
Phishing Security Assessment Policy

Policy Purpose

The purpose of this policy is to establish clear procedures for conducting email phishing assessments at the University of Arkansas-Fort Smith. These assessments aim to evaluate the susceptibility of employees to phishing attacks, enhance their awareness of potential threats, and ensure the continuous improvement of the University's security measures. By defining standardized procedures, this policy promotes consistency, efficiency, and effectiveness in identifying and mitigating email phishing risks.

Policy Statement

The University of Arkansas-Fort Smith conducts regular phishing assessments to evaluate employees' vulnerability to phishing attacks and mitigate associated risks. Simulated phishing scenarios are used to gauge awareness, response, and susceptibility. Results inform targeted awareness campaigns and training programs to educate employees on phishing risks, reporting suspicious activities, and secure practices. The University continuously improves assessment methods and training to address emerging threats and enhance security. Compliance with assessments and training is expected from all employees, ensuring a proactive approach to mitigate phishing risks and strengthen overall security.

Applicability

This policy applies to all University employees.

Definitions

Phishing – A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.

Policy Procedure

1. Phishing campaigns will be conducted at regular intervals determined by IT management to enhance security awareness.
2. The Security Analyst will be responsible for developing the content of the phishing campaigns, which will then be reviewed and approved by IT Management to ensure their relevance and effectiveness.
3. After each phishing campaign, comprehensive after-action reports will be prepared and submitted to IT Management and/or Senior Staff upon their request. These reports will provide insights into the campaign's outcomes, identify areas of improvement, and offer recommendations for further strengthening security measures.
4. If training content is required, Microsoft's built-in phishing training modules will be utilized. These modules are designed to provide effective and up-to-date training on recognizing and responding to phishing attempts.
5. Cabinet Level Management will be notified regarding the implementation and evaluation of phishing campaigns, ensuring their alignment with organizational goals and security objectives.

Enforcement

This policy will be followed by the University of Arkansas – Fort Smith Security Team when performing phishing campaigns.

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

Student emails are not included in the phishing campaign.

Effective and Approved Date

This internal policy was approved by Terry Meadows – Director of IT/CIO on 6/19/2023.

Last Updated

Policy Procedure item 5 (“5. Cabinet Level Management will be notified…”) was modified by Terry Meadows – CIO on 7/1/2025.