1 PURPOSE
Our people are the best resource we have for safeguarding the privacy of our constituents and the confidentiality, integrity, and availability of the information we hold on their behalf. To leverage this powerful resource, we must work together as a University System to cultivate a cybersecurity-aware culture. This kind of culture facilitates the integration of cybersecurity best practices into day-to-day activities, operational business processes, and decision making at all levels of the University System.
This Standard defines the Cybersecurity Awareness and Training Program, which ensures all University System community members:
- Know their cybersecurity responsibilities
- Know how to properly utilize and protect the institutional information and information technology resources entrusted to them
- Understand how to comply with the cybersecurity Policies and Standards that apply to them.
2 SCOPE
This Standard applies to all University System community members who have access to University System information technology resources and institutional information, regardless of its format. It defines all aspects of Cybersecurity Awareness and Training at the University System.
3 STANDARD
3.1 CYBERSECURITY AWARENESS AND TRAINING PROGRAM
In support of our core mission of education, the Chief Information Security Officer (CISO) shall ensure all employees are aware of their cybersecurity responsibilities and have the necessary knowledge and training to fulfill them by implementing a Cybersecurity Awareness and Training Program. The program shall be inclusive of all awareness and training components defined in this Standard.
3.2 CYBERSECURITY AWARENESS
Under the oversight of the CISO, Cybersecurity Governance, Risk, & Compliance (GRC) shall develop, implement, administer, facilitate, and manage a range of activities geared to building a security-aware culture across all University System institutions. These activities shall include, but not be limited to:
- Participating in institution-wide events like University Day
- Hosting speakers, presentations, and interactive sessions targeting specific cybersecurity topics
- Providing training or advisory services to address specific concerns for administrative, academic, and business units
- Issuing alerts and advisories, as appropriate, to the University System community
- Representing cybersecurity on institutional committees and task forces
- Coordinating and running Cybersecurity incident response drills
3.3 EMPLOYEE CYBERSECURITY TRAINING
New Employees
All newly hired University System employees shall complete basic cybersecurity training, either in-person or via a computer-based training (CBT) program, within the first 30 days of employment. Assessment of content comprehension shall be used to gauge the effectiveness of the training. The New Hire Cybersecurity Training Program shall be developed, implemented, managed, and maintained by Cybersecurity GRC.
Current Employees
All University System employees shall have access to a cybersecurity refresher training course, either in-person or via a CBT program, annually. Assessment of content comprehension shall be used to gauge the effectiveness of the training. The Employee Cybersecurity Training Program shall be developed, implemented, managed, and maintained by Cybersecurity GRC. Additionally, all University System employees participate in the University System Phishing Awareness Program outlined below.
3.4 ROLE-SPECIFIC TRAINING FOR EMPLOYEES
Employees whose responsibilities require interaction with certain types of institutional information as well as those with specific cybersecurity responsibilities shall be required to complete role-specific cybersecurity training courses. Managers in administrative, academic, and business units with cybersecurity role-based training requirements are responsible for notifying Cybersecurity GRC when new employees join the unit.
Although a specific required frequency is defined for each role-based training requirement, substantial changes to regulations, security control implementations, or information technology resources used in these areas may result in a requirement to complete out-of-band training.
The following areas currently have role-based training requirements:
GLBA Cybersecurity Training
- Any employee who interacts with student financial aid information is required to complete the designated cybersecurity training course, in person or via CBT, annually, to satisfy GLBA (Gramm-Leach-Bliley Act) training requirements
- Cybersecurity GRC is responsible for developing, implementing, maintaining, and monitoring compliance with the GLBA Cybersecurity Training Program
PCI-DSS Compliance Training
- Any employee who handles credit card processing is required to complete the designated PCI-DSS (Payment Card Industry Data Security Standard) Training Program via CBT, annually
- The PCI data stewards at each institution are responsible for developing, implementing, maintaining, and monitoring compliance with the PCI-DSS Training Program
HIPAA Compliance Training
- All employees working in components subject to HIPAA (Health Insurance Portability and Accountability Act) Regulations are required to complete training, in person or online
- The HIPAA Privacy Officer is responsible for developing, implementing, maintaining, and monitoring compliance with the HIPAA Training Program, with assistance from Cybersecurity GRC
Advanced Cybersecurity Training
- Employees with specific cybersecurity responsibilities may be required to complete additional training programs at the discretion of the CISO
- Employees who are required to complete this type of training will be notified by Cybersecurity & Networking and advised on additional training requirements
- Cybersecurity GRC is responsible for developing, implementing, maintaining, and monitoring compliance with any advanced cybersecurity requirements
Cybersecurity Incident Response Training
Cybersecurity GRC provides training on the Incident Response Plan and any related, role-specific procedures. Role-based annual training is required for the following:
- All members of the Cybersecurity Ops & IAM (Cyber Ops) team
- Non-Cyber Ops members of the standing IRT (including back-up designees)
- Institutional Subject Matter Experts
- First level support team members (specifically on Cybersecurity Incident Reporting Procedures)
3.5 UNIVERSITY SYSTEM PHISHING AWARENESS PROGRAM
All University System employees, students, sponsored users, and emeriti shall have access to participate in the University System Phishing Awareness Program. This program provides University System community members with a realistic phishing experience in a safe and controlled environment. This type of awareness training gives the University System community the opportunity to become familiar with, and more resilient to, the kinds of tactics used in real phishing attacks.
Each University System community member shall be provided with regular simulated phishing training opportunities during each academic year. Community members who are unable to identify phishing simulations as phishing, and who either click a link or open an attachment, shall be considered susceptible to phishing. Susceptible community members shall be presented with just-in-time training as part of the simulation experience.
Community members who are susceptible to multiple simulations shall be required to complete online Phishing Awareness training within 15 days of being found susceptible.
Cybersecurity GRC is responsible for administration, monitoring, and management of the University System Phishing Awareness Program.
3.6 CYBERSECURITY TRAINING RECORDKEEPING
In cooperation with other authorities responsible for administering elements of this program, University System Cybersecurity GRC shall maintain comprehensive training records indicating which employees and students have completed each individual cybersecurity training requirement, to ensure a full accounting of annual training is always available.
DOCUMENT HISTORY
- Approved by:
  - Chief Information Security Officer, T Nudd, 19 Aug 2021, v1
  - Cybersecurity Policy & Standard Working Group, 27 Aug 2020, v0.2
- Reviewed by:
  - Chief Information Security Officer, D Stockman, Jan 2021, v0.2
  - Cybersecurity Policy & Standard Working Group, Aug 2020
- Revision History:
  - Review draft finalized, Dr David Yasenchock, 06 March 2023
  - Revised formatting, K Sweeney, 30 May 2024