To keep SVSU's information assets secure and available, security awareness training is administered to new hires and on an ongoing basis thereafter to all employees of the organization.
Acceptance of Security-Related Policies
SVSU identifies, develops, and maintains a set of security-related policies. These policies are provided to faculty, staff, and each new employee.
Annual Review and Update of Security-Related Policies
SVSU keeps all security-related policies updated. At least annually, an Information Technology Services (ITS) leader, or individuals assigned by ITS leadership, reviews all security-related policies. If updates are recommended, the Executive Director of Information Technology Services approves the updates to these policies. SVSU communicates the updates to its employees.
AT 02 - Security Awareness Training
The Information Systems Security Manager and the Executive Director of ITS develop a Security Awareness Training Plan. This plan outlines which training content needs to be delivered to which employee (group).
- General Security Awareness Training Plan: SVSU provides each employee with general security awareness training courses at least once a year. The General Security Awareness Training Plan is oriented towards all employees, regardless of the access level associated with their role.
- Course curriculum delivery and tracking software (similar to KnowBe4) is used to send quarterly training modules to employees; the software also provides tracking and reporting.
- Phishing simulations are conducted monthly. Employees who fail a phishing simulation are automatically enrolled in additional training.
- Advanced Security Awareness Training Plan: SVSU requires each System Administrator or Network Engineer to take at least one advanced security awareness course on an ongoing basis, or at least once a year. The advanced security training is oriented towards all those with elevated access to infrastructure.
Employees are trained in security-related issues according to the training plan.
- Each new employee needs to be trained in general security awareness and/or advanced security awareness within the first six months of employment.
- Participation in security awareness training is documented and centrally managed by the Security Awareness Training software and reported to leadership at various intervals.
AT 03 - Role-based Training
SVSU provides role-based security training to personnel with assigned security roles and responsibilities. This training builds on the training outlined in AT 02 Security Awareness Training and provides the further instruction necessary for the specific role.
On an annual basis, SVSU reviews the need for role-based training and develops a training program to address these needs:
- Information Security Personnel: Threat vectors and mitigation technologies and measures change all the time. Personnel responsible for Information Security need to be trained to stay up to date with the latest developments in the field.
- Privileged Access Users: Anyone with privileged access to systems, such as a system administrator, should receive tailored security training on how to keep the systems they are responsible for secure. If an attacker were to gain access to a privileged user's credentials, the attacker could potentially wreak havoc on a system by shutting it down, installing malware, and holding the system for ransom. This group includes IT personnel responsible for maintaining the systems and devices that support the business objectives.
Role-based training can be accomplished in various ways:
- Specific computer-based training modules
- In-person training administered by SVSU personnel or external experts
- External seminars and conventions
- Classes leading to credentials (e.g., CISSP or similar for Information Security Personnel).
ITS leadership establishes an annual training and qualification program for individuals where role-based training is beneficial. The training is administered over the calendar year. Participation is tracked and training activities are recorded.
AT 04 - Security Training Records
- New employees are assigned a general security awareness course two days after their login credentials are created.
- For quarterly security awareness training, participation is documented and centrally managed in the third-party application database (currently KnowBe4).
- For role-based training, participation in the training activities is documented and centrally managed in the goals tracking section of the performance evaluation software.
NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations