2020 Archdiocese of Atlanta Employee Policy Manual/September 2020 - Manual / Resource - Page 47
PC at the chancery and make it impossible to have another remote session without
physically turning your PC back on at the office.
Security:
• KnowBe4 is the third-party vendor we hire to provide the resources to:
o Assess our user base to determine what training is appropriate,
o Train our user base to identify threats and respond to them correctly,
o Provide unannounced, internally generated phishing tests to each user to maintain basic skills competency.
o Chancery employees need to complete all (KnowBe4) security training offered by the IT department within the timeframe stated. Training is offered two ways: (1) as a monthly scheduled training requirement or (2) because of clicking on a KnowBe4-generated phishing email. If a user incorrectly clicks on one of these phishes, they will automatically be enrolled in a separate additional training.
o Noncompliance with the training requirement may result in various sanctions, up to and including dismissal. More on this can be found in the Security Awareness Training and Testing Policy.
• AoA requires complex passwords. Passwords can only be changed once per day, and a previous password cannot be reused. Passwords expire after 180 days. It is the user’s responsibility to change the password in a timely fashion so that it does not expire. Beginning 14 days prior to the expiration of the password, users will receive an automated email daily advising them of it. A complex password is 10+ characters in length and must contain at least three of these four types of characters:
o Upper case letters
o Lower case letters
o Numbers
o Symbols
• Various forms of multi-factor authentication (MFA) have also been incorporated into AoA’s login procedure to better protect all users and their data from compromise. Both Microsoft MFA and DUO authentication methods have been implemented and are required to gain access to AoA network resources.
• AoA allows access to its computing resources and requires that users identify their accounts with a username and password. Sharing user account credentials with persons other than Information Technology staff is prohibited.
• Protect Sensitive Information. In order to secure your data, you first need to have a clear understanding of what types of sensitive information your office maintains, where it is, how it flows through the organization and who has access to it. Examples of sensitive or personally identifying information are full names, Social Security numbers, credit card and financial information, tax documents, medical records/information, driver’s license numbers, passport numbers, dates of birth and email addresses. Take an inventory. Do not keep sensitive data if there is not a legitimate need for it.
• This information must not be sent through regular email. Users are encouraged to use the encrypted e-mail option in Outlook or to communicate it over the phone.