Information Security Education and Awareness Training


Information Technology
Information Security Education and Awareness Training Standard

Identifier: IT-STND-002
Revision Date: 8/1/2015
Effective Date: 3/1/2015
Approved by: BOR CIO
Approved on date: 10/17/2014

Table of Contents
1. Introduction ... 2
2. Purpose ... 2
3. Scope ... 2
4. Definitions ... 2
5. Roles and Responsibilities ... 3
6. Standards ... 3
6.1 Information Security Education and Awareness Program ... 3
6.2 College/University Program Coordinator ... 4
6.3 Information Security Education and Awareness Program for Users with DCL3 Data Access ... 4
6.4 Information Security Education and Awareness Program for Users with DCL2 Data Access ... 5
7. Reporting Requirements ... 5
8. Control Metrics ... 5
9. Control Tests ... 5
10. Exceptions ... 6
11. Related Publications ... 6
12. Revision History ... 6

1. Introduction
The CSCU system, based on our educational activities, needs to collect and process Personal Identifiable Information (PII) and academic data of our constituents. We are required by law to provide appropriate training on an annual basis to anyone who has access to DCL3 data, and training on a regular basis is highly recommended for users with PII and academic data access.

2. Purpose
The Information Security Education and Awareness Training standard specifies the minimum requirements for training based on the user's data access. The standard also specifies the required record keeping and reporting requirements for Data Stewards and Data Coordinators.

3. Scope
The standard applies to all CSCU constituent units.

4. Definitions

DCL3 Data
DCL3 (previously known as Class A Protected at the CSUS) is protected confidential data, which comprises identity and financial data that, if improperly disclosed, could be used for identity theft or to cause financial harm to an individual or the CSCU System. Security at this level is very high (highest possible). A breach of DCL3 data requires notification to users. Examples of DCL3 data are:
- Social Security number & Identity Data
- Bank account or debit card information and Identity Data
- Credit card number & cardholder information
- Student Loan Data
DCL3 data must be protected from disclosure and maleficence.

DCL2 Data
DCL2 (previously known as Class A at the CSUS) is restricted data that is available for disclosure, and may be disclosed under certain circumstances, e.g. FOIA, legal request, etc. Such information is restricted due to federal and state law, ethical and privacy considerations. A breach of DCL2 data does not require notification to users. An example of such restrictions would be the FERPA guidelines that govern publication and disclosure of student information. Security at this level is high.

Information Security User Education and Awareness Training 2 of 6

Examples of DCL2 data are:
- Mother's maiden name
- Academic records
- Employee Medical Records

Information Security User Education and Awareness Training
A CSCU Information Security Education and Awareness Training program that meets the minimum training requirements for access to DCL3 data.

Assurance Function
Assurance is the responsibility of the system owner and is the process the system owner uses to verify that both technical and administrative controls are functioning correctly.

Reporting Cycle
The reporting cycle ends each year on November 1st, when the Security Program report is due to the system office. The system office reports the findings from the reporting cycle by November 15th, per the BOR Information Security Program Resolution.

5. Roles and Responsibilities
Data Steward - A Data Steward has planning and policy responsibilities for data within a specific functional area(s) or data domain. Data Stewards have responsibility for understanding, protecting and granting access to CSCU data.
Data Manager - A Data Manager has day-to-day responsibilities for data management within a specific functional area(s) or data domain. Data Managers have responsibility for understanding, protecting and managing access to CSCU data.
Data User - A Data User has operational requirements to access data and use data in performance of his/her assigned duties.
Data Management Coordinator - The Data Management Coordinator is responsible for communicating and reporting Information Security Education and Awareness Program initiatives.

6. Standards

6.1 Information Security Education and Awareness Program
The CSCU Information Security Education and Awareness Program is a comprehensive program with the following components:
- A targeted initial training program based on data access. Users with DCL3 data access will require a more comprehensive program than users with DCL2 data access.
- Mandatory annual training for users with DCL3 data access.
- Voluntary annual training for users with DCL2 data access.
- On-going user education initiatives to support the training, e.g. posters, e-mail communication, brown bag seminars, etc.
- A verification program to ensure users are following the Information Security Education and Awareness Program, e.g. targeted phishing, targeted social engineering attack, etc.

6.2 College/University Program Coordinator
Each college/university President will identify a Data Management Coordinator who will be responsible for the following:
- Communicating and providing resources to campus staff on the Information Security Education and Awareness Training program.
- Acting as the point person for communication with the Information Security Program Office.
- Compiling and submitting the Information Security Education and Awareness Training Program annual report.

6.3 Information Security Education and Awareness Program for Users with DCL3 Data Access
All CSCU employees with potential access to DCL3 data are required to complete an Information Security Education and Awareness Training Program within 2 weeks of employment. The training program needs to cover at a minimum the following topic areas: You Are the Target, Social Engineering, E-mail and Messaging, Browsing, Social Networking, Mobile Device Security, Passwords, Encryption, Data Security, Data Destruction, WI-FI Security, Working Remotely, Insider Threat, Help Desk, IT Staff, Physical Security, Protecting Your Personal Computer, Protecting Your Home Network, Hacked, Senior Leadership, Advanced Persistent Threat, Cloud, PCI DSS, FERPA, HIPAA, Personal Identifiable Information (PII), Federal Tax, GLBA-EDU, Red Flags Rule, Data Retention, Social Security Numbers, Federal Personal Identifiable Information (PII), and Privacy Security. Any employee with access to DCL3 data will need to take, at a minimum, a targeted or information security refresher annually.

Attendance records for participation in the training program's components need to be maintained by the Data Steward and contain at a minimum the following information: User Name, e-mail, phone, DCL3 Access, DCL2 Access, DCL3 Training Complete, Date of DCL3 Training, Active Employee, Date of Hire, Last Date of Employment.

Note: Users who transfer departments with the same or lower level of data access may have their records transferred to the new department. Users who have higher data access will need to take the appropriate training within two weeks of hire.

6.4 Information Security Education and Awareness Program for Users with DCL2 Data Access
All CSCU employees with potential access to DCL2 data are highly recommended to attend an Information Security Education and Awareness Training Program within 2 months of employment. The training program should cover at a minimum the following topic areas: You Are the Target, Social Engineering, E-mail and Messaging, Browsing, Social Networking, Mobile Device Security, Passwords, Encryption, Data Security, Data Destruction, WI-FI Security, Working Remotely, Insider Threat, Help Desk, IT Staff, Physical Security, Protecting Your Personal Computer, Protecting Your Home Network, Hacked, Senior Leadership, Advanced Persistent Threat, Cloud, FERPA, Personal Identifiable Information (PII), Red Flags Rule, Data Retention, and Privacy Security. Any employee with access to DCL2 data is recommended to take, at a minimum, a targeted or information security refresher annually.

Attendance records for participation in the training program's components need to be maintained by the Data Steward and contain at a minimum the following information: User Name, e-mail, phone, DCL3 Access, DCL2 Access, DCL3 Training Complete, Date of DCL3 Training, Active Employee, Date of Hire, Last Date of Employment.

Note: Users who transfer departments with the same or lower level of data access may have their records transferred to the new department. Users who have higher data access will need to take the appropriate training within two weeks of hire.

7. Reporting Requirements
Annually, by November 1st, the Data Management Coordinator will submit to the Information Security Program Office a consolidated set of training done during the past reporting cycle.

8. Control Metrics
- Participation rate for online training courses - percentage of staff completing security training (by business unit)
- Average scores of online tests, compared to baseline (previous tests, industry data if available, etc.) by business unit
- Average scores of periodic tests (e.g. click rates for test phishing emails) by business unit
- Individual scores on skill assessment tests for individual mission critical roles by business unit

9. Control Tests
Quarterly, an assurance function will conduct a security test (targeted phishing, social engineering, etc.). They will develop an appropriate random sample and report on the test.
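As an added illustration (not part of the CSCU standard or its tooling), the following Python checks attendance records laid out as in section 6.3 against the DCL3 deadlines (initial training within 2 weeks of hire, refresher within a year) and computes the section 8 participation-rate metric by business unit as of the November 1st cycle end; the sample records, e-mail addresses and the "unit" field are constructed for this example.

```python
"""Compliance check over section 6.3 attendance records (added example,
not the standard's own tooling). Deadlines and the record layout come
from the standard; the 'unit' field and all sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Attendance:
    user_name: str
    email: str
    phone: str
    unit: str                     # business unit (assumed field for the per-unit metric)
    dcl3_access: bool
    dcl2_access: bool
    dcl3_training_complete: bool
    date_of_dcl3_training: Optional[date]
    active_employee: bool
    date_of_hire: date
    last_date_of_employment: Optional[date] = None


def dcl3_findings(rec: Attendance, as_of: date) -> List[str]:
    """Findings for one record as of the report date; inactive staff are skipped."""
    findings: List[str] = []
    if not rec.active_employee or not rec.dcl3_access:
        return findings
    # A 'complete' flag without a training date is treated as not complete.
    if not rec.dcl3_training_complete or rec.date_of_dcl3_training is None:
        if as_of - rec.date_of_hire > timedelta(weeks=2):
            findings.append("DCL3 initial training overdue (>2 weeks from hire)")
    elif as_of - rec.date_of_dcl3_training > timedelta(days=365):
        findings.append("DCL3 annual refresher overdue")
    return findings


def compliance_report(records: List[Attendance], as_of: date) -> Dict[str, List[str]]:
    """Map user name -> findings, listing only users with at least one finding."""
    return {r.user_name: f for r in records for f in [dcl3_findings(r, as_of)] if f}


def participation_rate(records: List[Attendance]) -> Dict[str, float]:
    """Section 8 metric: percent of active staff with training complete, by unit."""
    done: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for r in records:
        if r.active_employee:
            total[r.unit] = total.get(r.unit, 0) + 1
            done[r.unit] = done.get(r.unit, 0) + int(r.dcl3_training_complete)
    return {u: round(100.0 * done[u] / n, 1) for u, n in total.items()}


REPORT_DATE = date(2015, 11, 1)  # reporting cycle end (section 4)
SAMPLE = [  # constructed records
    Attendance("A. Ortiz", "a.ortiz@example.edu", "555-0101", "Bursar", True, True, True, date(2015, 3, 10), True, date(2015, 3, 2)),
    Attendance("B. Chen", "b.chen@example.edu", "555-0102", "Bursar", True, True, True, date(2014, 10, 20), True, date(2014, 10, 13)),
    Attendance("C. Diaz", "c.diaz@example.edu", "555-0103", "Registrar", True, False, False, None, True, date(2015, 10, 5)),
    Attendance("D. Evans", "d.evans@example.edu", "555-0104", "Registrar", True, False, False, None, True, date(2015, 10, 26)),
    Attendance("E. Frank", "e.frank@example.edu", "555-0105", "Registrar", False, True, False, None, False, date(2013, 1, 7), date(2015, 6, 30)),
]
```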

10. Exceptions
To request an exception, please submit the Information Security Exception request to SecProg@ct.edu. The requestor and the BOR Information Security Program Office will define the approved alternative configuration if it differs from the original proposal of the requestor. The exception process is NOT an alternative to the Change Control Management process.

11. Related Publications
Related Policies
- BOR-Information Security Policy
Related Procedures
- Support Services Procedure Website [Link to Procedures page for Requesting Access to Password Reset Form]
Web Sites
- Support Services Website

12. Revision History
Previous versions of this standard: None
History of Changes: Minor revisions to clarify the timeline as the reporting cycle ending on Nov. 1st.
Standards superseded by this standard:
- 2007 CSUS Information Security Standards V 1.0
  - Section 4.7 Security Awareness, Training, and Education