Security Awareness, Training, and Education Plan
Version 2.0, December 2016
Effective Date: 12/19/2016   Last Review: 12/18/2017   Next Review: 12/2018
TABLE OF CONTENTS
1.1 SCOPE
1.2 PRINCIPLES
1.3 REVISIONS
2.1 OBJECTIVE
3.1 PLAN DETAILS
3.2 WORKFORCE DESIGNATION
3.3 NEW HIRES
3.4 EMPLOYEES AND RETIREES
    3.4.1 IT STAFF
    3.4.2 EXECUTIVE AND MANAGEMENT
3.5 THIRD-PARTY USERS
3.6 VISITORS
3.7 PARTICIPATION TRACKING
3.8 EVALUATION AND FEEDBACK
3.9 UPDATING
3.10 SANCTIONS FOR COMPROMISED ACCOUNTS
    3.10.1 FACULTY, STAFF, STUDENT WORKERS
    3.10.2 RETIREES
    3.10.3 THIRD-PARTY USERS
3.11 SANCTIONS FOR NON-COMPLETION OF ANNUAL TRAINING
    3.11.1 FACULTY, STAFF, STUDENT WORKERS
    3.11.2 RETIREES
    3.11.3 THIRD-PARTY USERS
3.12 NEW HIRES
3.13 PRACTICAL EXERCISES
4.1 MANDATORY CONTROLS
5.1 DISCRETIONARY CONTROLS
6.1 REFERENCES
7.1 DEFINITIONS
1.1 SCOPE
This plan applies to all users of information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM), including its remote centers. "Users" includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University's information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.
1.2 PRINCIPLES
The University has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this plan is based on those guidelines. Specifically, this plan is based on the guidelines in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program. The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus. UTM must develop or adopt, and adhere to, a plan that demonstrates compliance with related policies and standards. This plan is the responsibility of the Position of Authority. Each User of University resources is required to be familiar with and comply with University policies. Acceptance of University policy is assumed if a User accesses, uses, or handles University resources.
1.3 REVISIONS
Date         Action                                                                                Name
06/10/2016   Created (0.1)                                                                         Brian Stubblefield
08/03/2016   Content, wording (0.2)
08/03/2016   Submitted for preliminary review
08/26/2016   Wording, formatting (0.3)
08/31/2016   Third-party users, security controls (0.4)
10/11/2016   Mandatory and discretionary controls, recommended changes, visitors (0.5)
11/17/2016   Eduroam definition, executive and management subsection (0.6)
11/18/2016   Changed to plan (0.7)
11/21/2016   Practical exercises, LMS, HR0128 reference, sanctions, title (0.8)
12/19/2016   Reviewed, approved, adopted (1.0)
08/15/2017   Added Workforce designation and references, practical exercises wording (1.1)
09/05/2017   Updated principles from CoP document, edit on sanctions, page numbering (1.2)
10/27/2017   Added sanctions for non-completion of annual training (1.3)
12/11/2017   Recommended changes to annual training sanctions from IT Governance, specified Dec. 31 (1.4)
12/18/2017   Approved (2.0)
2.1 OBJECTIVE
To establish a formal, documented Security Awareness, Training, and Education program for University information systems users, and to facilitate appropriate training controls.

3.1 PLAN DETAILS
The campus Workforce must successfully complete security awareness training by December 31 each year. A reasonable amount of time will be granted to successfully complete the training in the current Learning Management System (LMS). Information security awareness training will be used in personnel performance evaluations. Additional training will be required for individuals with specific roles and responsibilities within the University.

3.2 WORKFORCE DESIGNATION
The Workforce at UTM will consist of all current faculty and staff, retirees, and ITS student workers.
3.3 NEW HIRES
All new employees are required to complete security awareness training within 30 days of being hired (AT-2). The account expiration date will be set in Active Directory so that if training has not been completed before the deadline, the account will be disabled. The account will be reactivated temporarily until the user successfully completes training. The expiration date will be removed once the user has passed the security awareness course in the LMS.
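The Active Directory mechanism described in 3.3 reduces to three operations: stamp the new account with an expiration 30 days after the hire date, reopen it for a bounded window when the deadline is missed (the 48-hour reactivation window of 3.12), and clear the expiration once the LMS reports a pass. The PowerShell below is an added example written for this page, not ITS's own script; it assumes the RSAT ActiveDirectory module and a caller with rights to write accountExpires, and the username and hire date it uses are constructed sample data.

```powershell
# Added example for this page; not the University's own tooling. Assumes the
# RSAT ActiveDirectory module and an account permitted to write accountExpires
# on the target users. The username and hire date below are constructed.
Import-Module ActiveDirectory

function Set-NewHireTrainingDeadline {
    # 3.3: stamp the new account with hire date + 30 days (the AT-2 window).
    # Once this moment passes the domain controller refuses new logons for
    # the account, so no separate disable step is needed.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$HireDate,
        [int]$GraceDays = 30
    )
    $deadline = $HireDate.Date.AddDays($GraceDays)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $deadline
    return $deadline
}

function Grant-TemporaryReactivation {
    # 3.3 / 3.12: reopen an expired account for a fixed window (48 hours by
    # default) so the user can finish the LMS course. If they do not, the
    # account lapses again on its own with no further action by ITS.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 48
    )
    $until = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $until
    return $until
}

function Clear-TrainingDeadline {
    # 3.3: the LMS reports a pass, so remove the expiration entirely; the
    # account is then governed only by the annual December 31 cycle.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Clear-ADAccountExpiration -Identity $SamAccountName
}

function Get-TrainingDeadlineReport {
    # Weekly view for the security administrator: accounts that will lapse
    # within $WithinDays, plus those already past their deadline. Note that
    # an expired account is not the same as a disabled one, so
    # -AccountDisabled would not list these.
    param([int]$WithinDays = 7)
    $span    = [TimeSpan]::FromDays($WithinDays)
    $soon    = Search-ADAccount -AccountExpiring -TimeSpan $span -UsersOnly
    $expired = Search-ADAccount -AccountExpired -UsersOnly
    [pscustomobject]@{
        ExpiringSoon = $soon    | Select-Object SamAccountName, AccountExpirationDate
        Expired      = $expired | Select-Object SamAccountName, AccountExpirationDate
    }
}

# Sample usage with constructed data ('jdoe' is not a real account).
Set-NewHireTrainingDeadline -SamAccountName 'jdoe' -HireDate (Get-Date '2017-08-15')
Get-TrainingDeadlineReport -WithinDays 7
# Deadline missed and supervisor notified; user asks to finish the course:
Grant-TemporaryReactivation -SamAccountName 'jdoe' -Hours 48
# LMS records a pass:
Clear-TrainingDeadline -SamAccountName 'jdoe'
```

One caveat worth knowing before relying on this for the midnight cutoffs in 3.11: accountExpires is checked when the account authenticates (interactive logon, Kerberos ticket issuance), so a session or ticket the user already holds at the deadline keeps working until it times out. Where the intent is an immediate cutoff, pair the expiration with Disable-ADAccount or a forced logoff rather than relying on the expiration alone.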
3.4 EMPLOYEES AND RETIREES
All employees and retirees are required to successfully complete the "Required Training" module each calendar year (AT-2). Re-testing for sanctions does not apply toward the annual requirement.

3.4.1 IT STAFF
All ITS staff and student workers must successfully complete the "IT Staff" module in addition to the required yearly training (AT-3).

3.4.2 EXECUTIVE AND MANAGEMENT
All executives and managers must successfully complete the "Executive and Management" module in addition to the required yearly training (AT-3).
3.5 THIRD-PARTY USERS
Third-party users must complete training prior to accessing the network or systems (AT-3). Third-party users from other UT campuses or institutes are exempt from completing training provided they have completed security awareness training from their respective campus or institute.

3.6 VISITORS
Visitors to campus are not required to complete security awareness training. They are only permitted to use the publicly-accessible computers in the Library, the "UTM Guest" wireless network, or Eduroam if they are from a participating institution.

3.7 PARTICIPATION TRACKING
The LMS used to provide training content must have the ability to monitor and report compliance and progress (AT-4). Participation in security awareness training can be documented for credit in accordance with UT policy HR0128 unless it was required by sanctions.

3.8 EVALUATION AND FEEDBACK
Mechanisms for evaluation and feedback should be implemented into training to help determine effectiveness and quality.

3.9 UPDATING
Training content and delivery should be evaluated at least yearly. Additional evaluation will be necessary with changes in:
1. Updated content
2. Platform
3. Policies
4. Legal requirements
3.10 SANCTIONS FOR COMPROMISED ACCOUNTS
Sanctions will be implemented against users who allow their accounts to be compromised and are dependent on the number of occurrences (PS-8). The severity of an incident can also be used for determining sanctions.

3.10.1 FACULTY, STAFF, STUDENT WORKERS
1st Offense:
• Actions are reported to immediate supervisor or department head
• Retake security awareness training
2nd Offense:
• Actions are reported to the department head, Chair of the Department, and/or Dean of the College
• Retake security awareness training
• Additional training may also be recommended or required
3rd Offense:
• Actions are reported to the appropriate vice-chancellor
• Notation is made in the offender's Human Resources file
• Internet access is restricted until one-on-one training with a member of ITS security staff is completed
4th Offense and beyond:
• To be determined by the appropriate vice-chancellor

3.10.2 RETIREES
1st Offense:
• Retake security awareness training
2nd Offense:
• Network access is restricted until one-on-one training with a member of ITS security staff is completed
3rd Offense:
• Permanent revocation of network access privileges

3.10.3 THIRD-PARTY USERS
1st Offense:
• Network access is revoked

3.11 SANCTIONS FOR NON-COMPLETION OF ANNUAL TRAINING
Sanctions will be implemented against users who do not complete the required annual training before December 31.

3.11.1 FACULTY, STAFF, STUDENT WORKERS
January 1:
• Account is disabled at midnight
• Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
• Account is disabled
• Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
• Immediate supervisor or department head must request account reactivation, and training must be completed within 24 hours
3rd Missed Deadline:
• Account is disabled
• Non-compliance reported to the appropriate vice-chancellor
• Notation is made in the offender's Human Resources file
• Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
• Training must be completed by the end of the workday
4th Missed Deadline:
• Account is disabled
• To be determined by the appropriate vice-chancellor

3.11.2 RETIREES
January 1:
• Account is disabled at midnight
• Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
• Account is disabled
• Training must be completed within 24 hours of account reactivation
3rd Missed Deadline:
• Account is permanently disabled

3.11.3 THIRD-PARTY USERS
1st Missed Deadline:
• Account is disabled

3.12 NEW HIRES
Sanctions will be implemented against new hires who do not complete the required training within 30 days of being hired (AT-2).
1st Missed Deadline:
• Account is disabled
• Incident reported to immediate supervisor or department head
• Training must be completed within 48 hours of account reactivation
2nd Missed Deadline:
• Account is disabled
• Non-compliance reported to the department head, Chair of the Department, and/or Dean of the College
• Immediate supervisor or department head must request account reactivation, and training must be completed within 24 hours
3rd Missed Deadline:
• Account is disabled
• Incident reported to the appropriate vice-chancellor
• Notation is made in the offender's Human Resources file
• Employee required to meet with their supervisor, department head, Chair of the Department, and/or Dean of the College, Security Administrator, and CIO before account reactivation
• Training must be completed by the end of the workday
4th Missed Deadline:
• Account is disabled
• To be determined by the appropriate vice-chancellor

3.13 PRACTICAL EXERCISES (AT-2(1))
ITS Security can perform various exercises to test the effectiveness of the security awareness training on individual users or groups of users. Prior notice to, and approval from, the CIO and the Director of IT Infrastructure is required before proceeding with any practical exercises.

4.1 MANDATORY CONTROLS
Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed.
• Workforce Designation: Each Campus must designate the makeup of its Workforce requiring Awareness Training.
• Basic Security Awareness Training (AT-2): Each Campus must provide basic security awareness training as a part of initial training for new users, when required by information system changes, and annually thereafter.
• Role-based Security Training (AT-3): Each Campus must provide role-based security training to personnel with assigned security responsibilities before authorizing access to the information system or performing assigned duties, when required by information system changes, and annually thereafter.
• Security Training Records (AT-4): Each Campus must document and monitor individual information system user security training activities.
5.1 DISCRETIONARY CONTROLS
Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary Controls must not conflict with or lower the standards established by Mandatory Controls.
• Personnel Sanctions (PS-8): Formal sanctions processes for personnel failing to comply with established information security policies and procedures.
• Security Awareness Training | Practical Exercises (AT-2(1)): Practical exercises include, but are not limited to, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

6.1 REFERENCES
IT0123 - Security Awareness, Training, and Education
NIST SP 800-50 - Building an Information Technology Security Awareness and Training Program
NIST SP 800-16 Rev 1, 3rd Draft - A Role-Based Model for Federal Information Technology/Cybersecurity Training
NIST SP 800-53 Rev 4 - Security and Privacy Controls for Federal Information Systems and Organizations
HR0128 - Human Resources Development
7.1 DEFINITIONS
Eduroam (education roaming): A secure roaming access service which allows students and staff from participating institutions to obtain Internet connectivity when visiting participating institutions using their own credentials.
Employee: Faculty, staff, or student worker.
Sanction: An official action taken against a user.
Third-Party User: An authorized user not affiliated with the University but involved in collaboration, including but not limited to auditors, consultants, vendors, and contractors.
Visitor: A user not directly affiliated with the University.