Policies

Security Awareness Training and Testing

Hendrix College, Technology Services
Policy # 12170
Effective: Monday, August 27, 2018

Purpose

This policy specifies the Hendrix College internal information security awareness and training program to inform and assess all College employees regarding their information security obligations.

Additional Authority
Scope

In general, this policy applies to all Hendrix College employees and contractors with access to Hendrix College systems, networks, College information, nonpublic personal information, personally identifiable information, and/or customer data.

This Policy applies throughout the organization as part of the College's governance framework. It applies regardless of whether employees use computer systems and networks, since all employees are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.

Responsible Party

Chief Information Officer

1. Statement

All awareness training must fulfill the requirements for the security awareness program as listed below:

  • The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
  • Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness, for example Information Risk and Security Management, Security Administration, Site Security and IT/Network Operations personnel. Such training requirements must be identified in departmental/personal training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.
  • Security awareness and training activities should commence as soon as practicable after staff join the organization, generally through attending information security induction/orientation as part of the onboarding process. The awareness activities should continue on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.
  • Where necessary and practicable, security awareness and training materials and exercises should suit their intended audiences in terms of styles, formats, complexity, technical content, etc. Everyone needs to know why information security is so important, but the motivators may be different for workers focused on their own personal situations or managers with broader responsibilities to the organization and their staff.
  • The College will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.
  1. Hendrix College Information Security Awareness Training

    The Hendrix College Technology Services department requires that each employee upon hire and at least annually thereafter successfully complete a security awareness training course. Certain staff may be required to complete additional training modules depending on their specific job requirements upon hire and at least annually. Staff will be given a reasonable amount of time to complete each course so as to not disrupt College operations.

  2. Simulated Social Engineering Exercises

    The Hendrix College Technology Services department will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. The Hendrix College Technology Services department will conduct these tests at random throughout the year with no set schedule or frequency. The Hendrix College Technology Services department may conduct targeted exercises against specific departments or individuals based on a risk determination.

  3. Remedial Training Exercises

    From time to time Hendrix College staff may be required to complete remedial training courses or may be required to participate in remedial training exercises with members of the Hendrix College Technology Services department as part of a risk-based assessment.

2. Compliance & Non-Compliance with Policy

Compliance with this policy is mandatory for all staff, including contractors and executives. The Hendrix College Technology Services department will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises.

The penalties for non-compliance are described in Section 4 of this policy.

  1. Non-Compliance Actions

    Certain actions or non-actions by Hendrix College personnel may result in a non-compliance event (Failure).

    A Failure includes but is not limited to:

    • Failure to complete required training within the time allotted
    • Failure of a social engineering exercise

    Failure of a social engineering exercise includes but is not limited to:

    • Clicking on a URL within a phishing test
    • Replying with any information to a phishing test
    • Opening an attachment that is part of a phishing test
    • Enabling macros that are within an attachment as part of a phishing test
    • Allowing exploit code to run as part of a phishing test
    • Entering any data within a landing page as part of a phishing test
    • Transmitting any information as part of a vishing test
    • Replying with any information to a smishing test
    • Plugging in a USB stick or removable drive as part of a social engineering exercise
    • Failing to follow College policies in the course of a physical social engineering exercise

    Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.

    The Hendrix College Technology Services department may also determine, on a case by case basis, that specific Failures are a false positive and should be removed from that staff member's total Failure count.

  2. Compliance Actions

    Certain actions or non-actions by Hendrix College personnel may result in a compliance event (Pass).

    A Pass includes but is not limited to:

    • Successfully identifying a simulated social engineering exercise
    • Not having a Failure during a social engineering exercise (Non-action)
    • Reporting real social engineering attacks to the Technology Services department

  3. Removing Failure Events through Passes

    Each Failure will result in a remedial training or coaching event as described in Section 4 of this document. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.

3. Responsibilities and Accountabilities

Listed below is an overview of the responsibilities and accountabilities for managing and complying with this policy.

  • The Chief Information Officer/Information Security Manager is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization's and the organization's customers' information assets.
  • Technology Services Management is responsible for developing and maintaining a comprehensive suite of information security policies (including this one), standards, procedures and guidelines that are to be mandated and/or endorsed by management where applicable. Working in conjunction with other corporate functions, it is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff's responsibilities identified in applicable policies, laws, regulations, contracts, etc.
  • All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.
  • All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.

4. Schedule of Failure Penalties

The following table outlines the penalty of non-compliance with this policy. Steps not listed here may be taken by the Hendrix College Technology Services team to reduce the risk that an individual may pose to the College.

Failure Count                  | Resulting Level of Remediation Action
-------------------------------|------------------------------------------------------------
First through Third Failures   | Mandatory completion of additional security training courses.
Fourth and Subsequent Failures | Additional technical security constraints. Stepped disciplinary process in accordance with Human Resources Policies.

Revisions

Date      | Change
----------|--------------
7/15/2018 | Initial Draft