Phishing Escalation Process

Summary

  • Staff are tracked based on how many failures they have had in a 12-month period (logs will be kept annually to monitor trends)
  • Clear actions required for each subsequent failure are documented in “3.5b ICT Policy for Staff” as an appendix. See stages below.
  • Training course completion will be monitored by IT Services and the DHSM, who will follow up any non-compliance with the Line Manager. Automated reminders of required training will be sent by the system to managers and staff.
  • Add a new section to “3.5b ICT Policy for Staff” called “7. ICT Security Awareness” to replace and expand on point 6.2. Reference that regular phishing tests will be performed on staff and that remedial training and/or HR processes may be involved for repeat failures. Detail the expectations of staff, including 2FA and password complexity. Use the KnowBe4 provided ICT Security Awareness Policy as a reference for best practice.
  • A monthly report to the DHSM for monitoring, which includes the latest percentage of staff who failed the monthly test, lists of staff with high failure counts and their next steps, and, where possible, the list of any incomplete training.

Schedule of Failure Penalties

The following table outlines the penalties for non-compliance with this policy. Steps not listed here may be taken by the School to reduce the risk that an individual may pose to the company.

  • Stage 1 - Existing 5-minute automated online training, to be completed within one week of failure (automated emails copied to the Line Manager two days prior to the deadline)
  • Stage 2 - Existing 10-minute automated online training, to be completed within one week of failure (automated emails copied to the Line Manager two days prior to the deadline)
  • Stage 3 - In-person training with the Director of IT. Line Manager/HR notified
  • Stage 4 - In-person training with the Director of IT and Line Manager to identify how best to support the staff member. HR and Bursar notified for formal record keeping
  • Stage 5 - Review of capability measures with HR/Bursar. Repeated as necessary for subsequent failures.

All users move through stages 1-3, but at stages 4 and 5 the actions taken by the Line Manager and HR/the Bursar take into account the access the individual has to school systems and therefore the greater risk that user poses.

The DHSM will monitor these users using the monthly report.