Security Awareness and Skills Training

Body

Issue/Question

What is the USD security policy on Security Awareness and Skills Training?

Environment

  • CIS Control 14

Cause

Protect against cybersecurity threats, establish cybersecurity norms, and enhance cybersecurity maturity.

Resolution

Security Awareness and Skills Training

Policy Statement: The University acknowledges that cybersecurity awareness and skills are essential for protecting its information assets and reducing the risk of security incidents. This policy outlines guidelines for providing comprehensive security awareness and skills training to all members of the University community.

Policy Implementation:

  1. Mandatory Security Awareness Training:

    • All employees, contractors, and students with access to University information systems and data will be required to undergo mandatory security awareness training upon initial onboarding and periodically thereafter.
    • Training topics will include cybersecurity best practices, recognizing phishing attempts, secure password management, data protection guidelines, and incident reporting procedures.
  2. Role-Based Training:

    • Role-based security training will be provided to employees based on their job functions and level of access to sensitive information. This includes, but is not limited to, PCI, GLBA, FERPA, and HIPAA.
    • Training programs will be tailored to address specific security requirements and responsibilities associated with different roles within the University, such as IT administrators, data custodians, and end-users.
  3. Phishing Awareness and Simulation:

    • Phishing awareness training will include simulated phishing exercises to educate users about common phishing tactics and how to recognize and report suspicious emails.
    • Phishing simulation campaigns will be conducted periodically to assess the effectiveness of training efforts and identify areas for improvement.
  4. Technical Skills Development:

    • Technical security training programs will be offered to IT personnel and cybersecurity professionals to enhance their skills in areas such as network security, incident response, penetration testing, and secure coding practices.
    • Training resources, including online courses, workshops, and certifications, will be made available to support ongoing skills development and professional growth.
  5. Security Policy Review and Acknowledgement:

    • All members of the University community will be required to review and acknowledge the University's security policies, procedures, and guidelines.
    • Acknowledgement of security policies will serve as evidence of understanding and compliance with security requirements and expectations.

Compliance and Enforcement: Non-compliance with this policy may result in disciplinary action, including but not limited to loss of access privileges, fines, or termination of employment. It is the responsibility of all members of the University community to adhere to this policy and actively participate in security awareness and skills training activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of security awareness and skills training initiatives.


This policy provides a comprehensive framework for implementing CIS Control 14 within the University environment. It provides guidelines for security awareness and skills training programs, focusing on educating all members of the University community about cybersecurity best practices and empowering them to contribute to the University's security posture.

Please contact the Service Desk if you need further assistance.

ITS STAFF ONLY

  1. Follow Reviewing USD Security Policy Requests

Details

Article ID: 8948
Created: Tue 3/5/24 10:43 AM
Modified: Wed 6/5/24 11:24 AM
KCS Article Status: Validated

Related Articles

ITS has invested in KnowBe4 security awareness training to help our faculty and staff understand cyber attacks and phishing threats to themselves and the students that we all serve.