Security Awareness Training

 

I. Purpose 
This procedure establishes the UNCSA information security awareness and training program to inform and assess all faculty, staff, and students regarding their information security obligations. 

Technical security controls are a vital part of our information security framework but are insufficient to secure all information assets. Adequate information security also requires the awareness and proactive support of all faculty, staff, and students, supplementing and making full use of the technical security controls to include security awareness education. This need is evident in the case of social engineering attacks and other current exploits, which specifically target humans rather than IT and network systems. 

Insufficient security awareness training and education for faculty, staff, and students can produce scenarios where they are less likely to recognize or react appropriately to information security threats and incidents and are more likely to place information assets at risk of compromise. All must be informed about relevant, current information security matters and motivated to fulfill their information security obligations to protect information assets. 

II. Source of Authority 

This procedure is issued in support of Information Technology Security Regulation 512, and Information Technology Security Procedures 512(III)(D), Access Control. 

III. Scope 

This procedure applies to all faculty, staff, students, affiliates, vendors, contractors, and consultants.   The procedure applies to the latter whether they are explicitly bound (e.g., by contractual terms and conditions) or implicitly bound (e.g., by generally held standards of ethics and acceptable behavior) to comply with our information security procedures. 

Whether an individual uses computer systems and networks, everyone is expected to protect all information resources, including computer data, written materials/paperwork, and even intangible forms of knowledge and experience related to UNCSA.  

VI. Definitions 

A. Affiliate: An affiliate is an individual who requires access to information resources to work in conjunction with the university but is not a UNCSA employee or student.   Affiliates must have a sponsor who is an employee. Vendors, contractors, consultants, and other third-party providers who access information resources are considered affiliates.  

B. Information Security Program: The information security program is a set of coordinated services and activities designed to protect information resources and manage the risks associated with those resources. It includes regulations, procedures, rules, standards, assessments, and training to govern and safeguard UNCSA classified information and information resources.  

C. Information Resources: As used in UNC System Policy 1400.1, "information resources are information owned or processed by the university, or related to the business of the university, regardless of form or location, and the hardware and software resources used to electronically store, process or transmit that information." Information resources expressly include data, software, and physical assets. 

D. Phishing (email):  The fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. 

E. Vishing (voice):  The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. 

F. Smishing (SMS/Text):  The fraudulent practice of sending text messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.  

V. Procedure Requirements 

A. General 

All awareness training must fulfill the requirements for the security awareness program as listed below:  

• The information security awareness program should ensure that all faculty, staff, and students achieve and maintain a basic understanding of information security matters as outlined in our Information Technology (IT) Security Regulation 512 and Information Technology Acceptable Use Regulation 508. 
• Additional training is appropriate for faculty and staff with specific obligations towards information security that are not satisfied by essential security awareness; for example, Information Risk and Security Management, Security Administration, Site Security, and IT/Network Operations personnel. Such training requirements must be identified in departmental personnel training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and professional qualifications, and anticipated job requirements. 
• Security awareness and training activities should commence as soon as possible after faculty, staff, and students join the organization, generally through attending information security induction/orientation as part of the onboarding process. The awareness activities should continue periodically to maintain a reasonably consistent level of awareness. 

• The UNCSA Office of Networking and Cybersecurity will provide faculty, staff, and students with security awareness training materials, security procedures, rules, standards, and guidance on a wide variety of information security matters.  

B. Security Awareness Training 

• The UNCSA Information Technology (IT) department requires that each employee complete the Kevin Mitnick Security Awareness Training module upon hire and at least annually after that. Specific staff may be required to complete additional training modules depending on their particular job requirements upon hire and at least annually.  
• The UNCSA IT department will conduct periodic simulated social engineering exercises, including but not limited to phishing (email), vishing (voice), smishing (SMS), USB testing, and physical assessments. The UNCSA IT department will conduct these tests at random throughout the year with no set schedule or frequency. The UNCSA IT department may perform targeted exercises against specific departments or individuals based on a risk determination.  

C. Compliance 

The UNCSA IT department will monitor to assure compliance with this procedure and periodically report to the Vice-Chancellor of Finance the results of training and social engineering exercises.   

Specific actions or non-actions by UNCSA personnel may result in a compliance incident.   A compliance incident includes but is not limited to: 

• Not completing required training within the time allotted 
• Choosing an incorrect action during a social engineering exercise  

Incorrect actions during a social engineering exercise include but are not limited to: 

• Clicking on an unknown link within a phishing test 
• Replying with any information to a phishing test 
• Opening an attachment that is part of a phishing test 
• Enabling macros that are within an attachment as part of a phishing test 
• Allowing exploit code to run as part of a phishing test
• Entering any data within a landing page as part of a phishing test
• Transmitting any information as part of a vishing test
• Replying with any information to a smishing test 
• Plugging in a USB stick or removable drive as part of a social engineering exercise
• Failing to follow UNCSA policies during a physical, social engineering exercise  

The UNCSA IT department may also determine, on a case-by-case basis, that specific compliance incidents are a false positive and should not count negatively on an employee's compliance profile.  

Compliance Assurance 

The UNCSA IT Department ensures ongoing compliance with security protocol by utilizing specific preventative and remedial actions, including:  

• Computer or network access revocation 
• Mandatory remedial online training 
• Mandatory remedial in-person training  

UNCSA IT Department reserves the right to determine which preventative or remedial actions are most appropriate based on the severity of non-compliance. Loss of computer or network access can be detrimental to job performance, and those effects will be the responsibility of the employee's supervisor.   

VI. Roles and Responsibilities 

A. The Chief Information Security Officer/Information Security Manager is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization's and the organization's customer information assets. 

B. The Office of Networking and Cybersecurity is responsible for developing and maintaining a comprehensive suite of information security regulations, rules, standards, procedures, and guidelines mandated and endorsed by management. Working in conjunction with other university functions, it is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff's information security responsibilities. 

C. All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required. 

D. All Faculty and Staff are personally accountable for completing the security awareness training activities and complying with applicable regulations, policies, rules, laws, and procedures.  

VII. Revision History 

11/28/22 – First issuance, approved by the UNCSA CIO  
 

VIII. Related References 

Information Technology (IT) Security Regulation 512 
Information Technology Acceptable Use Regulation 508