Information Security Education and Awareness Training

Information Technology
Information Security Education and Awareness Training Standard
Identifier: IT-STND-002
Revision Date: 9/1/2016
Effective Date: 3/1/2015
Approved by: BOR CIO
Approved on date: 10/17/2014

Table of Contents
1. Introduction ... 2
2. Purpose ... 2
3. Scope ... 2
4. Definitions ... 2
5. Roles and Responsibilities ... 3
6. Standards ... 3
6.1 Information Security Education and Awareness Program ... 3
6.2 College/University Program Coordinator ... 4
6.3 Information Security Education and Awareness Program for Users with DCL3 Data Access ... 4
6.4 Information Security Education and Awareness Program for Users with DCL2 Data Access ... 5
7. Reporting Requirements ... 5
8. Control Metrics ... 5
9. Control Tests ... 5
10. Exceptions ... 6
11. Related Publications ... 6
12. Revision History ... 6

1. Introduction
The CSCU system, based on our educational activities, needs to collect and process Personal Identifiable Information (PII) and academic data of our constituents. We are required by law to provide appropriate training on an annual basis to anyone who has access to DCL3 data, and training on a regular basis is highly recommended for users with PII and academic data access.

2. Purpose
The Information Security Education and Awareness Training standard specifies the minimum requirements for training based on the user's data access. The standard also specifies the required record keeping and reporting requirements for Data Stewards and the Data Coordinator.

3. Scope
The standard applies to all CSCU constituent units.

4. Definitions
DCL3 Data
DCL3 (previously known as Class A Protected at the CSUS) is protected confidential data, which comprises identity and financial data that, if improperly disclosed, could be used for identity theft or to cause financial harm to an individual or the CSCU System. Security at this level is very high (the highest possible). A breach of DCL3 data requires notification to users. Examples of DCL3 data are:
- Social Security number and identity data
- Bank account or debit card information and identity data
- Credit card number and cardholder information
- Student loan data
DCL3 data must be protected from disclosure and maleficence.

DCL2 Data
DCL2 (previously known as Class A at the CSUS) is restricted data that is available for disclosure, and may be disclosed under certain circumstances, e.g. FOIA, legal request, etc. Such information is restricted due to federal and state law and to ethical and privacy considerations. A breach of DCL2 data does not require notification to users. An example of such restrictions would be the FERPA guidelines that govern publication and disclosure of student information. Security at this level is high.
Information Security User Education and Awareness Training 2 of 6

Examples of DCL2 data are:
- Mother's maiden name
- Academic records
- Employee records

Information Security User Education and Awareness Training
A CSCU Information Security Education and Awareness Training program that meets the minimum training requirements for access to DCL3 data.

Assurance Function
Assurance is the responsibility of the system owner and is the process the system owner uses to verify that both technical and administrative controls are functioning correctly.

Reporting Cycle
The reporting cycle ends each year on November 1st, when the Security Program report is due to the system office. The system office reports the findings from the reporting cycle by November 15th, per the BOR Information Security Program Resolution.

5. Roles and Responsibilities
Data Steward - A Data Steward has planning and policy responsibilities for data within a specific functional area(s) or data domain. Data Stewards have responsibility for understanding, protecting and granting access to CSCU data.
Data Manager - A Data Manager has day-to-day responsibilities for data management within a specific functional area(s) or data domain. Data Managers have responsibility for understanding, protecting and managing access to CSCU data.
Data User - A Data User has operational requirements to access data and use data in performance of his/her assigned duties.
Data Management Coordinator - The Data Management Coordinator is responsible for communicating and reporting Information Security Education and Awareness Program initiatives.

6. Standards
6.1 Information Security Education and Awareness Program
The CSCU Information Security Education and Awareness Program is a comprehensive program with the following program components:
- An on-line information security training program comprised of modules. The modules required to be taken are based on the user's level of data access. Users with DCL3 data access require a more comprehensive program than users with DCL2 data access.
- Mandatory annual training for users with DCL3 data access.
- Voluntary annual training for users with DCL2 data access.
- On-going user education initiatives to support the training, e.g. posters, e-mail communication, brown bag seminars, etc.
- A verification program to ensure users are following the Information Security Education and Awareness Program, e.g. targeted phishing, targeted social engineering attack, etc.

