| Document Owner | Title |
| --- | --- |
| Jason Dudley | Vice President, Information Technology / CIO |
| Mohammad Rahaman | Chief Information Security Officer |
| Rev# | Name | Date | Description | Signature |
| --- | --- | --- | --- | --- |
| 1.0 | Jason Dudley | 11/14/18 | Initial draft | Electronically signed |
| 1.1 | Jason Dudley | 1/16/19 | Initial release | |

Owner Signature
Table of Contents
1. Introduction
1.1 Objective
1.2 Scope
1.3 Audience
1.4 Document Changes and Feedback
1.5 Referenced Documents
2. Policy Requirements
2.1 FSW Information Security Awareness Training
2.2 Simulated Social Engineering Exercises
2.3 Remedial Training Exercises
3. Compliance & Non-Compliance with Policy
3.1 Non-Compliance Actions
3.2 Compliance Actions
3.3 Removing Failure Events through Passes
4. Responsibilities and Accountabilities
Appendix A - Schedule of Non-Compliance Penalties
Appendix B - Methods for Determining Staff Risk Ratings
1. Introduction
Technical security controls are a vital part of our information security framework, but they are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all staff, who supplement and make full use of the technical security controls. This is obvious in the case of social engineering attacks and other current exploits, which specifically target people rather than IT and network systems.
Without adequate information security awareness, staff are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. In order to protect information assets, all workers must be informed about relevant, current information security matters and motivated to fulfill their information security obligations.
1.1 Objective
This policy specifies the FSW internal information security awareness and training program to inform and assess all staff regarding their information security obligations.
1.2 Scope
This policy applies throughout the organization as part of the college governance framework. It applies regardless of whether staff use computer systems and networks, since all staff are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.
1.3 Audience
In general, this policy applies to all FSW employees and contractors with access to FSW systems, networks, FSW information, nonpublic personal information, personally identifiable information, and/or customer data.
1.4 Document Changes and Feedback
This policy will be updated and re-issued at least annually to reflect, among other things, changes to applicable law, updates or changes to FSW requirements and technology, and the results or findings of any audit.
1.5 Referenced Documents
Documents that are relevant to this policy include the following:
2. Policy Requirements
All awareness training must fulfill the requirements for the security awareness program as listed below:
- The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
- Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness, for example Information Risk and Security Management, Security Administration, Site Security and IT/Network Operations personnel. Such training requirements must be identified in departmental/personal training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.
- Security awareness and training activities should commence as soon as practicable after staff join the organization, generally through attending an information security induction/orientation as part of the onboarding process. Awareness activities should continue on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.
- Where necessary and practicable, security awareness and training materials and exercises should suit their intended audiences in terms of styles, formats, complexity, technical content, etc. Everyone needs to know why information security is so important, but the motivators may be different for workers focused on their own personal situations or managers with broader responsibilities to the organization and their staff.
- The Office of Information Technology will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.
2.1 FSW Information Security Awareness Training
The FSW Information Technology department requires that each employee, upon hire and at least annually thereafter, successfully complete the FSW Security Awareness Training video. Certain staff may be required to complete additional training modules, depending on their specific job requirements, upon hire and at least annually. Staff will be given a reasonable amount of time to complete each course so as not to disrupt business operations.
2.2 Simulated Social Engineering Exercises
The FSW IT department will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. The FSW IT department will conduct these tests at random throughout the year with no set schedule or frequency. The FSW IT department may conduct targeted exercises against specific departments or individuals based on a risk determination.
2.3 Remedial Training Exercises
From time to time FSW staff may be required to complete remedial training courses or may be required to participate in remedial training exercises with members of the FSW IT department as part of a risk-based assessment.
3. Compliance & Non-Compliance with Policy
Compliance with this policy is mandatory for all staff, including contractors and executives. The FSW IT department will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises. The penalties for non-compliance are described in Appendix A of this policy.
3.1 Non-Compliance Actions
Certain actions or non-actions by FSW personnel may result in a non-compliance event (Failure).
A Failure includes but is not limited to:
- Failure to complete required training within the time allotted
- Failure of a social engineering exercise
Failure of a social engineering exercise includes but is not limited to:
- Clicking on a URL within a phishing test
- Replying with any information to a phishing test
- Opening an attachment that is part of a phishing test
- Enabling macros that are within an attachment as part of a phishing test
- Allowing exploit code to run as part of a phishing test
- Entering any data within a landing page as part of a phishing test
- Transmitting any information as part of a vishing test
- Replying with any information to a smishing test
- Plugging in a USB stick or removable drive as part of a social engineering exercise
- Failing to follow FSW policies in the course of a physical social engineering exercise
Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.
The FSW IT department may also determine, on a case-by-case basis, that a specific Failure is a false positive and should be removed from that staff member's total Failure count.
3.2 Compliance Actions
Certain actions or non-actions by FSW personnel may result in a compliance event (Pass).
A Pass includes but is not limited to:
- Successfully identifying a simulated social engineering exercise
- Not having a Failure during a social engineering exercise (Non-action)
- Reporting real social engineering attacks to the IT department
3.3 Removing Failure Events through Passes
Each Failure will result in a remedial training or coaching event as described in Appendix A of this document. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.
4. Responsibilities and Accountabilities
Listed below is an overview of the responsibilities and accountabilities for managing and complying with this policy program.
The Information Security Officer is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization's and the organization's customers' information assets.
Information Technology Management is responsible for developing and maintaining a comprehensive suite of information security policies (including this one), standards, procedures and guidelines that are to be mandated and/or endorsed by management where applicable. Working in conjunction with other corporate functions, it is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff’s responsibilities identified in applicable policies, laws, regulations, contracts, etc.
All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.
All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.
Appendix A - Schedule of Failure Penalties
The following table outlines the penalties for non-compliance with this policy. Steps not listed here may be taken by the FSW IT team to reduce the risk that an individual may pose to FSW.
| Failure Count | Resulting Level of Remediation Action |
| --- | --- |
| First Failure | Mandatory completion of Failure Video 1 (not to exceed 10 minutes) |
| Second Failure | Mandatory completion of Failure Video 2 (not to exceed 20 minutes) |
| Third Failure | Mandatory completion of Failure Video 3 (not to exceed 30 minutes) |
| Fourth Failure | Face-to-face meeting with their ISO |
| Fifth Failure | Face-to-face meeting with their manager and ISO |
| Sixth Failure | Face-to-face meeting with the ISO, manager and respective VP; additional administrative and technical controls may be implemented to prevent further Failure events |
| Seventh Failure | Meeting with ISO, respective VP and Head of Human Resources; additional administrative and technical controls may be implemented to prevent further Failure events |
| Eighth Failure | Formal review of employment with Head of Human Resources; additional administrative and technical controls may be implemented to prevent further Failure events |
| Ninth and Subsequent Failures | Potential for Termination of Employment or Employment Contract |
Appendix B - Methods for Determining Staff Risk Ratings
The following is a list of situations that may increase the risk rating of an FSW staff member. Higher risk ratings may result in more sophisticated social engineering tests and an increase in the frequency and/or type of training and testing.