Security Standard 01: Security Training

Summary

Outline

1. Security Awareness Training
    
   1. Initial and Recurring Training - The Chief Information Security Officer (CISO) shall ensure that security training is delivered and tracked. Initial and recurring training:
      1. should, at minimum, identify User responsibilities, common threats, regulatory and Institutional requirements regarding the acceptable use and security of Information Resources, proper handling of IWU Protected and Sensitive Data, and incident notification; and
      2. is to be administered in accordance with the following schedule.
         1. Each new employee (e.g. full time faculty, staff and adjuncts) must complete initial training within 14 days after the date that such a person is begins their work at the Institution.
         2. Recurring training for employees shall take place annually.
             
   2. Annual Awareness Training should, at minimum, educate and assist in identifying common threats, promote the proper handling of data, describe behaviors that increase risk, those that reduce risk, and proper incident notification.  The method of delivery shall be via the Proofpoint Security Education Platform and scheduling of awareness training should coincide with other required university compliance training as agreed upon with IWU Legal and Risk leadership.
      1. Each employee shall complete the mandatory annual training within the agreed upon timeframe as defined by the CISO, Risk and Legal.
      2. If an employee does not complete all required training, the employee's IWU login account will be disabled.  The employee will then be required to contact the IWU Support Center, open a support case for re-instatement and communicate with the CISO on completion timing. The account will then be re-enabled so that completion of mandatory training can occur.  If training is not completed within the grace period, a report will be sent to the employee's supervisor and human resources.
          
   3. Compliance Training - Annual HIPAA and PCI training should occur and target IWU employees who are responsible for the security of PHI and credit card information.  This targeted training will coincide with the annual awareness training schedule. This training shall adhere to sections 1.2.1 and 1.2.2.
       
   4. Technical Security Training - All Technical Support Staff (e.g., support center, network support, server support) responsible for managing university owned IT devices are required to take, as a part of annual awareness training, specific modules that relate to their function within Information Technology Services if available.  This training shall adhere to sections 1.2.1 and 1.2.2.
       
   5. Information Security Policy Acknowledgement - New hire and annual awareness training shall include modules that reference important information security policies. By completing the policy review within the annual training, the employee acknowledges the policy and their responsibility for compliance.
       
   6. Email Phishing Training - At multiple times throughout the year, all employees will be subject to email phishing security campaigns.  The cadence and frequency shall be determined by the CISO.  This training shall;
      1. simulate current threats,
      2. provide feedback in the event of a negative interaction with the phishing email,
      3. and provide additional training for employees who fail the exercise more than once.

Publication Tracking