2,006 - Information Security Awareness Training and Education

Revised: December 2022

The University protects personal data, in part, by requiring information security awareness training for all employees. Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. The University information security awareness, training, and education program ensures compliance with regulatory laws and regulations, and strives to ensure that the University community achieves and maintains at least a basic level of understanding of information security, such as general obligations under various information security policies, standards, procedures, laws, regulations, contractual terms and generally held standards of ethics and acceptable use of information resources. This is important education that employees can apply to their personal computing environment at home and at work to help protect personal information and prevent attacks. The policy mandating training for all employees who access University systems and networks requires the following:

  • General Information Security Awareness Training upon hire, and
  • Annual General Information Security Awareness Training.

All employees with access to the University’s information resources are required to undergo sufficient training to allow them to protect institutional data and computing resources adequately.

Volunteers and contingent workers who receive access to secure data will be treated as employees for the purposes of this policy and are required to take training prior to the access being granted and continuing education on an annual basis.

This policy does not replace the need for specific training required for personnel with responsibilities related to programming, administering, and securing systems and for specific University community members with access to protected data or privacy information in accordance with compliance laws and regulations, including employee and student data.

The Office of Information Technology and Human Resources are responsible for developing and maintaining a program and for providing:

  • Initial and ongoing security awareness training on acceptable use of IT resources to the University community.
  • Proper information security training as related to functional responsibilities.
  • Educational opportunities to ensure information security personnel are equipped with the necessary security skills, knowledge, and competencies.
  • Awareness of cardholder data security if the position requires handling credit card transactions.
  • Information security training that is incorporated into the new hire onboarding processes.
  • Annual information security awareness continuing education training that must be completed by all employees.
  • Specialized security training applicable to employee functions for information system security and data integration and to functional personnel with responsibilities related to administering and securing systems. Acknowledgment of having received specialized security training must be submitted to the unit Director within the appropriate department before administrative access can be given to any University systems.

Each employee has 60 days to complete the training program or else they will be deemed noncompliant with this policy. Supervisors are responsible for ensuring that their staff complete training within designated intervals. Employees who are noncompliant will be reported to the Dean or Vice President for their respective area. Continued noncompliance may result in credentials being revoked by the Dean, Vice President, or designee, beginning with access to personally identifiable information (PII) and sensitive information. Personally identifiable information (PII) is any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual. In addition, noncompliance with this policy may result in disciplinary action under University policies.

For any questions on this policy, please consult the Office of Information Technology.