1. Introduction
Technical security controls are a vital part of our information security framework but are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all staff, supplementing and making full use of the technical security controls. This is obvious in the case of social engineering attacks and other current exploits being used, which specifically target vulnerable humans rather than IT and network systems.
Lacking adequate information security awareness, staff are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets at risk of compromise. In order to protect information assets, all workers must be informed about relevant, current information security matters, and motivated to fulfill their information security obligations.
1.1 Objective
This policy specifies Pratt Community College’s internal information security awareness and training program to inform and assess all staff regarding their information security obligations.
1.2 Scope
This policy applies throughout the organization as part of the governance framework. It applies regardless of whether staff use computer systems and networks, since all staff are expected to protect all forms of information assets including computer data, written material/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.
1.3 Audience
This policy applies to all PCC employees and contractors with access to PCC systems, networks, PCC information, nonpublic personal information, personally identifiable information, and/or customer data.
1.4 Document Changes and Feedback
This policy will be updated and re-issued at least annually to reflect, among other things, changes to applicable law, updates or changes to PCC requirements or technology, and the results or findings of any audit.
2. Policy Requirements
All awareness training must fulfill the requirements for the security awareness program as listed below:
- The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.
- Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness, for example Information Risk and Security Management, Security Administration, Site Security and IT/Network Operations personnel. Such training requirements must be identified in departmental/personal training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.
- Security awareness and training activities should commence as soon as practicable after staff join the organization, generally through attending information security induction/orientation as part of the onboarding process. The awareness activities should continue on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.
- Where necessary and practicable, security awareness and training materials and exercises should suit their intended audiences in terms of style, format, complexity, technical content, etc. Everyone needs to know why information security is so important, but the motivators may differ between workers focused on their own personal situations and managers with broader responsibilities to the organization and their staff.
- PCC will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.
2.1 PCC Information Security Awareness Training
The PCC Information Technology (IT) department requires that each employee, upon hire and at least annually thereafter, successfully complete the Kevin Mitnick Security Awareness Training 15 Min. Certain staff may be required to complete additional training modules depending on their specific job requirements, upon hire and at least annually. Staff will be given a reasonable amount of time to complete each course so as not to disrupt business operations.
2.2 Simulated Social Engineering Exercise
The PCC IT department will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. The PCC IT department will conduct these tests at random throughout the year with no set schedule or frequency. The PCC IT department may conduct targeted exercises against specific departments or individuals based on a risk determination.
2.3 Remedial Training Exercises
From time to time, PCC staff may be required to complete a remedial training course or to participate in remedial training exercises with members of the PCC IT department as part of a risk-based assessment.
3. Compliance & Non-Compliance with Policy
Compliance with this policy is mandatory for all staff, including sub-contractors. The PCC IT department will monitor compliance and non-compliance with this policy and report to the VP of Finance and Operations the results of training and social engineering exercises. The penalties for non-compliance are described in Appendix A of this policy.
3.1 Non-Compliance Actions
Certain actions or non-actions by PCC personnel may result in a non-compliance event (Failure).
A Failure includes but is not limited to:
- Failure to complete required training within the time allotted
- Failure of a social engineering exercise.
Failure of a social engineering exercise includes but is not limited to:
- Clicking on a URL within a phishing test
- Replying with any information to a phishing test
- Opening an attachment that is part of a phishing test
- Enabling macros that are within an attachment as part of a phishing test
- Allowing exploit code to run as part of a phishing test
- Entering any data within a landing page as part of a phishing test
- Transmitting any information as part of a vishing test
- Replying with any information to a smishing test
- Plugging in a USB stick or removable drive as part of a social engineering exercise
- Failing to follow PCC policies in the course of a physical social engineering exercise
Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.
3.2 Compliance Actions
Certain actions or non-actions by PCC personnel may result in a compliance event (Pass).
A Pass includes but is not limited to:
- Successfully identifying a simulated social engineering exercise
- Not having a Failure during a social engineering exercise (Non-action)
- Reporting real social engineering attacks to the IT department
3.3 Removing Failure Events through Passes
Each Failure will result in a Remedial training or coaching event as described in Appendix A of this document. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.
4. Responsibilities and Accountabilities
Listed below is an overview of the responsibilities and accountabilities for managing and complying with this policy program.
The Director of Information Technology is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization’s and the organization’s customers’ information assets.
The Director of Information Technology is responsible for developing and maintaining a comprehensive suite of information security policies (including this one), standards, procedures and guidelines that are to be mandated and/or endorsed by management where applicable. Working in conjunction with other corporate functions, the Director is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff’s responsibilities identified in applicable policies, laws, regulations, contracts, etc.
All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.
All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.
Third Parties
In the process of choosing a service provider, an assessment will be made to ensure that the provider will implement and maintain appropriate safeguards for covered information. Contracts with service providers may include the following provisions:
- An explicit acknowledgement that the contract allows the contract partner access to covered information.
- A specific definition or description of the covered information being provided.
- A stipulation that the covered information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
- An assurance that the contract partner will protect the covered information it receives according to commercially acceptable standards and no less rigorously than it protects its own covered information.
- A provision providing for the return or destruction of all covered information received by the contract partner upon completion or termination of the contract.
- An agreement that any violation of the contract’s confidentiality conditions may constitute a material breach of the contract and entitles Pratt Community College to terminate the contract without penalty.
- A provision ensuring that the contract’s confidentiality requirements shall survive any termination of the agreement.
Third parties will be required to follow PCC policies regardless of whether those policies are specifically included in a contract.
Appendix A – Schedule of Failure Penalties
The following table outlines the penalties for non-compliance with this policy. Steps not listed here may be taken by the PCC IT team to reduce the risk that an individual may pose to PCC.
Failure Count | Resulting Level of Remediation Action
------------- | -------------------------------------
First Failure | Mandatory completion of Kevin Mitnick Security Awareness Training – 15 min
Second Failure | Mandatory completion of Kevin Mitnick Security Awareness Training – 25 min
Third Failure | Mandatory completion of KnowBe4 Security Awareness Training – 30 min
Fourth Failure | Face-to-face meeting with their manager. Action may be up to and including termination
Fifth Failure | Potential for Termination of Employment or Employment Contract
Appendix B – Methods for Determining Staff Risk Ratings
The following is a list of situations that may increase the risk rating of a PCC staff member. Higher risk ratings may result in increased sophistication of social engineering tests and an increase in the frequency and/or type of training and testing.
- Staff member’s email address appears in a recent Email Exposure Check report
- Staff member is an executive or VP (High value target)
- Staff member possesses access to significant PCC confidential information
- Staff member is using a Windows or Apple-based operating system
- Staff member uses their mobile phone for conducting work-related business
- Staff member possesses access to significant PCC systems
- Staff member’s personal information can be found publicly on the internet
- Staff member maintains a weak password
- Staff member has repeated PCC policy violations