
Policy and Procedure: Internal Phishing Campaigns 2023

Policy: New York State Policy on Security Training for employees:

New York State Policy on Information-Security NYS-P03-002 updated 2017-03-10 states:

“The State Entity (SUNY) workforce must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire.

Additional training on State Entity specific security procedures, if required, must be completed before access is provided to specific SE sensitive information not covered in the general security training.

All security training must be reinforced at least annually and must be tracked by the State Entity.”

The objective of this Policy is to ensure that each campus has designed and implemented a Program that educates users on their responsibility to protect the confidentiality, availability, and integrity of SUNY data and information; and assess compliance with aspects of:

  • Federal Gramm-Leach-Bliley Act (GLBA),
  • New York State Acceptable Use of Information Technology Resources Policy and New York State Information Security Policy (NYS IT Policies) as authorized under the New York State Technology Law, and
  • SUNY Information Security Policy #6900.

Testing the Effectiveness of Awareness Training

In addition to conducting awareness training, testing the effectiveness of that training is also required. To test the program’s effectiveness, Purchase College will develop and perform phishing simulations to identify whether improvements to the Awareness Training Program are needed to address certain areas and to identify individuals who may require additional training.

Purchase College Information Security Awareness Training Program

Purchase College meets the Policy requirements stated above through an Information Security Awareness Training Program (separate document). That Program is a formal management function, with written goals and charges, that seeks to address the full range of information security training issues that affect the College. The Program seeks to provide training that covers best practices in Information Security and compliance with all applicable laws, regulations, policies, and standards over an extended period of organizational and technical development. The Purchase College Information Security Awareness Training Program Team will establish, document, manage, maintain, and upgrade an ongoing Information Security training program for all college employees and persons with Purchase College electronic accounts. This document covers the Purchase College Policy and Procedure for Internal Phishing used to test the effectiveness of the Awareness Training Program.

Procedure:

Security Awareness Testing Program: Pro-Active Phishing Campaigns

  1. On a periodic basis the college will conduct broad-based and targeted spear-phishing campaigns that mimic the general and spear-phishing campaigns the college is regularly subjected to.

  2. Phishing Campaign content will be refreshed regularly, and each campaign will have new content.

  3. Phishing Simulation campaigns and results will be maintained for review and improvement.

  4. General security awareness messaging will be distributed at least once per semester and will include Phish Testing procedures and consequences.

  5. Phish Testing will occur on a frequent but irregular basis.

  6. Phish Testing Preparation: The team will coordinate the content and timing of the campaign with the Director of the Unit/Area whose name or function is being used as the lure. Phishing content will be rotated for each campaign and will use content and lures similar to those found in the wild - IT services, direct deposit changes, salary reports, supervisor availability inquiries, etc.

  7. Notification: The testing team will provide advance notification to the email administrator and to the network administrator. Both positions use tools that actively monitor and block phishing attempts. The purpose of this advance notification is to ensure those tools do not interfere with the internal Phishing Campaigns.

  8. Notification: When a college employee “fails” a Phishing test (clicking a link or entering credentials), the individual - and their supervisor - will be notified of the failure by email. This notification will include an illustration of the “red flags” contained in the message. The notice will also include the requirement that the individual complete additional Security Awareness Training within 21 days.

  9. The individual account will be Flagged for Password Reset. Accounts will be flagged during regular business hours so that the individual can quickly get assistance from CTS in reactivating their account. (Important Note: In cases where an individual falls for an external Phish, the account is immediately suspended as well as flagged for password reset. This is to prevent any malicious use of the account while we wait for the individual to contact CTS.)

  10. Additional anti-phishing training will be required for any Phishing failures and must be completed within 21 days.

  11. The Training Program Team will conduct an annual review of the Testing Program and make necessary adjustments to improve the effectiveness of the Testing Program.

Phishing Platform:

The Security Awareness Testing Procedure may use a variety of tools at any given time. Currently the College uses KnowBe4 as its Phishing platform. The platform includes templates for Phishing Campaigns and allows the college to create its own custom phishing templates.

All employees are subject to Phishing campaigns. KnowBe4 tracks and reports on individual actions and responses to Phishing campaigns created by the College.

Information Security Awareness Training Program Team

The Program Team (see Information Security Awareness Training Program Team Assignments document) continuously monitors what the College should be doing to improve or maintain information security awareness testing. The Team plans, designs, and recommends campaigns and content, and monitors their effectiveness.

The Team contains members with sufficient power to make consistent progress in meeting its charge. It contains members capable of representing the full range of college units. The Team activity is part-time, but it continuously oversees projects in this field of operations as well as identifying and prioritizing next projects.

Program Charge and Scope

The Chief Information Officer charges and authorizes the Information Security Awareness Training Program Team with the responsibility and authority to develop, document, conduct, analyze, test, and report on the effectiveness of Information Security Awareness Training.

The Team will conduct ongoing Phishing Testing and report these results in writing to the College Cabinet.

The Team will work to coordinate testing schedules and content with other College units as appropriate.

Documents

Formal documents, such as this, are significant components of the Program. Program documents provide specific policy and procedures and provide controls and documentation of key actions and positions of the Team, such as: statements of standards; risk assessments planned and completed; training programs planned and completed; oversight of service providers and contracts; Team evaluations of the Program.

These documents must be controlled as highly sensitive information with limited authorizations. These documents’ locations and security are maintained by the College’s Chief Information Officer (the Team Leader).

Program Origin

The Information Security Awareness Training Program was formally established December 2022 under the authority of the Chief Information Officer. Prior to December 2022, the college had an informal training program in place for many years. While the informal program was highly successful, a Training Audit in 2022 recommended that formal Program Documentation and Assignments be created.

One of the Audit findings was a recommendation to “develop and perform phishing simulations to identify whether improvements to the Awareness Training Program are needed to address certain areas and to identify individuals who may require additional training.”

Change Log:

2023-04-27 Created - modelled on other ISP Program Authorizations/policies