phish alert button. If an employee interacts with a simulated phishing email, information is provided to refresh the employees understanding of safe email practices. If an employee clicks or opens attachment(s) within a simulated phishing email within two consecutive quarters, the employee is required to take the Security Awareness Foundations KB4 training for additional security awareness. Additionally, the employee’s manager is notified. If there is a third failed simulated phish, the employee’s account is locked/disabled until additional training is completed. These ongoing education methods prove to make the employee base more resilient to account takeover and reduce business email compromise.