Policy Statement:

Rockhurst University is committed to ensuring the security of its information systems and protecting sensitive data from unauthorized access, theft, and misuse. To achieve this, all employees are required to complete training on phishing and other email security threats. Bi-weekly simulated phishing tests will be conducted to assess employees' awareness and response to potential threats. Failure to pass the simulated test will result in mandatory additional training.

Policy Scope:

This policy applies to all Rockhurst University employees, including faculty, staff, and administrators, who have access to the university's network and email systems.

Policy Guidelines:

Training Program:

  1. Rockhurst University will provide comprehensive training on phishing and other email security threats to all employees.
  2. The training program will cover topics such as identifying phishing emails, recognizing common email security threats, best practices for email security, and reporting suspicious emails.
  3. The training will be available through an online learning platform or conducted through in-person workshops, as determined by the university's IT department.
  4. All employees must successfully complete the training within [specific timeframe, e.g., 30 days] of their employment start date.

Simulated Phishing Tests:

  1. Bi-weekly simulated phishing tests will be conducted throughout the year to assess employees' ability to recognize and respond to phishing attempts.
  2. Simulated phishing emails will be sent to employees' work email accounts, designed to resemble real phishing emails.
  3. Employees must exercise caution and refrain from clicking on any suspicious links or opening attachments in simulated phishing emails.
  4. If an employee fails a simulated phishing test by clicking on a link or opening an attachment, they will be required to undergo additional mandatory training.

Consequences of Failure:

  1. If an employee fails a simulated phishing test, they will be notified of their failure and be required to complete additional mandatory training on email security within a specified timeframe.
  2. Failure to complete the additional training within the designated timeframe may result in temporary suspension or revocation of network account privileges.
  3. Employees will regain full access to their network accounts upon successful completion of the additional training.

Reporting Suspicious Emails:

  1. Employees are encouraged to report any suspicious emails or potential phishing attempts to the university's IT Help Desk.
  2. Reporting procedures and contact information for the IT department will be provided during the training.
  3. Prompt reporting of suspicious emails will enable the IT department to take appropriate action to mitigate potential risks.

Training Recordkeeping:

  1. The university's IT department will maintain records of employee training completion, including successful completion of the initial training and any additional mandatory training.
  2. Training records will be used to monitor compliance with the policy and track employee progress.
  3. Training records will also be used to identify areas for improvement in the training program and address individual employee training needs.

Policy Review:

  1. This policy will be reviewed annually to ensure its effectiveness and relevance.
  2. Any necessary updates or modifications will be made in accordance with evolving security threats and best practices.

By adhering to this Security Training Policy, Rockhurst University aims to enhance its overall security posture and protect its employees and sensitive information from email-based threats.