Security Awareness Training Program

Overview

Security awareness training is an important part of the University of Oregon's IT Security Program meant to increase users’ awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of university information resources. This training is delivered in three main ways:

1. UO Cybersecurity Awareness Training: As part of the employee on boarding process, basic security awareness training is provided by Information Services to all employees. Training content includes security basics, common threats, and how to recognize and report suspected security incidents.  This training should be completed with in 30 days of hire.
2. Regular Training Updates: As part of ongoing education, security training updates are sent by Information Services to on a periodic basis, as well as when significant information system changes occur. Updates consist of relevant security topics including information on security threats, system updates, and how to recognize and report suspected security incidents.
3. Role-Based Security Training: Employees with roles that include: traveling on official business; elevated access; or handling sensitive, confidential, or externally regulated data are provided additional training materials relevant to their specific job roles and functions
4. Simulated Phishing Educational Campaigns:  On a quarterly basis, the Information Security Office conducts a simulated phishing educational exercise for all university employees.

UO Cybersecurity Basics - recommended for all employees

As part of UO's efforts to address the increasing threats to the security of our information systems and data, we recommend UO employees take this short cybersecurity training assignment:

• UO Cybersecurity Basics Training Overview

Employees required to take this training are contacted directly via email from infosectraining@uoregon.edu with instructions.

Every member of the university community has a responsibility to safeguard the information assets entrusted to us. This training program will better prepare all of us to fulfill this responsibility and to strengthen our defenses against future attacks. Adopting behaviors that protect information benefits the university, and can benefit you and your family, as well.

In-Depth Security Topics

The following pages are designed to supplement the above Information Security Awareness Training. They provide a more in-depth review of specific cybersecurity topics. They can be used together as a comprehensive supplemental curriculum or individually to address specific areas. Each page provides tools and information about what to do and what not to do to keep your computer and data safe and secure.

• Home Computing Security Guidelines
  • Home Wi-Fi Network Security Guidelines
  • Personal Computer Security Guidelines for macOS
  • Personal Computer Security Guidelines for Windows
  • Adding Multi-factor Authentication to Personal Accounts
  • iOS Security Guidelines
  • Android Security Guidelines
• Data Handling Quick Reference
• Data Classification Quick Reference
• Data Security in UO Collaboration Tools
• Report an Computer Security Incident to the Information Security Office
  • Use the Report Phish Button to Report Phishing
  • If you can't use the Report Phish Button, Report Phishing this way
  • Report a Lost/Stolen Device
  • Report Abuse, Data Exposure, or Malware to the Information Security Office
• Tips to help determine if a suspicious email is malicious

In-Person Training

To inquire about requesting a special in-person computer security awareness training for your department or unit, please send an email to infosectraining@uoregon.edu.

Role-Based Information Security Training

Information security training needs and requirements vary based on a person's role on campus. UO's Security Awareness Training Program currently offers these other training assignments based on the access that a UO community member has to sensitive or externally regulated data, or if the UO community member travels to a restricted country while performing official duties for the university. 

Keeping Information Secure While Traveling Internationally

UO community members who travel to countries that have a high risk to information security on official university business must complete training. Individuals will be notified of this requirement by first receiving an email from Concur, the university's travel system, that notifies them of the training requirement. Secondly, the individual will receive an email from  infosectraining@uregon.edu with directions on how to access the training.

Security Awareness Resources For Travel

• Information Security recommendations before, while and after returning from traveling abroad
• FAQ for Equipment Loan while Traveling

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) or Financial Services Modernization Act of 1999, is a comprehensive, federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.

UO provides financial services to student customers. As such, UO falls within the definition of financial institution under GLBA and must comply with the law's requirements.

Individuals who process or have access to GLBA covered data must take this training annually, and will receive an email with instructions on how to access this training. Generally speaking, any employee, faculty, or staff that process customer information, including financial aid and student billing data, must take this training. Please talk to your supervisor or top-level administrator if you have questions about whether or not your position handles GLBA data.

If you are a supervisor or top-level administrator and have questions about whether or not GLBA applies to your department, please email infosectraining@uoregon.edu.

Security Awareness GLBA Resources

• The University of Oregon GLBA Resources Page

Health Information Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patent's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The following types of individuals and organizations are subject to the HIPAA Privacy Rule and considered covered entities:

• Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
• Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
  • Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
• Healthcare clearinghouses: Entities that process non-standard information they receive from another entity into a standard (e.g., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
• Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.

Individuals who process or have access to HIPAA-covered data must take this training annually. If you need this training or think you need this training please talk to your supervisor or or top-level administrator about whether or not your position handles HIPAA-covered data. Individuals enrolled in this training will receive an email with directions to access the training platform.

If you are a supervisor or top-level administrator and have questions about whether or not HIPAA applies to your department, please email infosectraining@uoregon.edu.

Security Awareness HIPAA Resources

• The University of Oregon's HIPAA Privacy Team
  • Individual Privacy Rights under HIPAA
  • HIPAA Business Associates
• HIPAA and Human Subjects Research
• How to verify if your Zoom account is in the UO HIPAA Zoom Tenant

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), this standard aims to secure credit and debit card transactions against data theft and fraud. While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions.

Individuals who process or store credit card transactions must take this training annually. If you need this training or think you need this training please talk to your supervisor or or top-level administrator about whether or not your position handles PCI DSS covered data. Individuals enrolled in this training will receive an email with directions for accessing the training.

Security Awareness PCI DSS Resources

• Payment Card Acceptance from Business Affairs
• The University of Oregon Payment Card Acceptance Policy
• Report Suspected Identity Theft (Red Flags Rule)

Simulated Phishing Educational Campaigns

The Information Security Office (ISO) carries out quarterly simulated phishing educational campaigns. These simulations will mimic real-world phishing attacks, which:

• request personal data (for example, passwords, credit card information, and bank account details);
• ask you to click on a malicious link or view/download a malicious attachment; and/or
• urge you to take an action that could compromise our organization in some way (for example, by executing a fraudulent wire transfer or sending sensitive data to a threat actor)

As is the case with real phishing emails, our simulations may include logos and brand identifiers from known and trusted organizations. Do not contact the external organization directly when you receive a suspicious email. Instead, use the "Report Phish" button in Outlook, or forward the message to phishing@uoregon.edu to report it to the ISO.

Additional Specialized Training Resources

• Student Records Privacy Policy - This is UO policy that covers the privacy of student records
• Registrar's website for Student Privacy - While the UO Policy (above) takes precedence, this website gives useful information about what data is regulated under FERPA and how it may be used
  • Office of the Registrar's education record release process
• Information from US-CERT about home computer security
• Online Cybersecurity Training from the US Department of Homeland Security - free of cost to government employees, including UO employees
  • Course list
  • Request an account
  • FAQ
• Free courses from FedVTE, without login, and available to the public
• LinkedIn Learning is available to students and employees of the university
• For employees, additional training resources are delivered through MyTrack

Requesting Help

Please submit a ticket to the Security Awareness Training Support Service.