Compliance with this policy is mandatory for all staff, including contractors and executives. The Hendrix College Technology Services department will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises.
The penalties for non-compliance are described in Section 4 of this policy.
- Non-Compliance Actions
Certain actions or non-actions by Hendrix College personnel may result in a non-compliance event (Failure).
A Failure includes but is not limited to:
- Failure to complete required training within the time allotted
- Failure of a social engineering exercise
Failure of a social engineering exercise includes but is not limited to:
- Clicking on a URL within a phishing test
- Replying with any information to a phishing test
- Opening an attachment that is part of a phishing test
- Enabling macros that are within an attachment as part of a phishing test
- Allowing exploit code to run as part of a phishing test
- Entering any data within a landing page as part of a phishing test
- Transmitting any information as part of a vishing test
- Replying with any information to a smishing test
- Plugging in a USB stick or removable drive as part of a social engineering exercise
- Failing to follow College policies in the course of a physical social engineering exercise
Certain social engineering exercises can result in multiple Failures being counted in a single test. The maximum number of Failure events per social engineering exercise is two.
The Hendrix College Technology Services department may also determine, on a case-by-case basis, that specific Failures are false positives and should be removed from that staff member's total Failure count.
- Compliance Actions
Certain actions or non-actions by Hendrix College personnel may result in a compliance event (Pass).
A Pass includes but is not limited to:
- Successfully identifying a simulated social engineering exercise
- Not having a Failure during a social engineering exercise (Non-action)
- Reporting real social engineering attacks to the Technology Services department
- Removing Failure Events through Passes
Each Failure will result in a Remedial training or coaching event as described in Section 4 of this document. Subsequent Failures will result in escalation of training or coaching. De-escalation will occur when three consecutive Passes have taken place.