Proprietary Statement

This document was developed specifically for and by Christopher Newport University.  The concepts and methodologies contained herein are proprietary to Christopher Newport University.  Duplication, reproduction, or disclosure of information in this document without the express written consent of Christopher Newport University is prohibited.

All Trademarks, Registered Trademarks, Service Marks, and brand and product names used in this document are the property of their respective owners.

© Copyright 2021 Christopher Newport University. All rights reserved.

Review and Revision History

Date

Version

Description of Change (Affected Sections)

Author

8/25/2021

1.0

Initial Release

Wendy L. Corrice


TABLE OF CONTENTS

Introduction 5

Purpose 5

Scope 5

Roles and Responsibilities 5

Definitions 6

Guidelines 6

Recommendations 7


Introduction

Security awareness training courses, while inherently valuable to Christopher Newport University’s information security strategy, need practical support to be effective. In other words, just showing end users videos or asking them to complete quizzes isn’t enough on its own – Christopher Newport University must ensure users have acquired the knowledge they need through simulated phishing attacks.

Phishing awareness training refers to a training campaign that educates end users on specific phishing threats they may encounter in their daily lives. Effective phishing awareness training initiatives leverage phishing simulations to enhance employee understanding, allowing them to detect and avoid phishing attacks in a safe environment.

Purpose

Simulating phishing attacks assess the maturity of Christopher Newport University’s security awareness posture, and subsequently, optimizes future iterations of campaign learning material and components. 

Scope

Phishing Simulation is currently limited to the following Departments:

  • Advancement
  • Business Office
  • Executive Team
  • Financial Aid
  • Human Resources
  • Registrar
  • Users at the discretion of the Information Security Officer

Roles and Responsibilities

  1. Information Security Officer (ISO) - The Christopher Newport University employee, who is responsible for developing, enforcing and managing Christopher Newport University's information technology (IT) security program.
  2. University Faculty, Staff, Student Workers, and Volunteers - All University-Related Persons are responsible for complying with these guidelines and, where appropriate, supporting and participating in processes related to compliance with these guidelines.
  3. Vice Presidents, Deans, Directors, Department Heads, and Supervisors - All Vice Presidents, Deans, Directors, Department Heads and Supervisors must take appropriate actions to comply with all information technology and security policies. These individuals have ultimate responsibility for University resources, for the support and implementation of these Guidelines within their respective Units, and, when requested, for reporting on compliance to ISO.

Definitions

  • Phishing - the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
  • Sensitive System - A Sensitive System is a term given to any IT system in which the classification is highly confidential according to Data Classification Standard.
  • Simulation - A simulation is the imitation of the operation of a real-world process or system over time.
  • Social Engineering - the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
  • University Data -University Data is any data or information that is created, owned, received, stored, or managed by Christopher Newport University.

Guidelines 

The Commonwealth of Virginia Information Technology standard (VITA SEC 501) requires agencies to provide basic security awareness training to information system users. Users who have access to systems that are classified as “sensitive” in accordance with Christopher Newport University’s Data Classification Standard must include practical exercises in security awareness training that simulate actual cyber-attacks. Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.

  1. PHISHING SIMULATION TRAINING
    1. Users in the scope referenced above will receive random phishing simulation emails.  These simulated emails will be sent with no prior notice to the end-user, their supervisors, or departments. 
      1. Phishing email campaigns will be scheduled and tracked by the Information Security Officer or their designee.
      2. Targeting Campaigns will be scheduled as follows:
        • The frequency may be one-time or recurring
        • Target activity will be tracked for a period of a least seven days after the campaign is launched
  1. User Compliance Testing Requirements:

Targeted users who fail the simulation shall be required to complete the following steps:

    1. Automatic enrollment in online course remediation as defined by the Information Security Officer.
    2. Users will have ten days to successfully complete the remediation course.
  • Users who fail to complete the remediation course in the allotted time will be subject to the following:
      1. A first email reminder from the Information Security Officer to complete the course within 2 business days of notification by the Information Security Officer that they are in default.
      2. Second email reminder, should the user not complete their course remediation will include a copy to their Supervisor/Department Head that their CNU ID/password will be disabled within five days of receipt of the email notification for failure to complete the remediation course.
      3. User accounts will remain disabled until the remediation course is successfully remediated.
  1. PHISHING SIMULATION VIOLATION GUIDELINES:

Users who are found to repeatedly fail simulations (or real world phishing attempts) will be subject to the following:

  1. First violation, the user will receive automatic email notification of automatic enrollment in remediation training.
  2. Second violation, the user will be notified by the Information Security Officer with a copy to the supervisor/department head.
  3. Third violation, the user, be notified by the Information Security Officer with a copy to Supervisor/Department Head and Vice President.  Any follow on violations or failures of simulations may result in their account being disabled and/or disciplinary action.

Recommendations


  1.  What constitutes a Phishing simulation “fail”:
    1. Users who click on embedded links will result in a fail and automatically enroll in a remediation training course.  


    1. Note:  Do not click on links in email messages unless you are 100% certain they lead somewhere you want to go. The messages look legitimate. The links lead to fake websites that will try to steal your password or credit card number. Always hover over a link in an email message before you click on it.
  • Tips: 
    1. Verify the sender is legitimate by hovering over the from address
    2. Contact the purported sender by phone or send a separate email to verify they sent the email.  
    3. Do not forward the suspected email to other users and ask the recipient if it’s valid
    4. Mark suspect emails as “Spam” or “Phishing” in Gmail



  1. Users who open attachments will result in a fail, and automatic enrollment in a remediation training course. 


    1. Note:  Do not click on attachments in email messages unless you are 100% certain they lead somewhere you want to go. The messages look legitimate. The links lead to fake websites that will try to steal your password or credit card number. Always hover over a link in an email message before you click on it.
  • Tips: 
    1. Verify the sender is legitimate by hovering over the from address
    2. Contact the purported sender by phone or send a separate email to verify they sent the email.  
    3. Do not forward the suspected email to other users and ask the recipient if it’s valid


    1. Users who forward suspect emails will result in a fail and will be required to enroll in remediation training.
      1. Note:  Forwarding suspect spam emails increases the chances that the phishing attempt will lure in additional users.  
  • Tips: 
      1. If you received a suspicious email, COPY and PASTE the message body into a Help Desk ticket at https://help.cnu.edu and a member of the ITS staff will review it. 
  • No labels