Security Awareness Training
Upon hire and then on an annual basis, all employees and Non-Employee Access (NEA) contractors are required to complete web-based training covering various security awareness topics.
The mandatory annual training will take approximately 15-20 minutes and will cover the following:
- LRCCD’s Information Security Policy and Regulation
- LRCCD’s data classification and incident reporting requirements
- Relevant information security topics (e.g. phishing, malware, etc.)
Training will be accessed via a notification email containing a passwordless login link unique to each user. Learners will also be able to authenticate to the learning platform via LRCCD Single Sign-On (SSO).
Monthly Security Awareness Emails and Optional Web-Based Micro-Modules
LRCCD will send a monthly security awareness email/newsletter to all users, including a link to a monthly micro-module or other short web-based training that will be optional for the user to complete.
On-Demand Optional Security Awareness Training
Via SSO, all employees and contractors will have access to a personal training page that can be used to access mandatory as well as recommended trainings, including:
- An extended version of the annual security awareness training presentation
- FERPA training
- Information security awareness games
Phishing Simulation Tool
LRCCD will utilize a phishing simulation tool to regularly test all employees on their ability to recognize and respond to phishing attempts.
- LRCCD will conduct a blind initial baseline phishing test of all users to determine the starting phish-prone percentage.
- Once the initial campaign is completed, District IT will install a phish reporting add-in tool systemwide, to be used by employees to report suspected phishing emails.
- Training emails and brief optional web-based training, informing users of the initial campaign and how to use the reporting tool going forward, will be distributed to all employees/contractors.
- Phishing tests will be performed on at least a monthly basis. Phishing templates will initially be the same for all users and will be set at a moderate difficulty for the user to detect. A user fails a test by clicking on a link or opening an attachment in a phishing test email. Users who do not fail a phishing test will be dynamically placed into a group that receives more difficult phishing templates. If they fail the more difficult tests, they will be put back into the lower difficulty group.
- Users who fail by clicking on a link will be taken to a landing page that indicates what they missed and how to avoid phishing emails in the future.
- Users who click a second time will be presented with a training video covering phishing.
Analysis of User-Submitted Suspected Phishing Emails
LRCCD will utilize a tool that routes reported emails to a triage center.
- Reported emails are automatically analyzed for malicious content.
- If malicious content is discovered, the submitting user will be notified and steps will be taken to pull identical or similar emails from all other District mailboxes.
* A link to the tool to be used will be placed here.