Issue/Question
What is the USD security policy on Security Awareness and Skills Training?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Security Awareness and Skills Training
Policy Statement: The University acknowledges that cybersecurity awareness and skills are essential for protecting its information assets and reducing the risk of security incidents. This policy outlines guidelines for providing comprehensive security awareness and skills training to all members of the University community.
Policy Implementation:
- Mandatory Security Awareness Training:
- All employees, contractors, and students with access to University information systems and data will be required to undergo mandatory security awareness training upon initial onboarding and periodically thereafter.
- Training topics will include cybersecurity best practices, recognizing phishing attempts, secure password management, data protection guidelines, and incident reporting procedures.
- Role-Based Training:
- Role-based security training will be provided to employees based on their job functions and level of access to sensitive information. This includes, but is not limited to, training on PCI, GLBA, FERPA, and HIPAA requirements.
- Training programs will be tailored to address specific security requirements and responsibilities associated with different roles within the University, such as IT administrators, data custodians, and end-users.
- Phishing Awareness and Simulation:
- Phishing awareness training will include simulated phishing exercises to educate users about common phishing tactics and how to recognize and report suspicious emails.
- Phishing simulation campaigns will be conducted periodically to assess the effectiveness of training efforts and identify areas for improvement.
- Technical Skills Development:
- Technical security training programs will be offered to IT personnel and cybersecurity professionals to enhance their skills in areas such as network security, incident response, penetration testing, and secure coding practices.
- Training resources, including online courses, workshops, and certifications, will be made available to support ongoing skills development and professional growth.
- Security Policy Review and Acknowledgement:
- All members of the University community will be required to review and acknowledge the University's security policies, procedures, and guidelines.
- Acknowledgement of security policies will serve as evidence of understanding and compliance with security requirements and expectations.
Compliance and Enforcement: Non-compliance with this policy may result in disciplinary action, including but not limited to loss of access privileges, fines, or termination of employment. It is the responsibility of all members of the University community to adhere to this policy and actively participate in security awareness and skills training activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of security awareness and skills training initiatives.
This policy provides a comprehensive framework for implementing CIS Control 14 within the University environment. It sets out guidelines for security awareness and skills training programs that educate all members of the University community about cybersecurity best practices and empower them to contribute to the University's security posture.
Please contact the Service Desk if you need further assistance.