Security Awareness Training Policy
I. Overview
The confidentiality, integrity and availability of data, information, and systems are of vital importance to the continued operation of Bucks County Community College (the College) and furtherance of its mission. Security Awareness Training programs are a critical component in accomplishing this objective.
II. Purpose
Faculty and staff are the front line in protecting the College's Information Technology Resources. This policy will provide consistent guidance and an overall approach to security awareness while also establishing the requirements for security awareness training.
III. Scope
This policy applies to all College faculty and staff.
IV. Policy Owner
The Chief Information Officer (CIO) is responsible for this policy and the Chief Operating Officer (COO) is responsible for its administration. At a minimum, the policy will be reviewed and updated once per year, where applicable. If significant changes in the environment warrant updating of this policy, then those updates will be applied as soon as possible. The policy will be disseminated whenever it is updated.
V. Definitions and Terms
- Information Technology Resource(s) – includes but is not limited to the following: computer and networking equipment, workstations, laptops, software, operating systems, storage devices and media, network accounts, email services and email accounts, Internet browsing and related services, voice mail, applications, scanning and fax systems, tablets, and smartphones.
- Phishing Simulation – a program used to send realistic phishing emails to gauge faculty and staff awareness of phishing attacks. Phishing simulation is typically used in coordination with phishing training that educates users about how these attacks work and how to avoid them.
VI. Policy
- All newly hired faculty and staff that have access to the College’s Information Technology Resources are required to complete the Security Awareness Training course within the first thirty (30) days of their date of hire.
- All faculty and staff that have access to the College's Information Technology Resources are required to complete the Security Awareness Training course every calendar year.
- All faculty and staff that have access to the College’s Information Technology Resources are required to acknowledge that they have reviewed the College’s Responsible Use Policy, which will ensure that they are fully aware of security best practices and their role in protecting the College’s Information Technology Resources and data.
- Managers and Supervisors are responsible for ensuring that each of their direct reports completes all security awareness trainings.
- To increase awareness and knowledge of the tactics and techniques used to compromise accounts and access Information Technology Resources, Information Technology Services (ITS) may conduct automated phishing simulation exercises. Additional training will be required for any faculty or staff member following three (3) failed phishing simulations within a given calendar year.
- Security awareness training content will be reviewed annually by the IT Security Officer.
VII. Exceptions
Any exception to the policy must be approved by the policy owners in advance.
VIII. Compliance
- Compliance with this policy will be accomplished through automated reporting tools.
- Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
IX. Related Standards, Policies and Processes
Responsible Use Policy
X. Approval
Board of Trustees – June 13, 2024