Information Security Awareness Training JAN2021 Tb - Paul Mitchell Schools


3/11/21

Gramm-Leach-Bliley Act (GLBA)

A federal law that mandates that higher education facilities protect the security, confidentiality, and integrity of student information (including Future Professionals and graduates).

The objectives of GLBA training are to educate staff on:
- Requirements of the GLBA
- How to identify Future Professional information
- How to safeguard Future Professional information

The GLBA requires the school to:
- Ensure the security and confidentiality of student information (including Future Professionals and graduates)
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to Future Professionals or graduates

All Paul Mitchell school staff and ownership must follow all GLBA rules (including partner and corporate schools). All team members employed by the school, either part-time or full-time, must follow all GLBA rules.

Future Professional/graduate information is defined as "any record containing nonpublic personal information about a Future Professional or graduate of a Paul Mitchell School, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the school." This is known as Personally Identifiable Information (PII) or Controlled Unclassified Information (CUI).

Paul Mitchell Schools must safeguard all financial information in their possession, "regardless of whether such information pertains to individuals with whom Paul Mitchell Schools have a professional relationship, or pertains to the Future Professionals of other higher learning institutions that have provided such information to another financial or learning institution."

Examples: applicants, parents, staff, faculty, some vendors

Examples of financial information:
- Credit card account numbers
- Bank account numbers
- Income histories
- Credit histories
- Social Security numbers
- Tax returns and associated forms

Risks to that information:
- Unauthorized access of financial information by third parties
- Unauthorized transfer of data to third parties
- Interception of data during transmission
- Physical loss of data due to disaster or theft
- Compromise of computer system security
- Identity theft

Check references before hiring new team members. Train team members to identify and properly collect and maintain Future Professional and graduate information. Basic steps include:
- Using password-protected screensavers
- Changing passwords frequently (and not posting passwords at or near computers)
- Locking rooms and file cabinets where paper records are maintained
- Encrypting Future Professional information if it must be e-mailed (7-Zip)
- Recognizing fraudulent attempts to obtain Future Professional information (common sense)
- Referring requests for Future Professional information to designated team members (Financial Aid Leaders/Admissions Leaders)

Limit access to Future Professional information to only those team members who have a business reason for handling the information, and only to the extent that they need it to do their jobs.

To avoid risks in operations concerning information systems (including network and software design, information processing, storage, transmission and disposal), the Federal Trade Commission (FTC) suggests, in part, that Paul Mitchell Schools (and any school) follow these key points.

Store records in a secure area. For example:
- Store paper records in a locked room when such records are unattended.
- Keep archived data secure by keeping them in a physically secure area or storing them in a safe backup system.
- Ensure that storage areas are protected against physical hazards such as floods and fire.
- Don't store Future Professional information on a computer without a complex password or in open, unlocked files.

When collecting or transmitting Future Professional information, provide for easy-to-understand and secure data transmission:
- Use a Secure Sockets Layer (SSL) or other secure connection for transmitting and collecting sensitive financial information (such as credit card information).
- If staff must use email to transmit sensitive financial information, ensure that the content is encrypted and password-protected (use 7-Zip).
- Caution Future Professionals against transmitting sensitive financial information via electronic mail.

Dispose of Future Professional information appropriately and securely. For example:
- Shred Future Professional information and store it in a secure area until it is disposed of.
- Erase all Future Professional information from computers, diskettes, hard drives, or other electronic media when disposing of these items.
- Destroy all hardware that is to be disposed of.
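The "encrypt with 7-Zip before e-mailing" step above (also listed among the basic safeguards earlier) as an added PowerShell example for Windows 10 staff; this is not code from the training deck. It assumes 7-Zip is installed at its default path, and the file paths are constructed placeholders.

```powershell
# Added example (not from the training deck): wrap a file containing Future
# Professional financial information in a password-protected 7-Zip archive
# before it is attached to an e-mail, then verify the archive opens.
# Assumes 7-Zip is installed at its default location; adjust $SevenZip if not.
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
$Source   = 'C:\FinancialAid\aid-summary.xlsx'   # placeholder: the file that must be sent
$Archive  = 'C:\FinancialAid\aid-summary.7z'     # placeholder: what actually gets attached

if (-not (Test-Path $SevenZip)) { throw "7-Zip not found at $SevenZip" }
if (-not (Test-Path $Source))   { throw "Source file not found: $Source" }

# Prompt for the password so it is never written into the script or saved in
# shell history. Share it with the recipient by phone, never in the same e-mail.
$Secure = Read-Host -Prompt 'Archive password' -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password
if ($Plain.Length -lt 12) { throw 'Use a password of at least 12 characters' }

# a       = add files to an archive
# -t7z    = 7z container (content is AES-256 encrypted when -p is given)
# -mhe=on = also encrypt the archive header, so the file names inside cannot be
#           listed without the password (a plain -p would leave names visible)
& $SevenZip a -t7z -mhe=on "-p$Plain" $Archive $Source | Out-Null
if ($LASTEXITCODE -ne 0) { throw '7-Zip could not create the archive' }

# Test the archive with the same password before attaching it to the message.
& $SevenZip t "-p$Plain" $Archive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Archive failed verification; do not send it' }

# Drop the plaintext password from the session once the archive is verified.
Remove-Variable Plain
Write-Host "Encrypted archive ready to attach: $Archive"
```

Only the .7z file is attached; the original file stays where it is stored, and the password travels by a separate channel.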

To avoid risks in operations concerning information system failures (including the prevention, detection, and response to attacks and intrusions), the FTC suggests, in part, that Paul Mitchell Schools maintain current controls by:
- Installing anti-virus software that updates automatically (if you have Windows 10, you're set!)
- Maintaining current firewalls (speak with your IT vendor or with the PMAE IT Team for corporate schools)
- Regularly checking with software vendors to install patches that correct software vulnerabilities (speak with your IT vendor or with the PMAE IT Team for corporate schools)
- Following a written plan to address any breaches of physical, administrative, or technical safeguards
- DO NOT ALLOW STAFF TO USE PERSONAL HOME LAPTOPS or IPADS

Other suggestions for managing system failures are:
- Back up all Future Professional information regularly.
- Combine the use of passwords and personal identifiers to authenticate the identity of Future Professionals who attempt to transact business electronically.
- Notify the Information Security Program Coordinator (School Owner or School Director) so that he/she may notify Future Professionals if their nonpublic personal information is subject to unauthorized access, loss, or damage.

If you receive a request for a Future Professional's financial information, refer the requestor to those school staff who have undergone information security training.
- If you suspect an attempt to fraudulently obtain a Future Professional's financial information, immediately report the attempt to the Information Security Program Coordinator (Owner or Director).
- If you are still unsure, contact the PMAE IT Department at support@paulmitchell.edu or the Support Portal at https://support.paulmitchell.edu

Review (true or false):
1. The GLBA mandates that higher learning institutions safeguard Future Professionals' financial information.
2. According to the GLBA, Paul Mitchell Schools must protect Future Professionals' financial information that is maintained on hard disks, printed files, and on computers.
3. According to the GLBA, Paul Mitchell Schools must protect Future Professionals' financial information that is printed on paper.
4. Any staff member should place paper listings of Future Professionals' financial information in campus trash cans when he/she no longer uses the information contained in the paper listing.
5. Any staff member should place hard disks that contain Future Professionals' financial information in campus trash cans when he/she no longer uses the information contained on the hard disks.
6. Future Professional information may be appropriately stored in an area which has flooded several times in the past, but which has been properly cleaned each time.
7. Staff may freely transmit financial information to Future Professionals and other staff via email.
8. If Future Professionals' financial information is stolen, then staff should keep this occurrence to him/herself so as not to cause disruption to the school.
9. Staff should take affirmative steps to avoid risks in Paul Mitchell Schools operations.
10. If any staff member believes that Future Professionals' financial information has been or may be inappropriately released, then the staff member should contact the School Owner or School Director for his/her school.

Standardized Security Framework: NIST SP 800-171

The new standard for information security is published by the National Institute of Standards and Technology (NIST). The Special Publication, or "SP", is SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (our schools). NIST Special Publication 800-171 defines the security requirements (controls) required to protect CUI in nonfederal information systems and organizations.

Information systems that process, store, or transmit CUI may be federal or nonfederal. When federal (including contractors operating on behalf of the school), agency security requirements are applied. When non-federal, SP 800-171 security requirements are applied.

NIST 800-171: The Simple Version
1. Access Control: Who is authorized to view this data?
2. Awareness and Training: Are people properly instructed in how to treat this info?
3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
4. Configuration Management: How are your networks and safety protocols built and documented?
5. Identification and Authentication: What users are approved to access CUI, and how are they verified prior to granting them access?
6. Incident Response: What's the process if a breach or security threat occurs, including proper notification?
7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
9. Physical Protection: Who has access to systems, equipment, and storage environments?
10. Personnel Security: How are employees screened prior to granting them access to CUI?
11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
14. System and Information Integrity: How quickly are possible threats detected, identified, and corrected?

Cyber Security Risk Matrix
- This should be done annually or any time there is an incident, such as a virus infection.
- Use the Risk Assessment Matrix.
- If matrix totals are greater than 25, use the Policy Adjustment Form and contact your IT vendor or PMAE IT Team for guidance on how to improve your current policies and training.
- Note any policy changes and improvements and keep them on record, as this is required for your school's audit.
- This is not a complicated effort; just use common sense and judgement.
- When in doubt, ASK!

Security Breach Incident Report
- Each time there is a security breach or IT incident, fill out the Security Breach Incident Report Form.
- Involve your School Owner and School Director and (if needed) your IT team to ensure best practices are followed.
- Include as much detail as possible, and attach extra pages describing the incident if needed.
- The detail and sequence of what happened is more important than filling out the form perfectly. Again, we just need to know what happened so it can be fixed.

Staff Training
- Training for any newly hired staff is required for any position in the school. Yes, even the janitors (they can be the best eyes!).
- Take the US Department of Education Requirements: Information Security course on the training site: https://training.paulmitchell.edu.
- Team members' certificates of completion are to be kept in their files for audit records. This is required.
- All team members must review and understand the Gramm-Leach-Bliley Act Security Plan and sign and date it with the School Owner and School Director. This is to be kept in the team member's file and annually updated.

Equipment Policy and Disclosure
- Each team member should sign and review the Company Equipment Policy and Disclosure.
- This should be reviewed annually with all staff to ensure they understand the proper use of company equipment.
- Each team member should review and sign the Use of Personal Devices for Work policy. Staff and School Owners/School Directors should then sign the policy, and it should be filed for audit purposes.

Use of Personal Devices for Work
- PMAE does not endorse nor support the use of ANY personal devices for school work.
- Staff should work with their School Owner/School Director to best accommodate the use of work machines.
- Personal devices can be easily compromised if other family, friends, children, etc., access and use the device.
- PMAE recommends that schools issue or assign a machine for staff to use for work products and purposes.
- Personal machines used for work are highly dangerous and WILL COMPROMISE your school's security.
- Staff should sign and understand the Use of Personal Devices for Work policy.

Cyber Security Forms
- Company Equipment Policy: Should be read and signed by all staff (at the time of hire and annually) and kept in the employee file.
- Gramm-Leach-Bliley Act Security Plan: Should be read and signed annually by all staff and School Owners/School Directors and kept in the employee file.
- Personal Equipment Policy and Disclosure: Should be read and signed annually and kept in the employee file.
- Use of Personal Devices for Work: Should be read and signed annually and kept in the employee file.
- Risk Assessment Matrix: Should be used annually and each time there is an incident by an appointed team member to inspect cyber security operations in the school.
- Policy Adjustment Form: Should be used by an appointed staff member each time the risk matrix threshold is exceeded.

Final Quiz: Information Security (True or False)
1. Hacking, cybersecurity, and identity theft are on the decline, so awareness should be relaxing as time goes by.
2. A student's phone number and home address are publicly available, so they are not considered CUI or PII and are not under the strict guidelines of the GLBA.
3. Janitors, product distributors, and other third-party vendors are under staff requirements if they have access to CUI or PII.
4. It's perfectly fine to allow staff to use and leverage their personal devices so they can easily remote in and work from home. It's much safer to access CUI and PII from a home device.

5. Currently, there is not a governing body like NIST to oversee a school's cybersecurity requirements.
6. Our school is required to train staff on a regular basis regarding cybersecurity and GLBA.
7. New hires to our school are exempt from Information Security Awareness Training.
8. NIST SP 800-171 is the special publication that covers school requirements regarding cyber security.

