MCC Cybersecurity Policies and Procedures

Section 6.2.4 of the Commonwealth of Massachusetts’s Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states, “All personnel will be required to complete Annual Security Awareness Training."

Following the recommended practices outlined in the Commonwealth’s Information Security Risk Management Standard, Middlesex Community College conducts a college-wide information cybersecurity awareness program for MCC personnel. The college will:

  • Curate & develop appropriate training materials related to information security risks and risk management.
  • Conduct annual information security refresher training for MCC personnel and, where relevant, contractors and temporary staff.
  • Conduct phishing attack simulations on a regular basis for MCC personnel in order to ensure maximum information security vigilance.

The training program will:

  • Identify common cybersecurity risks and best practices for mitigating these risks.
  • Describe best practices for enhancing both organizational and personal security against cybersecurity attacks.
  • Explain acceptable use of information technology
  • Inform personnel about relevant policies and standards
  • Detail every individual’s accountability for each of the provisions of all policies and the underlying procedures.
  • Test each individual’s understanding of all policies and of his or her role in maintaining the highest ethical standards.

New Hire Information Security Awareness Orientation: All new personnel must complete an initial Security Awareness Training assignment. This assignment will be conducted via web-based learning and will be included in the new hire orientation checklist. The New Hire Security Awareness assignment must be completed within 30 days of new hire orientation.

The New Hire Cybersecurity Awareness orientation will include content that specifically addresses key issues in information security such as common cyberattack threats and the proper handling of private information (PII & FERPA). All new hires must read the college's Computer & Network Usage Policy and complete an Acknowledgment of Compliance form.

Cybersecurity Awareness for Teleworkers

Given the increasing numbers of MCC employees who engage in telework, the college is committed to ensuring that all employees who telework receive professional development that identifies the cybersecurity risks associated with teleworking and best practices to evade these threats.

Changes in Roles:   Personnel who transfer to new positions or roles with substantially different information security requirements will be required to complete cybersecurity training relevant to their new responsibilities. This training must be completed before the new role becomes active.

Annual Cybersecurity Awareness Training:  All personnel will be required to complete Annual Cybersecurity Awareness Training. At the start of each new fiscal year, email reminders will be sent to personnel at the beginning of a new training cycle, alerting personnel to annual refresher training completion deadlines. The college will ensure that all principles, policies, procedures and training materials are accessible by all personnel as appropriate.

The content of the cybersecurity awareness training program will be reviewed annually by the Director of Professional Development, the Director of Compliance and the acting IT Information Security Officer, so that the program stays in line with organizational policies and procedures and is built on lessons learned from information security incidents.

All MCC personnel must complete by June 30th of each fiscal year the annual information security training. Completion rates will be tracked and reported to personnel managers and college leadership. Any MCC personnel who fail to complete their training within the established training period will have their access to critical information systems (budgets, shared drives, emails) removed.

Access will not be restored until personnel can demonstrate full compliance with security training requirements.

 

Last Modified: 10/3/24