Cyber Security Training and Awareness Policy
Scope
All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described in college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees is governed by its Bylaws.
Policy
- New employees must complete an assigned awareness training program within 30 days of hire.
- All those with an individual CC account must complete an assigned awareness training program annually. CC will test the efficacy of the security awareness training program through periodic social engineering exercises.
- Specialized Training: some departments, such as HR, Finance, Leadership, Security Management, and IT, may have unique security needs. You might need additional training if you're in one of these teams. The Administration will specify these needs, and the training must be completed on the same timeline as the general Security Awareness Training.
- Supplemental training may be required in certain situations:
  - Security breaches that are tied to an individual's CC account.
  - Departments with regulatory compliance requirements, such as FERPA, GLBA, and PCI DSS.
  - Failure of a simulated security challenge, defined as taking one or more of the following actions on a simulated phishing test:
    - Clicking on the link in the phishing test
    - Opening an attachment from the phishing test
    - Replying to a phishing test email
    - Entering data on a phishing email landing page
    - Transmitting any information as part of a vishing (phone phishing) test
  - A significant shift in job responsibilities that demands heightened security knowledge.
Procedures
How to report phishing if you see a malicious message in your inbox
- Individual email clients (Outlook, Apple Mail, Thunderbird, etc.) may or may not have a built-in phishing report button. If your email client has one, you can use it. Otherwise, the supported method is to log into your CC mail directly via the CC website. Select the mail in question and then use the "Report" button.
Consequences for failing to complete training
- If an employee misses the security training deadline, ITS will ask the employee’s direct supervisor/Student Conduct Office to require that person to take the training, and will provide a 2-week extension of the deadline before account suspension is initiated.
- If the end-user does not complete the training within the 2-week extension, ITS will suspend the end-user’s account.
- To restore access, end-users must contact the ITS Solutions Center and explain they need access to complete the training.
- Once access is re-established, there is a 48-hour window to complete the training. Failure to do so will lead to another suspension.
- Subsequent reactivation requires approval from HR/Student Conduct Office or the immediate supervisor.
Security Testing Through Simulated Exercises
From time to time, we'll simulate potential threats. These could be deceptive emails (phishing), misleading phone calls (vishing), or on-site assessments.
- Timing of Tests: The exact timing remains unpredictable. Just as real-world security threats pop up when we least expect them, our tests will too.
- Subjects of Testing: While everyone will get tested, sometimes we zoom in on specific departments or folks, especially if we've noticed a specific risk or other institutions are reporting a heightened risk in specific areas.
- Purpose: After our drills, we look at how we did. We'll provide more training where needed.
Inadequate Performance in Security Exercises
- Failures may mandate additional training or coaching
- Repeated inadequacies will lead to supervisor notification and intensified coaching measures
- Accruing three consecutive "Pass" evaluations will initiate a de-escalation in coaching intensity
What Counts as a "Failure"?
Generally, interacting with an actual phishing message in any way (other than opening it, which is unavoidable in many cases) damages CC. We need you to be able to tell a phishing message from a legitimate one, so our tests are based on real phishing messages that have been turned into tests. Accordingly, a failure on our test is any of the following circumstances.
- Not finishing required training on time
- Not passing a security test (those fake “drill” emails or calls)
- Examples of failing a security test:
  - Clicking on a link in a test email.
  - Responding with any details to that email.
  - Opening a fake attachment.
  - Turning on macros in a test attachment.
  - Filling in details on a fake webpage from the test.
  - Sharing any information during a fake phone call (vishing).
- Even if there are many missteps in one test, we'll only count it as one "failure."
Sometimes, we might decide that a recorded "failure" was a mistake. If that happens, it won't count against you.
The following table outlines the penalty for failures. The CC ITS team may take steps not listed here to reduce an individual's risk to Colorado College.
*Note that employees are held to a higher standard than other accounts because of their level of access to sensitive and restricted data.
| Failure Count | Resulting Level of Remediation Action |
|---|---|
| First Failure | End-user notified and their mistake is explained to them, along with noting that this counts as a failure and subsequent failures will have consequences. |
| Second Failure | Supervisor notified. End-user attends additional training. |
| Third Failure | End-user and supervisor attend in-person training with CC ITS. |
| Fourth and subsequent Failures | Additional training/technical controls at the discretion of leadership. HR initiates disciplinary action, including but not limited to suspension and/or termination. |
Evaluating Employee Risk Profiles
This section outlines various scenarios that might increase the risk profile of a CC end-user. Those with a high risk profile may be subjected to more advanced social engineering tests and might receive more frequent or specialized training and testing.
- The end-user's email appears in a recent Email Exposure Check report.
- The end-user holds an executive or VP role, making them a high-value target.
- The end-user has access to substantial CC confidential data.
- The end-user utilizes their personal mobile phone for work tasks.
- The end-user can access considerable Protected Health Information (PHI).
- Publicly available personal information about the end-user is accessible on the Internet.
- The end-user has previously fallen prey to information security breaches.
- The end-user has had repeated violations of CC policies.
What counts as a "Pass"
At CC, when our team members take the right steps, it's noted as a "Pass." Here's what you can do to earn one:
- Training: Finish the security awareness training within the time given.
- Spotting Fake Attacks: If you identify a phishing email, report it by forwarding it to its@coloradocollege.edu with the phrase “scam report”.
- Avoiding Mistakes: Not slipping up during a security test (like not falling for our test emails) counts as a Pass.
Responsibilities and Accountabilities
A structured approach to information security is critical for the organization. Here's a breakdown of the roles and responsibilities associated with this policy:
Chief Information Officer (CIO):
- Holds accountability for orchestrating an effective security awareness and training program.
- Ensures all employees are informed and equipped to safeguard both the organization's and our community members' digital assets.
Information Technology Services (ITS):
- Crafts and sustains an extensive collection of information security guidelines, which encompasses this policy.
- Collaborates with other departments to facilitate proper awareness and training sessions. These sessions are aimed at enlightening staff about their duties, as outlined in various policies, regulations, contracts, and more.
Managers:
- Ensure teams under their purview actively participate in security training and awareness initiatives.
- Ensure that all employees under their charge are up-to-date with their required training.
All employees, contractors and volunteers:
- Personally responsible for completing all mandated security awareness training modules.