Purpose
The purpose of this standard is to improve the cybersecurity awareness and resilience of all university members by conducting simulated phishing attacks. These simulations aim to educate and train individuals to recognize and appropriately respond to phishing attempts, thereby reducing the risk of successful phishing attacks.
Scope
This standard applies to all faculty, staff, students, and any other individuals with access to the university’s information systems.
Definitions
- Phishing: A fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity in electronic communications.
- Phishing Simulation: A controlled exercise where simulated phishing emails are sent to users to test their awareness and response to phishing attempts.
Standards
- Simulation Frequency: Phishing simulations will be conducted at least semi-annually.
- Notification: Users will be informed that phishing simulations are part of the university’s cybersecurity training program, but specific details of each simulation will not be disclosed in advance.
- Data Collection: Data on user responses to phishing simulations will be collected and analyzed to identify areas needing improvement.
- Confidentiality: Individual user responses will be kept confidential and used solely for training and improvement purposes.
- Training: Users who fall for simulated phishing attacks will be required to complete additional cybersecurity training.
- Reporting: Aggregate results of phishing simulations will be reported to the university’s UCSS security team and relevant stakeholders.
Roles And Responsibilities Regarding Enforcement
- UCSS Security Team: Responsible for designing, executing, and analyzing phishing simulations.
- Department Heads: Ensure that their teams participate in the required training and adhere to the standard.
- All Users: Participate in phishing simulations and complete any required follow-up training.
Non-Compliance And Exceptions
Non-compliance with this standard may result in disciplinary action, up to and including termination of access to university information systems. Exceptions to this standard may be granted on a case-by-case basis by the UCSS security team, subject to review and approval.
Applicable UL Lafayette IT Policies:
Comprehensive Information Security Program:
http://helpdesk.louisiana.edu/sites/helpdesk/files/UL%20Lafayette%20Comprehensive%20Information%20Security%20Program%20-%202014.pdf
Related UL Lafayette IT Policies And/Or Standards:
RESPONSIBLE OFFICE: Information Technology
APPROVAL AUTHORITY: Gene Fields, Chief Information Officer
STANDARDS MANAGER: UCSS Security
CONTACT: abuse@louisiana.edu
EFFECTIVE DATE: 01/01/2025
NEXT SCHEDULED REVIEW: January 2026
REVISION HISTORY:
Date | Change Description
11/05/2024 | Kin Cheung (Initial Draft Submitted)