Security Awareness Training

Upon hire and then on an annual basis, all employees and Non-Employee Access (NEA) contractors are required to complete web-based training covering various security awareness topics.

The mandatory annual training will take approximately 15-20 minutes and cover the following:

  • LRCCD’s Information Security Policy and Regulation
  • LRCCD’s data classification and incident reporting requirements
  • Relevant information security topics (e.g., phishing, malware, etc.)

Training will be accessed via a notification email with a passwordless login unique to each user. Learners will also be able to authenticate to the learning platform via LRCCD Single Sign-On.

Monthly Security Awareness Emails and Optional Web-Based Micro-Modules

LRCCD will send a monthly security awareness email/newsletter to all users, along with a link to a monthly micro-module or other short web-based training that is optional for the user to complete.

On-Demand Optional Security Awareness Training

Via SSO, all employees and contractors will have access to a personal training page that can be used to access mandatory as well as recommended trainings, including:

  • An extended version of the annual security awareness training presentation
  • FERPA Training
  • Information security awareness games

Phishing Simulation Tool

LRCCD will utilize a phishing simulation tool to regularly test all employees on their ability to recognize and respond to phishing attempts.

  • LRCCD will conduct a blind initial baseline phishing test of all users to determine the starting phish-prone percentage.
  • Once the initial campaign is completed, District IT will install a phish reporting add-in tool systemwide to be used by employees to report suspected phishing emails.
  • Training emails and brief optional web-based training will be distributed to all employees/contractors to inform users of the initial campaign and how to use the reporting tool going forward.
  • Phishing tests will be performed on at least a monthly basis. Phishing templates will initially be the same for all users and will be set at a moderate difficulty for the user to detect. A failure is clicking on a link or opening an attachment in a phishing test email. Users who do not fail a phishing test will be dynamically placed into a group that receives more difficult phishing templates. If they fail the more difficult tests, they will be put back into the lower difficulty group.
  • Users that fail by clicking on a link will be taken to a landing page that indicates what they missed and how to avoid phishing emails in the future.
  • Users that click a second time will be presented with a training video covering phishing.

Analysis of User-Submitted Suspected Phishing Emails

LRCCD will utilize a tool that routes reported emails to a triage center:

  • Emails are automatically analyzed for malicious content.
  • If malicious content is discovered, the submitting user will be notified and steps will be taken to pull identical or similar emails from all other District mailboxes.

* A link to the tool to be used will be placed here.