Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Information Security Officer (ISO) - The Christopher Newport University employee, who is responsible for developing, enforcing and managing Christopher Newport University's information technology (IT) security program.
  2. University Faculty, Staff, Student Workers, and Volunteers - All University-Related Persons are responsible for complying with these guidelines and, where appropriate, supporting and participating in processes related to compliance with these guidelines.
  3. Vice Presidents, Deans, Directors, Department Heads, and Supervisors - All Vice Presidents, Deans, Directors, Department Heads and Supervisors must take appropriate actions to comply with all information technology and security policies. These individuals have ultimate responsibility for University resources, for the support and implementation of these Guidelines within their respective Units, and, when requested, for reporting on compliance to ISO.


  • Phishing - the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
  • Sensitive System- A Sensitive System is a term given to any IT system in which the classification is highly confidential according to Data Classification Standard.
  • Simulation- A simulation is the imitation of the operation of a real-world process or system over time.
  • Social Engineering - the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
  • University Data -University Data is any data or information that is created, owned, received, stored, or managed by Christopher Newport University.


The Commonwealth of Virginia Information Technology standard (VITA SEC 501) requires agencies to provide basic security awareness training to information system users. Users who have access to systems that are classified as “sensitive” in accordance with Christopher Newport University’s Data Classification Standard must include practical exercises in security awareness training that simulate actual cyber-attacks. Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.

    1. Users in the scope referenced above will receive random phishing simulation emails.  These simulated emails will be sent with no prior notice to the end-user, their supervisors, or departments. 
      1. Phishing email campaigns will be scheduled and tracked by the Information Security Officer or their designee.
      2. Targeting Campaigns will be scheduled as follows:
        • The frequency may be one-time or recurring
        • Target activity will be tracked for a period of a least seven days after the campaign is launched
  1. User Compliance Testing Requirements:


  1.  What constitutes a Phishing simulation “fail”:
    1. Users who click on embedded links will result in a fail and automatic enrollment automatically enroll in a remediation training course.