Policy of Mock Phishing Assessment (2019-21)

1. Background

In May 2017, the Office of the Privacy Commissioner for Personal Data (PCPD) requested the University to consider the adoption of additional measures, such as mock phishing exercise, to raise employees’ awareness of phishing attack, in addition to other corrective actions and preventive measures for personal data protection.
In 2018, ITSC deployed vendor solution for 4 rounds of mock phishing exercises for all CUHK staff members to simulate phishing attack.
During 2019-2021, in order to continue exercising the due diligence and commitment to PCPD, ITSC would conduct another cycle of mock-phishing exercise with a new arrangement on taking a compulsory quiz if one is being baited.

2. Mock Phishing Assessment (2019-21)

To continue exercising the due diligence and commitment to PCPD, another cycle of mock-phishing exercise would be conducted with new arrangement on taking a compulsory quiz if one is being baited.

Assessment Exercise

Exercise Period: 2 years
Maximum no. of run: Twice a year
Templates: 4 templates for each run
Email distribution: Each staff will receive 1 email template for each run

Training

Training would be provided for new staff
After each round of the exercise, the staff who got phished will be asked to go through training materials and to complete an online quiz

Reporting

provide report of each run on assessment results and training status to University and Faculties

To continue reminding and educating staff on phishing attack so that they will always on high alert.

3. Schedule

Tasks	Schedule
Preparation & UAT (Done)	Sep-Oct 2019
Raise Proposal to IT Governance Committee	May 2020
Make announcement to all staff	Jun 2020
4 Rounds Mock Phishing Exercise Conduct Mock Phishing Exercise Online Quiz* Onsite Training Session Notes : After each round of the exercise, the staff who got phished will be asked to go through training materials and to complete an online quiz.*	Jul 2020-Jun 2021

Published on May 2020