Security Awareness, Training, And Education Plan

Security Awareness, Training, And Education Plan Version 2.0 December 2016

TABLE OF CONTENTS
1.1 SCOPE ... 2
1.2 PRINCIPLES ... 2
1.3 REVISIONS ... 3
2.1 OBJECTIVE ... 4
3.1 PLAN DETAILS ... 4
3.2 WORKFORCE DESIGNATION ... 4
3.3 NEW HIRES ... 4
3.4 EMPLOYEES AND RETIREES ... 4
3.4.1 IT STAFF ... 4
3.4.2 EXECUTIVE AND MANAGEMENT ... 4
3.5 THIRD-PARTY USERS ... 5
3.6 VISITORS ... 5
3.7 PARTICIPATION TRACKING ... 5
3.8 EVALUATION AND FEEDBACK ... 5
3.9 UPDATING ... 5
3.10 SANCTIONS FOR COMPROMISED ACCOUNTS ... 5
3.10.1 FACULTY, STAFF, STUDENT WORKERS ... 5
3.10.2 RETIREES ... 6
3.10.3 THIRD-PARTY USERS ... 6
3.11 SANCTION FOR NON-COMPLETION OF ANNUAL TRAINING ... 6
3.11.1 FACULTY, STAFF, STUDENT WORKERS ... 6
3.11.2 RETIREES ... 7
3.11.3 THIRD-PARTY USERS ... 7
3.12 NEW HIRES ... 7
3.13 PRACTICAL EXERCISES ... 8
4.1 MANDATORY CONTROLS ... 8
5.1 DISCRETIONARY CONTROLS ... 9
6.1 REFERENCES ... 9
7.1 DEFINITIONS ... 10

Effective Date: 12/19/2016 Last Review: 12/18/2017 Next Review: 12/2018 Page 1

1.1 SCOPE
This plan applies to all users of information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM), including its remote centers. Users include, but are not limited to, students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University's information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.

1.2 PRINCIPLES
The University has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this policy is based on those guidelines. Specifically, this plan is based on guidelines in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.

UTM must develop or adopt and adhere to a plan that demonstrates compliance with related policies and standards. This plan is the responsibility of the Position of Authority.

Each User of University resources is required to be familiar with and comply with University policies. Acceptance of University policy is assumed if a User accesses, uses, or handles University resources.

1.3 REVISIONS
Date        Action                                                                                      Name
06/10/2016  Created (0.1)                                                                               Brian Stubblefield
08/03/2016  Content, wording (0.2)
08/03/2016  Submitted for preliminary review
08/26/2016  Wording, formatting (0.3)
08/31/2016  Third-party users, security controls (0.4)
10/11/2016  Mandatory and discretionary controls, recommended changes, visitors (0.5)
11/17/2016  Eduroam definition, executive and management subsection (0.6)
11/18/2016  Changed to plan (0.7)
11/21/2016  Practical exercises, LMS, HR0128 reference, sanctions, title (0.8)
12/19/2016  Reviewed, approved, adopted (1.0)
08/15/2017  Added Workforce designation and references, practical exercises wording (1.1)
09/05/2017  Updated principles from CoP document, edit on sanctions, page numbering (1.2)
10/27/2017  Added sanctions for non-completion of annual training (1.3)
12/11/2017  Recommended changes to annual training sanctions from IT Governance, specified Dec. 31 (1.4)
12/18/2017  Approved (2.0)

2.1 OBJECTIVE
To establish a formal, documented Security Awareness, Training, and Education program for University information systems users, and to facilitate appropriate training controls.

3.1 PLAN DETAILS
The campus Workforce must successfully complete security awareness training by December 31 each year. A reasonable amount of time will be granted to successfully complete the training in the current Learning Management System (LMS). Information security awareness training will be used in personnel performance evaluations. Additional training will be required for individuals with specific roles and responsibilities within the University.

3.2 WORKFORCE DESIGNATION
The Workforce at UTM will consist of all current faculty and staff, retirees, and ITS student workers.

3.3 NEW HIRES
All new employees are required to complete security awareness training within 30 days of being hired (AT-2). The account expiration date will be set in Active Directory so that, if training hasn't been completed before the deadline, the account will be disabled. The account will be reactivated temporarily until the user successfully completes training. The expiration date will be removed once the user has passed the security awareness course in the LMS.

3.4 EMPLOYEES AND RETIREES
All employees and retirees are required to successfully complete the Required Training module each calendar year (AT-2). Re-testing required by sanctions does not apply toward the annual requirement.

3.4.1 IT STAFF
All ITS staff and student workers must successfully complete the IT Staff module in addition to the required yearly training (AT-3).

3.4.2 EXECUTIVE AND MANAGEMENT
All executives and managers must successfully complete the Executive and Management module in addition to the required yearly training (AT-3).
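Section 3.3 ties the new-hire training deadline to an Active Directory account expiration date that is cleared once the LMS records a pass. The following PowerShell is an added example of that mechanism, not code from the UTM plan; it assumes new-hire accounts are tagged with a placeholder value (extensionAttribute1 = "NewHire") and that the LMS exports completions as a CSV with a SamAccountName column at a placeholder path.

```powershell
# Added example (not part of the UTM plan): enforce the 30-day new-hire
# training window (AT-2) with AD account expiration, as section 3.3 describes.
# Assumptions (placeholders): new hires carry extensionAttribute1 = "NewHire";
# the LMS export at $LmsExport has a SamAccountName column for users who passed.
Import-Module ActiveDirectory

$TrainingWindowDays = 30                    # deadline counted from account creation
$LmsExport          = 'C:\lms\completions.csv'   # placeholder LMS export path

# Step 1: stamp an expiration date on every new-hire account that has none yet.
# When the date passes, AD disables logon without any further action by ITS.
Get-ADUser -Filter 'extensionAttribute1 -eq "NewHire"' `
           -Properties whenCreated, AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate } |
    ForEach-Object {
        $deadline = $_.whenCreated.AddDays($TrainingWindowDays)
        Set-ADAccountExpiration -Identity $_ -DateTime $deadline
        Write-Output "Expiration set: $($_.SamAccountName) -> $deadline"
    }

# Step 2: remove the expiration for users the LMS reports as having passed,
# and drop the new-hire tag so the account is no longer tracked by this script.
Import-Csv -Path $LmsExport | ForEach-Object {
    $user = Get-ADUser -Identity $_.SamAccountName `
                       -Properties AccountExpirationDate, extensionAttribute1 `
                       -ErrorAction SilentlyContinue
    if ($user -and $user.extensionAttribute1 -eq 'NewHire') {
        Clear-ADAccountExpiration -Identity $user
        Set-ADUser -Identity $user -Clear extensionAttribute1
        Write-Output "Training passed, expiration cleared: $($user.SamAccountName)"
    }
}
```

The temporary reactivation the plan allows after a missed deadline is left to the normal helpdesk process; re-running step 1 will not re-stamp an account that still carries an expiration date.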

3.5 THIRD-PARTY USERS
Third-party users must complete training prior to accessing the network or systems (AT-3). Third-party users from other UT campuses or institutes are exempt from completing training provided they have completed security awareness training from their respective campus or institute.

3.6 VISITORS
Visitors to campus are not required to complete security awareness training. They are only permitted to use the publicly-accessible computers in the Library, the UTM Guest wireless network, or Eduroam if they are from a participating institution.

3.7 TRACKING PARTICIPATION
The LMS used to provide training content must have the ability to monitor and report compliance and progress (AT-4). Participation in security awareness training can be documented for credit in accordance with UT policy HR0128 unless it was required by sanctions.

3.8 EVALUATION AND FEEDBACK
Mechanisms for evaluation and feedback should be implemented into training to help determine effectiveness and quality.

3.9 UPDATING
Training content and delivery should be evaluated at least yearly. Additional evaluation will be necessary with changes in:
1. Updated content
2. Platform
3. Policies
4. Legal requirements

3.10 SANCTIONS FOR COMPROMISED ACCOUNTS
Sanctions will be implemented against users who allow their accounts to be compromised and are dependent on the number of occurrences (PS-8). The severity of an incident can also be used for determining sanctions.

3.10.1 FACULTY, STAFF, STUDENT WORKERS
1st Offense:
- Actions are reported to immediate supervisor or department head
- Retake security awareness training

2nd Offense:
- Actions are reported to the department head, Chair of the Department, and/or Dean of the College
- Retake security awareness training
- Additional training may also be recommended or required
3rd Offense:
- Actions are reported to the appropriate vice-chancellor
- Notation is made in the offender's Human Resources file
- Internet access is restricted until one-on-one training with a member of ITS security staff is completed
4th Offense and beyond:
- To be determined by the appropriate vice-chancellor

3.10.2 RETIREES
1st Offense:
- Retake security awareness training
2nd Offense:
- Network access is restricted until one-on-one training with a member of ITS security staff is completed
3rd Offense:
- Permanent revocation of network access privileges

3.10.3 THIRD-PARTY USERS
1st Offense:
- Network access is revoked

3.11 SANCTIONS FOR NON-COMPLETION OF ANNUAL TRAINING
Sanctions will be implemented against users who do not complete the required annual training before December 31.

3.11.1 FACULTY, STAFF, STUDENT WORKERS
January 1 at midnight:
- Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
- Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
- Immediate supervisor or department head must request account reactivation, and training must be completed within 24 hours

3rd Missed Deadline:
- Non-compliance reported to the appropriate vice-chancellor
- Notation is made in the offender's Human Resources file
- Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
- Training must be completed by the end of the work day
4th Missed Deadline:
- To be determined by the appropriate vice-chancellor

3.11.2 RETIREES
January 1 at midnight:
- Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
- Training must be completed within 24 hours of account reactivation
3rd Missed Deadline:
- Account is permanently disabled

3.11.3 THIRD-PARTY USERS
1st Missed Deadline:

3.12 NEW HIRES
Sanctions will be implemented against new hires who do not complete the required training within 30 days of being hired (AT-2).
1st Missed Deadline:
- Incident reported to immediate supervisor or department head
- Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
- Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
- Immediate supervisor or department head must request account reactivation, and training must be completed within 24 hours

3rd Missed Deadline:
- Incident reported to the appropriate vice-chancellor
- Notation is made in the offender's Human Resources file
- Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
- Training must be completed by the end of the work day
4th Missed Deadline:
- To be determined by the appropriate vice-chancellor

3.13 PRACTICAL EXERCISES (AT-2(1))
ITS Security can perform various exercises to test the effectiveness of the security awareness training on individual or groups of users. Prior notice to and approval from the CIO and Director of IT Infrastructure is required before proceeding with any practical exercises.

4.1 MANDATORY CONTROLS
Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed.

Workforce Designation: Each Campus must designate the makeup of its Workforce requiring Awareness Training.

Basic Security Awareness Training (AT-2): Basic security awareness training as a part of initial training for new users, when it is required by information system changes, and annually thereafter.

Role-based Security Training (AT-3): Each Campus must provide role-based security training to personnel with assigned security responsibilities before authorizing access to the information system or performing assigned duties, when required by information system changes, and annually thereafter.

Security Training Records (AT-4): Each campus must document and monitor individual information system user security training activities.

5.1 DISCRETIONARY CONTROLS
Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary controls must not conflict with or lower the standards established by Mandatory Controls.

Personnel Sanctions (PS-8): Formal sanctions processes for personnel failing to comply with established information security policies and procedures.

Security Awareness Training Practical Exercises (AT-2(1)): Practical exercises include, but are not limited to, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

6.1 REFERENCES
IT0123 - Security Awareness, Training, and Education
NIST SP 800-50 - Building an Information Technology Security Awareness and Training Program
NIST SP 800-16 Rev1, 3rd Draft - A Role-Based Model for Federal Information Technology/Cybersecurity Training
NIST SP 800-53 Rev4 - Recommended Security Controls for Federal Information Systems and Organizations
HR0128 - Human Resources Development

7.1 DEFINITIONS
Eduroam (education roaming): A secure roaming access service which allows students and staff from participating institutions to obtain Internet connectivity when visiting participating institutions using their own credentials.
Employee: Faculty, staff, or student worker.
Sanction: An official action taken against a user.
Third-Party User: An authorized user not affiliated with the university but involved in collaboration, including but not limited to auditors, consultants, vendors, and contractors.
Visitor: A user not directly affiliated with the university.