Security Awareness, Training, And Education Plan Version 2.0 December 2016
TABLE OF CONTENTS

1.1 SCOPE ........ 2
1.2 PRINCIPLES ........ 2
1.3 REVISIONS ........ 3
2.1 OBJECTIVE ........ 4
3.1 PLAN DETAILS ........ 4
3.2 WORKFORCE DESIGNATION ........ 4
3.3 NEW HIRES ........ 4
3.4 EMPLOYEES AND RETIREES ........ 4
3.4.1 IT STAFF ........ 4
3.4.2 EXECUTIVE AND MANAGEMENT ........ 4
3.5 THIRD-PARTY USERS ........ 5
3.6 VISITORS ........ 5
3.7 PARTICIPATION TRACKING ........ 5
3.8 EVALUATION AND FEEDBACK ........ 5
3.9 UPDATING ........ 5
3.10 SANCTIONS FOR COMPROMISED ACCOUNTS ........ 5
3.10.1 FACULTY, STAFF, STUDENT WORKERS ........ 5
3.10.2 RETIREES ........ 6
3.10.3 THIRD-PARTY USERS ........ 6
3.11 SANCTION FOR NON-COMPLETION OF ANNUAL TRAINING ........ 6
3.11.1 FACULTY, STAFF, STUDENT WORKERS ........ 6
3.11.2 RETIREES ........ 7
3.11.3 THIRD-PARTY USERS ........ 7
3.12 NEW HIRES ........ 7
3.13 PRACTICAL EXERCISES ........ 8
4.1 MANDATORY CONTROLS ........ 8
5.1 DISCRETIONARY CONTROLS ........ 9
6.1 REFERENCES ........ 9
7.1 DEFINITIONS ........ 10

Effective Date: 12/19/2016  Last Review: 12/18/2017  Next Review: 12/2018
1.1 SCOPE

This plan applies to all users of information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM), including its remote centers. Users include but are not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University's information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.

1.2 PRINCIPLES

The University has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this policy is based on those guidelines. Specifically, this plan is based on the guidelines in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus.

UTM must develop or adopt, and adhere to, a plan that demonstrates compliance with related policies and standards. This plan is the responsibility of the Position of Authority.

Each User of University resources is required to be familiar with and comply with University policies. Acceptance of University policy is assumed if a User accesses, uses, or handles University resources.
1.3 REVISIONS

Date        Action                                                                                   Name
06/10/2016  Created (0.1)                                                                            Brian Stubblefield
08/03/2016  Content, wording (0.2)
08/03/2016  Submitted for preliminary review
08/26/2016  Wording, formatting (0.3)
08/31/2016  Third-party users, security controls (0.4)
10/11/2016  Mandatory and discretionary controls, recommended changes, visitors (0.5)
11/17/2016  Eduroam definition, executive and management subsection (0.6)
11/18/2016  Changed to plan (0.7)
11/21/2016  Practical exercises, LMS, HR0128 reference, sanctions, title (0.8)
12/19/2016  Reviewed, approved, adopted (1.0)
08/15/2017  Added Workforce designation and references, practical exercises wording (1.1)
09/05/2017  Updated principles from CoP document, edit on sanctions, page numbering (1.2)
10/27/2017  Added sanctions for non-completion of annual training (1.3)
12/11/2017  Recommended changes to annual training sanctions from IT Governance, specified Dec. 31 (1.4)
12/18/2017  Approved (2.0)
2.1 OBJECTIVE

To establish a formal, documented Security Awareness, Training, and Education program for University information systems users, and to facilitate appropriate training controls.

3.1 PLAN DETAILS

The campus Workforce must successfully complete security awareness training by December 31 each year. A reasonable amount of time will be granted to successfully complete the training in the current Learning Management System (LMS). Information security awareness training will be used in personnel performance evaluations. Additional training will be required for individuals with specific roles and responsibilities within the University.

3.2 WORKFORCE DESIGNATION

The Workforce at UTM will consist of all current faculty and staff, retirees, and ITS student workers.

3.3 NEW HIRES

All new employees are required to complete security awareness training within 30 days of being hired (AT-2). The account expiration date will be set in Active Directory so that if training hasn't been completed before the deadline, the account will be disabled. The account will be reactivated temporarily until the user successfully completes training. The expiration date will be removed once the user has passed the security awareness course in the LMS.

3.4 EMPLOYEES AND RETIREES

All employees and retirees are required to successfully complete the Required Training module each calendar year (AT-2). Re-testing for sanctions does not apply toward the annual requirement.

3.4.1 IT STAFF

All ITS staff and student workers must successfully complete the IT Staff module in addition to the required yearly training (AT-3).

3.4.2 EXECUTIVE AND MANAGEMENT

All executives and managers must successfully complete the Executive and Management module in addition to the required yearly training (AT-3).
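The new-hire expiration mechanism in 3.3, as an added example that is not part of this plan and not UTM's own tooling: it uses the Active Directory PowerShell module to set the 30-day expiration at hire, grant a short temporary reactivation window, and clear the expiration once the LMS reports a pass. The LMS lookup (Test-LmsTrainingPassed), the sample account name, and the 48-hour grace window (taken from the first missed deadline in 3.12) are assumptions.

```powershell
# Added example (not part of the UTM plan): enforce the 3.3 new-hire training deadline with
# Active Directory account expiration. Requires the ActiveDirectory (RSAT) module and rights
# to modify the target accounts.
Import-Module ActiveDirectory

# Placeholder for the LMS compliance lookup (AT-4); the real LMS API is not on the page.
function Test-LmsTrainingPassed {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Assumption: replace with the LMS report or API call for the Required Training module.
    return $false
}

# At hire: the account expires 30 days after the hire date unless training is passed (3.3).
function Set-NewHireTrainingDeadline {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$HireDate = (Get-Date)
    )
    $deadline = $HireDate.Date.AddDays(30)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $deadline
    return $deadline
}

# After the deadline passes: reactivate temporarily by moving the expiration forward by a
# short grace window (48 hours assumed here, following the first missed deadline in 3.12).
function Grant-TemporaryReactivation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$GraceHours = 48
    )
    $newExpiry = (Get-Date).AddHours($GraceHours)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $newExpiry
    # An expired account already refuses logon; Enable-ADAccount also covers the case
    # where an administrator explicitly disabled the account.
    Enable-ADAccount -Identity $SamAccountName
    return $newExpiry
}

# Once the LMS reports a pass: remove the expiration so the account no longer auto-expires.
function Clear-TrainingDeadlineIfPassed {
    param([Parameter(Mandatory)][string]$SamAccountName)
    if (Test-LmsTrainingPassed -SamAccountName $SamAccountName) {
        Clear-ADAccountExpiration -Identity $SamAccountName
        return $true
    }
    return $false
}

# Usage with an assumed sample account name and hire date:
# Set-NewHireTrainingDeadline -SamAccountName 'jdoe' -HireDate (Get-Date '2017-01-09')
```

Run the first function from the onboarding workflow and the last one on a schedule (or from the LMS completion report) so the expiration is lifted only after a recorded pass.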
3.5 THIRD-PARTY USERS

Third-party users must complete training prior to accessing the network or systems (AT-3). Third-party users from other UT campuses or institutes are exempt from completing training provided they have completed security awareness training from their respective campus or institute.

3.6 VISITORS

Visitors to campus are not required to complete security awareness training. They are only permitted to use the publicly-accessible computers in the Library, the UTM Guest wireless network, or Eduroam if they are from a participating institution.

3.7 TRACKING PARTICIPATION

The LMS used to provide training content must have the ability to monitor and report compliance and progress (AT-4). Participation in security awareness training can be documented for credit in accordance with UT policy HR0128 unless it was required by sanctions.

3.8 EVALUATION AND FEEDBACK

Mechanisms for evaluation and feedback should be implemented into training to help determine effectiveness and quality.

3.9 UPDATING

Training content and delivery should be evaluated at least yearly. Additional evaluation will be necessary with changes in:

1. Updated content
2. Platform
3. Policies
4. Legal requirements

3.10 SANCTIONS FOR COMPROMISED ACCOUNTS

Sanctions will be implemented against users who allow their accounts to be compromised and are dependent on the number of occurrences (PS-8). The severity of an incident can also be used for determining sanctions.

3.10.1 FACULTY, STAFF, STUDENT WORKERS

1st Offense:
  - Actions are reported to immediate supervisor or department head
  - Retake security awareness training
2nd Offense:
  - Actions are reported to the department head, Chair of the Department, and/or Dean of the College
  - Retake security awareness training
  - Additional training may also be recommended or required

3rd Offense:
  - Actions are reported to the appropriate vice-chancellor
  - Notation is made in the offender's Human Resources file
  - Internet access is restricted until one-on-one training with a member of ITS security staff is completed

4th Offense and beyond:
  - To be determined by the appropriate vice-chancellor

3.10.2 RETIREES

1st Offense:
  - Retake security awareness training

2nd Offense:
  - Network access is restricted until one-on-one training with a member of ITS security staff is completed

3rd Offense:
  - Permanent revocation of network access privileges

3.10.3 THIRD-PARTY USERS

1st Offense:
  - Network access is revoked

3.11 SANCTIONS FOR NON-COMPLETION OF ANNUAL TRAINING

Sanctions will be implemented against users who do not complete the required annual training before December 31.

3.11.1 FACULTY, STAFF, STUDENT WORKERS

January 1 at midnight:
  - Training must be completed within 48 hours of account reactivation

2nd Missed Deadline:
  - Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
  - Immediate supervisor or department head must request account reactivation and training must be completed within 24 hours
3rd Missed Deadline:
  - Non-compliance reported to the appropriate vice-chancellor
  - Notation is made in the offender's Human Resources file
  - Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
  - Training must be completed by the end of the work day

4th Missed Deadline:
  - To be determined by the appropriate vice-chancellor

3.11.2 RETIREES

January 1 at midnight:
  - Training must be completed within 48 hours of account reactivation

2nd Missed Deadline:
  - Training must be completed within 24 hours of account reactivation

3rd Missed Deadline:
  - Account is permanently disabled

3.11.3 THIRD-PARTY USERS

1st Missed Deadline:

3.12 NEW HIRES

Sanctions will be implemented against new hires who do not complete the required training within 30 days of being hired (AT-2).

1st Missed Deadline:
  - Incident reported to immediate supervisor or department head
  - Training must be completed within 48 hours of account reactivation

2nd Missed Deadline:
  - Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
  - Immediate supervisor or department head must request account reactivation and training must be completed within 24 hours
3rd Missed Deadline:
  - Incident reported to the appropriate vice-chancellor
  - Notation is made in the offender's Human Resources file
  - Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
  - Training must be completed by the end of the work day

4th Missed Deadline:
  - To be determined by the appropriate vice-chancellor

3.13 PRACTICAL EXERCISES (AT-2(1))

ITS Security can perform various exercises to test the effectiveness of the security awareness training on individual users or groups of users. Prior notice to and approval from the CIO and Director of IT Infrastructure is required before proceeding with any practical exercises.

4.1 MANDATORY CONTROLS

Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed.

Workforce Designation: Each Campus must designate the makeup of its Workforce requiring Awareness Training.

Basic Security Awareness Training (AT-2): Each Campus must provide basic security awareness training as a part of initial training for new users, when it is required by information system changes, and annually thereafter.

Role-based Security Training (AT-3): Each Campus must provide role-based security training to personnel with assigned security responsibilities before authorizing access to the information system or performing assigned duties, when required by information system changes, and annually thereafter.

Security Training Records (AT-4): Each Campus must document and monitor individual information system user security training activities.
5.1 DISCRETIONARY CONTROLS

Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary Controls must not conflict with or lower the standards established by Mandatory Controls.

Personnel Sanctions (PS-8): Formal sanctions processes for personnel failing to comply with established information security policies and procedures.

Security Awareness Training Practical Exercises (AT-2(1)): Practical exercises include but are not limited to, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

6.1 REFERENCES

IT0123 - Security Awareness, Training, and Education
NIST SP 800-50 - Building an Information Technology Security Awareness and Training Program
NIST SP 800-16 Rev1, 3rd Draft - A Role-Based Model for Federal Information Technology/Cybersecurity Training
NIST SP 800-53 Rev4 - Recommended Security Controls for Federal Information Systems and Organizations
HR0128 - Human Resources Development
7.1 DEFINITIONS

Eduroam (education roaming): A secure roaming access service which allows students and staff from participating institutions to obtain Internet connectivity when visiting participating institutions using their own credentials.

Employee: Faculty, staff, or student worker.

Sanction: An official action taken against a user.

Third-Party User: An authorized user not affiliated with the university but involved in collaboration, including but not limited to auditors, consultants, vendors, and contractors.

Visitor: A user not directly affiliated with the university.