Policy for Cyber Security Awareness Assessment


PURPOSE:

The purpose of this policy is to document the process, tools, and methods used to conduct cyber security awareness and training.  This policy, in conjunction with the Medaille College Information Security Awareness Policy, aims to reduce the risks associated with human access to the Medaille College information systems.


 
KEY COMPONENTS:

a.    KnowBe4: Cloud-based security awareness platform used by Medaille College to produce the training and assessment modules.

b.    Campaign: Umbrella term used to describe any training, video, or assessment.
 
c.    High-risk users: Any user who fails an assessment exercise or is identified as a victim of an actual phishing attack.  This includes users who respond to a phishing email even if they do not divulge information.

 

WELCOME ABOARD PACKET LITERATURE:

a.    New employees will receive “How to Detect Phishing Emails” from the IT department when we deliver their technology to them.

 

INITIAL TRAINING:

a.    New User Training Campaign to be completed as specified in the Medaille College Information Security Awareness Policy.

b.    As the nature of cyber security threats changes, the Medaille College IT Department reserves the right to modify the campaign to best meet the needs of the College and fulfill the Cyber Security Awareness goals.

c.    Campaign not to exceed 30 minutes.
 
d.    If an assessment test is a part of the campaign, a grade of 85% or better is required to fulfill this requirement.

 


TRAINING – ANNUAL:

a.    This training campaign is to be completed as specified in the Medaille College Information Security Awareness Policy.

b.    As the nature of cyber security threats changes, the Medaille College IT Department reserves the right to modify the Campaign to best meet the needs of the College and fulfill the Cyber Security Awareness goals.
 
c.    Campaign not to exceed 30 minutes.
 
d.    If an assessment test is a part of the campaign, a grade of 85% or better is required to fulfill this requirement.


 
ONGOING ASSESSMENT:

a.    On a regular basis, the Medaille College IT Department will send out a cyber security risk assessment exercise.  This will be in the form of a phishing email, although IT reserves the right to change the form as necessitated by the current threat landscape.
 
b.    High-risk users will be required to attend additional cyber security awareness trainings.

 

AD-HOC TRAINING:

a.    As the security threat landscape changes, IT and HR may determine that a specific campaign is needed to address a specific security risk.   

b.    All users required to be in compliance with the Cyber Security Policy will be notified via email that a mandatory training exercise has been assigned to them.

c.    Campaigns must be completed within 7 calendar days of assignment.
   
d.    Failure to complete the campaign will result in a loss of Active Directory login abilities until the training has been completed.

 
