Information Security Awareness Training Policy
1. Overview
End user information security awareness is the greatest defense against information security breaches. Industry research suggests that an ongoing information security awareness training program can reduce the risk of security breaches by 60% or more. Training our community is critical to improving our security posture and reducing risk to the university.
2. Purpose
The purpose of this policy is to define the University of Akron’s Information Security Awareness Training program and to ensure that all employees, students, and other authorized parties who access university information technology (IT) systems and/or services are exposed to information security awareness materials applicable to their role within the community.
3. Scope
This policy applies to authorized users who are issued digital credentials to access IT resources under the control of the University of Akron, including but not limited to: employees, currently enrolled students, authorized contractors, vendors, volunteers, and other authorized users as determined by the university.
4. Background
University Rule 3359-11-10.3: “Information technology security and system integrity policy” defines the roles and responsibilities of university personnel as they relate to information security. This policy is designed to help ensure satisfactory compliance with University Rule 3359-11-10.3, Section B, Paragraph 10.
5. Definitions
- Digital Credentials – A user’s identification and authentication information, typically a username and password.
- Employee – Regular full-time and part-time faculty, staff, and contract professionals, whether compensated or not, who receive a digital credential from the university.
- Student – A currently enrolled student who is not employed by the university in any capacity.
- Third Party – Any organization, vendor, contractor, or partner operating on behalf of the university.
6. Policy
- All employees and third parties shall:
- Upon hire and annually thereafter, review University Rule 3359-11-10: “Access and acceptable use of university computer and information resources” policy.
- Complete annual information security awareness training prescribed by the Chief Information Security Officer (CISO), which supports information security best practices and the individual’s role in protecting the university’s systems and data.
- Students shall on an annual basis:
- Receive notification of University Rule 3359-11-10: “Access and acceptable use of university computer and information resources” policy.
- Be provided access to information security awareness training that includes information security best practices and their role in protecting the university’s systems and data.
- The CISO shall:
- Make available to all University of Akron constituents and third parties information security awareness training that promotes security as an integral part of day-to-day activities.
- Conduct announced and unannounced phishing simulations to support on-going checks on learning throughout the year.
- Support departments wishing to supplement this information security awareness training as appropriate for systems and data sets that have specific regulatory requirements and data security needs including but not limited to:
- FERPA – Family Educational Rights & Privacy Act
- GLBA – Gramm-Leach-Bliley Act
- GDPR – General Data Protection Regulation
- HIPAA – Health Insurance Portability & Accountability Act
- PCI-DSS – Payment Card Industry Data Security Standard
7. Policy Compliance
- Compliance Measurement
- The CISO will communicate at least annually to inform employees of the prescribed training for the fiscal year.
- The Information Security Services team will verify compliance to this policy by tracking course completion status against a current list of university employees, vendors, contractors, volunteers, and other authorized users who have been provided university digital credentials.
- Non-Compliance
- University Rule 3359-11-10.3, Section D, describes the compliance requirements related to information system security and integrity and it authorizes the university to take actions necessary to ensure compliance.
- Failure to complete the annual training after repeated notifications may result in the loss of technology privileges such as access to IT systems and services including, but not limited to email, ERP, etc. until the training is completed.
- Third parties failing to complete the training within a prescribed period will result in the loss of access to their university digital credentials until training is completed.
- Individuals who lose technology privileges and/or access to their university digital credentials due to non-compliance will coordinate with Information Security Services to complete the prescribed training before full privileges or access will be restored.
- Individuals who fail phishing simulations repeatedly may be offered additional training.
8. Related Documents
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Access Policy
ITS: Secure Access & Data Storage Standard
9. Policy History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 06/01/2022
Prior Effective Dates: N/A
Review Date: 06/01/2023