IT Security Awareness Program Guidelines
Date of Current Revision or Creation: December 1, 2020
The purpose of an Information Technology Standard is to specify requirements for compliance with the University's Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this guideline is to describe the information security awareness, training, and education program for the University.
Definitions
Data Management Group (DMG) - The group is comprised of representatives of Data Owners and technical leads at the University who are responsible for the review and operational effectiveness of data management policies and procedures.
Information Security Officer (ISO) - The University employee, appointed by the President or designee, who is responsible for developing and managing the University's information technology (IT) security program.
Information Technology Advisory Council (ITAC) - The institutional committee of faculty and staff charged with the responsibility to advise, review and recommend on matters related to information technology.
Security awareness training is comprised of formal and informal processes for educating employees and students about the University's policies and procedures for working with information technology.
Standards Statement
Security awareness, training and education programs at the University are aimed at creating an attitude of commitment to good security practices and facilitating a climate that views security rules as beneficial to the protection of the University environment.
The Information Security Officer (ISO) is responsible for developing and maintaining an Information Security Program that includes oversight of a security awareness program to promote security awareness across the campus community.
Information Security Awareness Training Program
The IT security awareness program blends formal training with periodic reminders and promotional materials to increase the understanding of vulnerabilities and threats to the University's information systems. Information security training is directed at improving the security skills and competencies of all users and provides specific content based upon specific user roles.
All users must participate in the security awareness program through training sessions that correspond to role, responsibilities and use of information technology resources. This requirement is a condition of use.
User Training for All Users
- General Security Awareness/Initial Account Training
This course is expected to increase user understanding and sensitivity to threats, vulnerabilities, and the need to protect University and personal information. All users are required to receive this training. This training is delivered on-line and is tied to the account creation process.
- Account Refresher Training
This General Security Awareness course is required annually, to refresh user understanding and sensitivity to threats, vulnerabilities, and the need to protect University and personal information. All users are required to receive refresher training and it is tied to the account renewal process. Users may also elect to receive refresher training as desired.
- General Community Awareness
General awareness is broadly available through a variety of methods and media channels. Awareness is provided through guidelines and best practices on the Information Technology Services web site, posting of notices of phishing alerts and other advisories, through awareness messages, periodically in posters, brochures, email, newsletters, flyers, giveaways, on mouse pads in computer laboratories and by videos and telecasts on Monarch Vision TV. Efforts to increase awareness using social media are ongoing. Security policies and standards are published. An online awareness page shares best practice. Security staff provides presentations to groups upon request. The ITS Help Desk staff incorporates security information into routine contacts with customers.
- Instructor-led Topical Training
Special topic presentations designed to address specific security training needs are provided. Sessions may be voluntary and are focused on a narrow topic, such as Internet Safety, Social Networking Security, 2-factor authentication, or Cyber Self Defense.
- Cyber Security Event
Along with other institutions, each October, the University participates in the National Cyber Security Alliance's National Cyber Security Awareness Month campaign to raise awareness about cyber security and online safety by highlighting precautions users can take to help protect themselves online.
Training for Security Roles
- IT Security Administrator Training
Training for those who manage, administer, operate, and design IT systems is conducted via conferences, formal training, or informal training opportunities annually as practicable and necessary.
- Security Review and Consultation
Staff from the IT Security office is available to consult with campus users on risk assessments, application reviews, vulnerability scans, rights management and information on security best practices.
Employee Roles
- Employee Security Awareness Training
This course provides an overview of compliance and is designed to explain employee responsibilities to security. Attention to IT Security policy and standards is provided with special focus on handling of sensitive data. This training is usually delivered on-line and is tied to the account management process.
- New Employee Orientation
Basic information and training materials are provided to new employees as a part of their orientation to the University.
Specialized Roles
- New Student Orientation
Basic information and training materials are provided to new students as a part of their orientation to the University.
- Remote Users Security Training
This course provides an overview of employee responsibilities when connecting to information resources from a remote location. Attention to IT Security policy and standards, securing the workstation, handling of sensitive data and incident reporting is provided. This training is delivered on-line and is tied to the VPN account management process.
- Restricted System Owner Training
System owners for systems with sensitive data or business function have an annual meeting with the ITS Security Office to review their roles and responsibilities and to refresh their system risk assessment, which constitutes a role-based awareness opportunity for this role.
- Disaster Recovery Team Training
Annual table-top exercises, weather events or cyclical planning exercises are included in awareness efforts. Major storms, business continuity events, or Business Impact Analysis events allow for training and awareness for aspects of the Information Security Program, and related policies and procedures. These opportunities are designed to prepare the members of the Disaster Recovery Team and broader audiences to effectively function in their roles by having a good understanding of the University's IT Business Impact Analysis and Disaster Recovery Plan.
- Specialized User Communication
Formal distribution lists or other communication methods are used to dispense information to special user populations. Information is focused on policies, standards, procedures, skills, tools, etc. needed to perform their specific role or function. Specialized populations may include Campus Residents, System Administrators, Data Owners, System Owners, the Data Management Group and the Information Technology Advisory Council.
Procedures, Guidelines & Other Related Information
- University Policy 3500 - Policy on the Use of Computing Resources
- University Policy 3505 - Information Security Policy
- Information Technology Security Program
- Safe Computing Practices web site
History
Date | Responsible Party | Action |
October 2008 | ITAC/CIO | Created |
October 2009 | ITAC/CIO | Reaffirmed |
October 2010 | ITAC/CIO | Reaffirmed |
October 2011 | ITAC/CIO | Reaffirmed |
March 2012 | ITAC/CIO | Reaffirmed |
December 2012 | IT Policy Office | Numbering revision; departmental name update |
August 2015 | IT Policy Office/ISO | Three year review, updated roles, groups, links. |
December 2018 | IT Policy Office | Definitions and links checked |
December 2020 | IT Security Office | Minor update for ensuring consistency with established practices |