Awareness & Training Standard

Description

An important component of an information security program is security awareness and role-based training on the relevant internal and external threats.

Scope

This policy applies to everyone who accesses University data or information resources.

Security Requirements

NIST 800-171 references the following security requirements within the Awareness & Training family:

• Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. [3.2.1]

• Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. Personnel responsible for information-security related duties and responsibilities are required to complete specific KnowBe4 training. The KnowBe4 "Training Campaign" section contains all of the training campaigns that are required from personnel (e.g., Students, Staff and Faculty) [3.2.2]

• Provide security awareness training on recognizing and reporting potential indicators of insider threat. [3.2.3]                 

Other compliance requirements:

• FERPA - Lehigh employees needing access to student data need to validate their understanding of requirements under FERPA prior to obtaining access to student records.

• HIPAA - Lehigh employees needing access to health records will complete annual training related to the protection of PHI (protected health information) and requirements under HIPAA

• Red Flags Rule - The Board of Trustees established the Lehigh Identity Theft program under the direction of the Vice President of Finance and Administration to comply with the Red Flags Rule. Applicable Lehigh employees need to validate their understanding of the Lehigh Identity Theft program and requirements under the Red Flags Rule annually. 

• Data Use Agreements (DUA) - The University may choose to enter into agreements that require us to maintain security and privacy controls on their data, including training. Compliance with DUA is the responsibility of the unit entering the agreement.

Implementation

1. Lehigh personnel with access to sensitive information resources will:

   1. Complete security awareness training prior to, or at least within 30 days of being granted access to any University information resources. This shall be part of the new employee orientation training session.

   2. Annually acknowledge they have read, understand, and will comply with university requirements regarding computer security policies and procedures.

   3. Complete the university security awareness training on an annual basis.

      1. Security awareness training shall address the recognition and reporting of indicators for insider threats.

2. The Chief Information Security Officer (CISO) shall communicate new security program information, security bulletin information, and security items of interest to the community.

3. It is the responsibility of the CISO, or designee, to ensure role-based security training is completed by information technology staff with assigned security roles and responsibilities:

   1. Before authorizing access to information resources or performing assigned duties;

   2. When required by information resource changes; and

   3. Annually, thereafter.

4. Stem leaders are responsible to ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

5. Security Training should be updated annually to remain relevant and at minimum include information on:

   1. Two factor authentication

   2. Social engineering

   3. Sensitive Data lifecycle: identify, store, transfer, archive, and destruction

   4. Common causes for unintentional data exposure and how to avoid them

   5. Common indicators of a security incident and how they should respond

6. Security Training for Defined Roles

   1. Firewall Administrators - [See Firewall Management Standard]

Related

The Awareness and Training Standard is created under the Information Security Policy.

• NIST 800-171/800-53 Rev 5.

• Family Educational Rights and Privacy Act (FERPA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule

• CIS Controls v7.1

Definitions

Revision History