Regular Mock Phishing Assessment

To continue exercising due diligence and commitment to the Office of the Privacy Commissioner for Personal Data (PCPD), ITSC will continue educating colleagues and students on phishing attacks through regular mock-phishing exercises. Two such exercises are held annually to raise awareness.

 

Enforcement

As endorsed by the University’s IT Governance Committee, starting from 2025, those who fail the simulation must complete an online quiz within 14 days to prevent disruption to their Wi-Fi and VPN access. This enforcement aims to raise awareness and help individuals stay vigilant against phishing attempts.

 

1. Regular Mock Phishing Assessment

The assessment arrangement is as follows:

Assessment Exercise

  • Maximum no. of cycles: twice a year
  • Templates: 4 email templates for each cycle
  • Email distribution: Each staff / student will receive 1 email template for each cycle

Training (applicable to staff/student who got phished)

  • After each round of the exercise, staff and students who got phished are required to go through the training materials and complete an online quiz by answering 3 questions.
  • The online quiz has to be completed within 14 days; otherwise, your Wi-Fi and VPN usage will be suspended until you have completed the quiz.

Reporting

  • Provide a report on the assessment results and training status of each run to the University and Faculties

 

2. Schedule

Tasks: 2 Rounds Mock Phishing Exercise

  • Conduct Mock Phishing Exercise
  • Online Quiz

Schedule: Every Q1 & Q4

 

3. Background

  • In May 2017, the Office of the Privacy Commissioner for Personal Data (PCPD) requested the University to consider adopting additional measures, such as mock phishing exercises, to raise employees’ awareness of phishing attacks, in addition to other corrective actions and preventive measures for personal data protection.
  • In 2018, ITSC deployed a vendor solution and conducted 4 rounds of mock phishing exercises for all CUHK staff members to simulate phishing attacks.
  • During 2019-2021, ITSC conducted another cycle of mock-phishing exercises with a new arrangement requiring anyone who was baited to take a compulsory quiz.
  • From 2022, in order to continue exercising due diligence and commitment to PCPD, ITSC would continue reminding and educating colleagues on phishing attacks by conducting regular mock-phishing exercises.
  • From 2023, the regular mock-phishing exercise is extended to all students as well.

 

 

Published on Feb 2022

Last updated on Nov 2024