6.2 College/University Program Coordinator
Each college/university President will identify a Data Management Coordinator who will be responsible for the following:
- Communicating and providing resources to campus staff on the Information Security Education Awareness Training program.
- Acting as the point person for communication with the Information Security Program Office.
- Compiling and submitting the Information Security Education and Awareness Training Program annual report.

6.3 Information Security Education and Awareness Program for Users with DCL3 Data Access
All CSCU employees with potential access to DCL3 data are required to complete the Information Security Education and Awareness Training Program annually. The 2016 training program consists of the following SANS Securing the Human modules: Social Engineering, E-mail and Messaging, Browsing, Social Networks, Mobile Device Security, Passwords, Encryption, Data Security and Data Destruction, Working Remotely, Insider Threat, Physical Security, Hacked, Advanced Persistent Threat, Cloud Services, PCI DSS, Personal Identifiable Information (PII), Federal Tax, GLBA, Red Flags Rule, Data Retention, Federal Personal Identifiable Information (PII), and Privacy Security.

Any new employee with potential access to DCL3 data is required to take the Information Security Training within 2 weeks of employment.

Attendance records for participation in the training program's components need to be maintained by the Data Steward within the Data Management Report spreadsheet and contain, at a minimum, the following information: State Employee ID, User Name, e-mail, phone, DCL3 Access, DCL2 Access, DCL3 Training Complete, Date of DCL3 Training, Active Employee, Date of Hire, Last Date of Employment.

Note: Users who transfer departments with the same or lower level of data access may have their records transferred to the new department. Users who will have higher data access will need to take the appropriate training within two weeks of transfer.

6.4 Information Security Education and Awareness Program for Users with DCL2 Data Access
It is highly recommended that all CSCU employees with potential access to DCL2 data complete the annual Information Security Education and Awareness Training Program. The training program for DCL2 users should cover, at a minimum, the following topic areas: Social Engineering, E-mail and Messaging, Browsing, Social Networks, Mobile Device Security, Passwords, Encryption, Data Security and Data Destruction, Working Remotely, Insider Threat, Physical Security, Hacked, Advanced Persistent Threat, Cloud Services, PCI DSS, Personal Identifiable Information (PII), Federal Tax, GLBA, Red Flags Rule, Data Retention, Federal Personal Identifiable Information (PII), and Privacy Security.

It is recommended that any new employee with access to DCL2 data take the information security training within 2 weeks of employment.

Attendance records for participation in the training program's components need to be maintained by the Data Steward within the Data Management Report spreadsheet and contain, at a minimum, the following information: State Employee ID, User Name, e-mail, phone, DCL3 Access, DCL2 Access, DCL3 Training Complete, Date of DCL3 Training, Active Employee, Date of Hire, Last Date of Employment.

Note: Users who transfer departments with the same or lower level of data access may have their records transferred to the new department. Users who will have higher data access will need to take the appropriate training within two weeks of transfer.

7. Reporting Requirements
Annually by November 1st, the Data Management Coordinator will submit to the Information Security Program Office a consolidated report of training done during the past reporting cycle.

8. Control Metrics
- Participation rate for online training courses: percentage of staff completing security training, by business unit.
- Average scores of online tests, compared to baseline (previous tests, industry data if available, etc.), by business unit.
- Average scores of periodic tests (e.g. click rates for test phishing e-mails), by business unit.
- Individual scores on skill assessment tests for individual mission critical roles, by business unit.

9. Control Tests
Quarterly, an assurance function will conduct a security test (targeted phishing, social engineering, etc.). They will develop an appropriate random sample and report on the test.

10. Exceptions
To request an exception, please submit the Information Security Exception request to SecProg@ct.edu. The requestor and the BOR Information Security Program Office will define the approved alternative configuration if it differs from the requestor's original proposal. The exception process is NOT an alternative to the Change Control Management process.

11. Related Publications
Related Policies
- BOR-Information Security Policy
Related Procedures
- Support Services Procedure Website [Link to Procedures page for Requesting Access to Password Reset Form]
Web Sites
- Support Services Website

12. Revision History
Previous versions of this standard
- Revision 1 - 8/1/2015
- Revision 2 - 9/1/2016
History of Changes
- 8/1/2015
  o Clarification to the timeline, with the reporting cycle ending on Nov. 1st.
- 9/1/2016
  o Adjustments made to reflect changes in SANS Securing the Human course listings.
Standards superseded by this standard
- 2007 CSUS Information Security Standards V 1.0
  o Section 4.7 Security Awareness, Training, and Education