1. Purpose
   Technical security controls are a vital part of our information security framework but are not in themselves sufficient to secure all information assets. Effective information security also requires the awareness and proactive support of all staff, supplementing and making full use of the technical security controls. This is obvious in the case of social engineering attacks and other current exploits being used, which specifically target vulnerable humans rather than IT and network systems.

    

   Lacking adequate information security awareness, staff is less likely to recognize or react appropriately to information security threats and incidents and are more likely to place information assets at risk of compromise. In order to protect information assets, all workers must be informed about relevant, current information security matters, and motivated to fulfill their information security obligations.

    

   This policy specifies the Piedmont University internal information security awareness and training program to inform and assess all staff regarding their information security obligations.

    

2. Scope
   This policy applies throughout the organization as part of the corporate governance framework. It applies regardless of whether staff use computer systems and networks, since all staff are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.

   In general, this policy applies to all Piedmont University employees and contractors with access to Piedmont University systems, networks, Piedmont University information, nonpublic personal information, personally identifiable information, and/or customer data.

    

   This policy will be updated and re-issued at least annually to reflect, among other things, changes to applicable law, update or changes to Piedmont University requirements, technology, and the results or findings of any audit. 
   
   

3. Policy Requirements

1. All awareness training must fulfill the requirements for the security awareness program as listed below:
   1. The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.

       

   2. Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness, for example Information Risk and Security Management, Security Administration, Site Security and IT/Network Operations personnel. Such training requirements must be identified in departmental/personal training plans and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.

       

   3. Security awareness and training activities should commence as soon as practicable after staff join the organization, generally through attending information security induction/orientation as part of the on boarding process. The awareness activities should continue on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.

    

   1. Where necessary and practicable, security awareness and training materials and exercises should suit their intended audiences in terms of styles, formats, complexity, technical content, etc. Everyone needs to know why information security is so important, but the motivators may be different for workers focused on their own personal situations or managers with broader responsibilities to the organization and their staff.

    

   1. The Piedmont University will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.

    

2. Information Security Awareness Training

   The Piedmont University’s Office of Information Technology and Systems (OITS) requires that each employee upon hire and at least annually thereafter successfully complete the Kevin Mitnick Security Awareness Training, which is 15 minutes in length. Certain staff may be required to complete additional training modules depending on their specific job requirements upon hire and at least annually. Staff will be given a reasonable amount time to complete each course so as to not disrupt business operations.

3. Simulated Social Engineering Exercises

   The Piedmont University OITS will conduct periodic simulated social engineering exercises including but not limited to: phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. The Piedmont University OITS will conduct these tests at random throughout the year with no set schedule or frequency. The Piedmont University OITS may conduct targeted exercises against specific departments or individuals based on a risk determination.

4. Remedial Training Exercises

   From time-to-time Piedmont University staff may be required to complete remedial training courses or may be required to participate in remedial training exercises with members of the Piedmont University OITS as part of a risk-based assessment.

    

   3. Compliance & Non-Compliance with Policy

   Compliance with this policy is mandatory for all staff, including contractors and executives. The Piedmont University OITS will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises.

    

   The penalties for non-compliance are described in the Progressive Discipline and Standards of Conduct Policy.

    

1. Non-Compliance Actions

   Certain actions or non-actions by Piedmont University personnel may result in a non-compliance event (Failure).

   A Failure includes but is not limited to:

   • Failure to complete required training within the time allotted
   • Failure of a social engineering exercise

    

   Failure of a social engineering exercise includes but is not limited to:

   • Clicking on a URL within a phishing test
   • Replying with any information to a phishing test
   • Opening an attachment that is part of a phishing test
   • Enabling macros that are within an attachment as part of a phishing test
   • Allowing exploit code to run as part of a phishing test
   • Entering any data within a landing page as part of a phishing test
   • Transmitting any information as part of a vishing test
   • Replying with any information to a smishing test
   • Plugging in a USB stick or removable drive as part of a social engineering exercise
   • Failing to follow Piedmont University policies in the course of a physical social engineering exercise.

      

   Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.

    

   The Piedmont University OITS may also determine, on a case-by-case basis, that specific Failures are a false positive and should be removed from that staff member’s total Failure count.

    

1. Compliance Actions

   Certain actions or non-actions by Piedmont University personnel may result in a compliance event (Pass).

   A Pass includes but is not limited to:

   • Successfully identifying a simulated social engineering exercises
   • Not having a Failure during a social engineering exercise (Non-action)
   • Reporting real social engineering attacks to the IS department

    

2. Removing Failure Events through Passes

Each Failure will result in a Remedial training or coaching event as described in the Progressive Discipline and Standards of Conduct Policy. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.

4. Responsibilities and Accountabilities

Listed below is an overview of the responsibilities and accountabilities for managing and complying with this policy program.

The Chief Information Officer/Information Security Manager is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the organization’s and the organization’s customer’s information assets.

Information Security Management is responsible for developing and maintaining a comprehensive suite of information security policies (including this one), standards, procedures and guidelines that are to be mandated and/or endorsed by management where applicable. Working in conjunction with other corporate functions, it is also responsible for conducting suitable awareness, training, and educational activities to raise awareness and aid understanding of staff’s responsibilities identified in applicable policies, laws, regulations, contracts, etc.

All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.

All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.