Security Awareness Training and Testing

Document Owner | Title
Jason Dudley | Vice President, Information Technology / CIO
Mohammad Rahaman | Chief Information Security Officer

Rev# | Name | Date | Description | Signature
1.0 | Jason Dudley | 11/14/18 | Initial draft | Electronically signed
1.1 | Jason Dudley | 1/16/19 | Initial release | Owner Signature


Table of Contents

1. Introduction

1.1 Objective

1.2 Scope

1.3 Audience

1.4 Document Changes and Feedback

1.5 Referenced Documents

2. Policy Requirements

2.1 FSW Information Security Awareness Training

2.2 Simulated Social Engineering Exercises

2.3 Remedial Training Exercises

3. Compliance & Non-Compliance with Policy

3.1 Non-Compliance Actions

3.2 Compliance Actions

3.3 Removing Failure Events through Passes

4. Responsibilities and Accountabilities

Appendix A - Schedule of Non-Compliance Penalties

Appendix B - Methods for Determining Staff Risk Ratings


1. Introduction


Technical security controls are a vital part of our information security framework, but they are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all staff, supplementing and making full use of the technical security controls. This is obvious in the case of social engineering attacks and other exploits in current use that specifically target people rather than IT and network systems.


Lacking adequate information security awareness, staff are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. In order to protect information assets, all workers must be informed about relevant, current information security matters, and motivated to fulfill their information security obligations.

1.1 Objective

This policy specifies the FSW internal information security awareness and training program to inform and assess all staff regarding their information security obligations.

1.2 Scope

This policy applies throughout the organization as part of the college governance framework. It applies regardless of whether staff use computer systems and networks, since all staff are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.

1.3 Audience

In general, this policy applies to all FSW employees and contractors with access to FSW systems, networks, FSW information, nonpublic personal information, personally identifiable information, and/or customer data. 

1.4 Document Changes and Feedback

This policy will be updated and re-issued at least annually to reflect, among other things, changes to applicable law, updates or changes to FSW requirements or technology, and the results or findings of any audit.

1.5 Referenced Documents

Documents that are relevant to this policy include the following:

Policy | Policy Owner | Link
Acceptable Use Policy | Information Technology | https://www.fsw.edu/generalcounsel/cop
HR/Employee Handbook | Human Resources | https://www.fsw.edu/humanresources



2. Policy Requirements


All awareness training must fulfill the requirements for the security awareness program as listed below:

  • The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
  • Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness, for example Information Risk and Security Management, Security Administration, Site Security and IT/Network Operations personnel. Such training requirements must be identified in departmental/personal training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.
  • Security awareness and training activities should commence as soon as practicable after staff join the organization, generally through attending information security induction/orientation as part of the onboarding process. The awareness activities should continue on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.
  • Where necessary and practicable, security awareness and training materials and exercises should suit their intended audiences in terms of styles, formats, complexity, technical content, etc. Everyone needs to know why information security is so important, but the motivators may be different for workers focused on their own personal situations or managers with broader responsibilities to the organization and their staff.
  • The Office of Information Technology will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.

2.1 FSW Information Security Awareness Training

The FSW Information Technology department requires that each employee, upon hire and at least annually thereafter, successfully complete the FSW Security Awareness Training video. Certain staff may be required to complete additional training modules depending on their specific job requirements, upon hire and at least annually. Staff will be given a reasonable amount of time to complete each course so as not to disrupt business operations.

2.2 Simulated Social Engineering Exercises

The FSW IT department will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. The FSW IT department will conduct these tests at random throughout the year with no set schedule or frequency. The FSW IT department may conduct targeted exercises against specific departments or individuals based on a risk determination.

2.3 Remedial Training Exercises

From time to time FSW staff may be required to complete remedial training courses or may be required to participate in remedial training exercises with members of the FSW IT department as part of a risk-based assessment.



3. Compliance & Non-Compliance with Policy


Compliance with this policy is mandatory for all staff, including contractors and executives. The FSW IT department will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises. The penalties for non-compliance are described in Appendix A of this policy.

3.1 Non-Compliance Actions

Certain actions or non-actions by FSW personnel may result in a non-compliance event (Failure).

A Failure includes but is not limited to:

  • Failure to complete required training within the time allotted
  • Failure of a social engineering exercise

Failure of a social engineering exercise includes but is not limited to:

  • Clicking on a URL within a phishing test
  • Replying with any information to a phishing test
  • Opening an attachment that is part of a phishing test
  • Enabling macros that are within an attachment as part of a phishing test
  • Allowing exploit code to run as part of a phishing test
  • Entering any data within a landing page as part of a phishing test
  • Transmitting any information as part of a vishing test
  • Replying with any information to a smishing test
  • Plugging in a USB stick or removable drive as part of a social engineering exercise
  • Failing to follow FSW policies in the course of a physical social engineering exercise

Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.

The FSW IT department may also determine, on a case-by-case basis, that specific Failures are false positives and should be removed from that staff member's total Failure count.

3.2 Compliance Actions

Certain actions or non-actions by FSW personnel may result in a compliance event (Pass). 

A Pass includes but is not limited to:

  • Successfully identifying a simulated social engineering exercise
  • Not having a Failure during a social engineering exercise (Non-action)
  • Reporting real social engineering attacks to the IT department

3.3 Removing Failure Events through Passes

Each Failure will result in a Remedial training or coaching event as described in Appendix A of this document. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.



4. Responsibilities and Accountabilities


Listed below is an overview of the responsibilities and accountabilities for managing and complying with this policy program.

The Information Security Officer is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization's and the organization's customers' information assets.

Information Technology Management is responsible for developing and maintaining a comprehensive suite of information security policies (including this one), standards, procedures and guidelines that are to be mandated and/or endorsed by management where applicable. Working in conjunction with other corporate functions, it is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff’s responsibilities identified in applicable policies, laws, regulations, contracts, etc.

All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.

All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.



Appendix A - Schedule of Failure Penalties


The following table outlines the penalties for non-compliance with this policy. Steps not listed here may be taken by the FSW IT team to reduce the risk that an individual may pose to FSW.

Failure Count | Resulting Level of Remediation Action
First Failure | Mandatory completion of Failure Video 1 (not to exceed 10 minutes)
Second Failure | Mandatory completion of Failure Video 2 (not to exceed 20 minutes)
Third Failure | Mandatory completion of Failure Video 3 (not to exceed 30 minutes)
Fourth Failure | Face to face meeting with their ISO
Fifth Failure | Face to face meeting with their manager and ISO
Sixth Failure | Face to face meeting with the ISO, manager and respective VP; possibility that additional administrative and technical controls will be implemented to prevent further Failure events
Seventh Failure | Meeting with ISO, respective VP and Head of Human Resources; possibility that additional administrative and technical controls will be implemented to prevent further Failure events
Eighth Failure | Formal review of employment with Head of Human Resources; possibility that additional administrative and technical controls will be implemented to prevent further Failure events
Ninth and Subsequent Failures | Potential for Termination of Employment or Employment Contract
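The Failure/Pass rules of sections 3.1 through 3.3 and the schedule above amount to a small state machine per staff member. The tracker below is an added illustration, not part of this policy or of any FSW system; it assumes that each run of three consecutive Passes de-escalates by exactly one Failure level and resets the Pass streak, which the policy text leaves unspecified.

```python
"""Per-staff tracker for the Failure/Pass escalation rules (sections 3.1-3.3, Appendix A).

Added example; the de-escalation step size (one level per three Passes) is an assumption.
"""
from dataclasses import dataclass

MAX_FAILURES_PER_EXERCISE = 2   # section 3.1: at most two Failure events per exercise
PASSES_TO_DEESCALATE = 3        # section 3.3: three consecutive Passes de-escalate

# Appendix A, indexed by current Failure level (level 0 = no remediation required).
REMEDIATION = [
    "No action",
    "Failure Video 1 (not to exceed 10 minutes)",
    "Failure Video 2 (not to exceed 20 minutes)",
    "Failure Video 3 (not to exceed 30 minutes)",
    "Face to face meeting with ISO",
    "Face to face meeting with manager and ISO",
    "Meeting with ISO, manager and respective VP",
    "Meeting with ISO, respective VP and Head of Human Resources",
    "Formal review of employment with Head of Human Resources",
    "Potential for Termination of Employment or Employment Contract",
]


@dataclass
class StaffRecord:
    level: int = 0               # Failure count after any de-escalation / false-positive removal
    consecutive_passes: int = 0  # Pass streak since the last Failure or de-escalation

    def record_exercise(self, failures: int) -> int:
        """Record one social engineering exercise; zero Failures counts as a Pass (3.2, non-action)."""
        if failures <= 0:
            return self.record_pass()
        self.level += min(failures, MAX_FAILURES_PER_EXERCISE)  # cap per exercise (3.1)
        self.consecutive_passes = 0                               # a Failure breaks the streak
        return self.level

    def record_missed_training(self) -> int:
        """Not completing required training in time is a single Failure (3.1)."""
        return self.record_exercise(1)

    def record_pass(self) -> int:
        self.consecutive_passes += 1
        if self.consecutive_passes >= PASSES_TO_DEESCALATE and self.level > 0:
            self.level -= 1              # assumption: one level per three Passes
            self.consecutive_passes = 0
        return self.level

    def remove_false_positive(self) -> int:
        """IT removes a Failure judged to be a false positive (3.1)."""
        self.level = max(0, self.level - 1)
        return self.level

    def remediation(self) -> str:
        """Appendix A action for the current level; ninth and later share one entry."""
        return REMEDIATION[min(self.level, len(REMEDIATION) - 1)]
```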



Appendix B - Methods for Determining Staff Risk Ratings


The following is a list of situations that may increase the risk rating of an FSW staff member. Higher risk ratings may result in more sophisticated social engineering tests and an increase in the frequency and/or type of training and testing.

  • Staff member email resides within a recent Email Exposure Check report
  • Staff member is an executive or VP (High-value target)
  • Staff member possesses access to significant FSW confidential information
  • Staff member is using a Windows or Apple-based operating system
  • Staff member uses their mobile phone for conducting work-related business
  • Staff member possesses access to significant FSW systems
  • Staff member personal information can be found publicly on the internet
  • Staff member maintains a weak password
  • Staff member has repeated FSW policy violations
