Every faculty and staff member has an obligation to do their part in protecting sensitive information and IT systems at the University of Tennessee. To ensure the safety of user information, computers, and IT Systems, the University of Tennessee offers access to “Securing the Human,” a training program that provides security awareness training to all faculty and staff members across campus. UT Policy IT0123 (effective October 10, 2014) establishes guidelines for maintaining the security skills of the organizational users, IT personnel, and security staff.
What is Securing the Human?
Securing the Human is an online computer-based security awareness and training program that provides faculty and staff with the materials they need to engage in informative and efficient security training. The training is an excellent opportunity for departments to ensure their staff is aware of cyber security threats and issues. Securing the Human is produced by SANS, one of the most trusted and by far the largest source for information security training and security certification in the world.
The training consists of a number of videos that cover specific security topics. The videos range anywhere from 1 to 5 minutes in length and are intended to raise awareness and influence user behavior that will reduce security risks. The training allows the users to complete the training at their own pace, monitor their progress, and revisit completed training.
Securing the Human: Core Training Videos
(In addition to the “Introduction” and the “End” modules, users are assigned the following core modules along with specific modules based on their affiliation to the university.)
You Are The Target
Employees often believe they are not a target, thus exposing organizations to tremendous risk. This module addresses that misconception by explaining how employees are under attack and why. In addition, the video explains that this training will not only protect employees at work, but at home as well. This engages people, helping ensure the success of the organization’s security awareness program.
Many of today’s most common cyber attacks are based on social engineering. As such, this video explains what social engineering is, how attackers fool people and what to look out for. The video then demonstrates a common social engineering attack. It finishes with how people can detect these attacks and how to respond to them.
Email and Instant Messaging
One of the primary means of attacks and exploitation is through email. Email is used for both simple, large scale attacks and more targeted spear phishing attacks. This video explains how these attacks work, including recent examples of phishing, spear phishing, malicious attachments and links and scams. It then explains how to detect and stop these attacks.
The browser has become the gateway to the Internet; it is the primary tool that employees use for online activity. As such, browsers and their plugins have become a common target for attackers. This video teaches people how to browse safely, including keeping the browser and plugins updated, avoiding bad neighborhoods and being careful of and scanning what they download.
Social networking sites have exploded in popularity, with staff sharing all sorts of private information about themselves and work. Cyber attackers know this and use this information for identity theft, spreading malware, scams and even targeted attacks. This video discusses these risks and the steps employees can take to protect themselves and the organization.
Mobile Device Security
Today’s mobile devices (like tablets and smartphones) are extremely powerful. In most cases, these devices have the same functionality, complexity and risks of a computer, but with the additional risk of being highly mobile and easy to lose. This video covers how to use mobile devices safely and how to protect the data on them.
Passwords are the keys to the kingdom and employees must guard them well. This video covers what passwords are, why they are important and what makes a strong password, with an emphasis on passphrases. In addition, the video covers how to protect and safely use passwords, including the use of different passwords, password managers and not sharing passwords with others.
Organizations have a tremendous amount of sensitive information that they must take extra steps to protect. This video explains these steps, including the use of only authorized systems to store or process sensitive information, restrictions on transferring or sharing such information and requirements for securely disposing of sensitive data.
Often, the most common way employees connect to the Internet is through wireless connectivity, usually Wi-Fi. This video discusses the risks of public Wi-Fi and the steps that employees can take to protect themselves. In addition, the video explains that only authorized Wi-Fi access points with prior management approval can be deployed within your organization.
For many organizations, employees are no longer working at the office. Instead, they work from home or on the road while traveling. Since organizations no longer have physical control of the user’s work environment, there are unique risks. This module focuses on how these employees can protect themselves, including laptop security and creating a secure, mobile working environment.
No matter how effective a security team and their processes are, there will be incidents. This video focuses on how employees can identify and report an incident. We cover things to look for, such as suspicious activity or virus alerts, and whom to report an incident to.
Personal Identifiable Information [PII]
This video explains what PII is and the extra steps employees must take to protect both it and other confidential information. Examples include use of encryption, use of personal email accounts, the sharing of sensitive information, using only authorized systems to store or process sensitive information, and securely disposing of sensitive data.
Custom Training Programs
The University of Tennessee encourages its employees to complete the 12 core training videos; however, Securing the Human offers over 40 training videos. Upon request, training programs can be tailored to more specific audiences or departments. To request a modified training program, please contact the Information Security Office through the OIT HelpDesk contact form.