SEC-S012 Information Security Awareness Training Standard

  1. OBJECTIVE: 
    1. Technical security controls are a vital part of the Austin Peay State University’s information security framework but are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all university employees. This is evident in the increasing number of social engineering attacks and other current exploits used by threat actors, which specifically target vulnerable humans rather than information technology and network systems.
    2. Lacking adequate information security awareness, university employees are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. In order to protect information assets, all university employees must be informed about relevant, current information security matters, and be motivated to fulfill their information security obligations.
    3. This Standard specifies the Austin Peay State University internal information security awareness and training program to inform and assess all university employees regarding their information security obligations.
  2. RESPONSIBILITIES: 
    1. This Standard applies to all Austin Peay State University employees with access to university systems, networks, university information, nonpublic personal information, personally identifiable information, and/or customer information. Employees include faculty, staff, adjuncts, temporary employees, student employees, and retirees.
    2. The Information Technology Security team (ITSec) is responsible for the implementation, management, and enforcement of this Standard.
  3. APPROVAL AUTHORITY:
    1. Chief Information Officer
  4. SCOPE:
    1. This Standard, operating under University Policy 4:042 Information Security and Data Classification, applies throughout the university as part of the data governance framework. The Standard applies to all employees, regardless of whether staff use computer systems and networks or not. All employees are expected to protect all forms of information assets, including computer data, written materials, and intangible forms of knowledge and experience.
  5. REQUIREMENTS:
    1. Information Security Awareness Training
      1. All information security awareness training must fulfill the requirements as listed here:
        1. The Information Technology Security (ITSec) team requires that each university employee upon hire and at least annually thereafter complete training modules as assigned in the university’s Information Security Awareness training platform(s).
        2. The university will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.
        3. Where necessary and practicable, information security awareness and training materials and exercises will be provided to suit their intended audience in terms of styles, formats, complexity, technical content, etc.
        4. Information security awareness and training activities will begin as soon as practicable after employees join the university, generally through attending information security orientation as part of the onboarding process as well as enrollment in the Information Security training portal training campaign for new hires. Information security awareness activities and training will continue on a continuous basis thereafter in order to maintain a reasonably consistent level of awareness.
        5. Additional training is appropriate for university employees with specific obligations towards information security that are not satisfied by basic security awareness. Additional training will be assigned to university employees that handle data covered by GLBA as well as PCI-DSS.
        6. The information security awareness program will ensure that all university employees achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
    2. Simulated Social Engineering Exercises
      1. The ITSec team will conduct periodic simulated social engineering exercises including but not limited to: phishing (email), vishing (voice), smishing (SMS), USB testing, and physical assessments. The ITSec team will conduct these tests randomly throughout the year with no set scheduled frequency. The ITSec team may conduct targeted exercises against specific departments or individuals based on a risk determination.
    3. Remedial Training Exercises
      1. The ITSec team may assign remedial training courses or remedial training exercises to select university employees based on a risk-based assessment or repeat failures of simulated social engineering exercises.
    4. Compliance with this Standard
      1. Compliance with this Standard is mandatory for all university employees. The ITSec team will monitor compliance and non-compliance with this Standard and report to university leadership the results of training and social engineering exercises. Non-compliance may mean the loss of access to university systems until training has been successfully completed.
    5. Exceptions
      1. An exception to complying with this Standard will require documented approval from the IT Security Director, and the requester must demonstrate a legitimate need for the exception to the director.
  6. ASSOCIATED DOCUMENTS:
    1. 4:042 Information Security and Data Classification Policy
  7. RECORD RETENTION TABLE:

     Identification              Storage      Retention   Disposition   Protection
     OITManagers Network Share   Electronic   Perpetual   Delete        Electronic Back-up

  8. REVISION HISTORY:

     Date:        Rev.   Description of Revision:
     11/07/2022          Initial Release