University of Minnesota  Appendix

Information Security Awareness, Education and Training Standard

Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

To provide appropriate awareness and training on information security to help protect University IT resources, including data, network and services. Some individuals must meet additional legal, regulatory, or contractual obligations related to security awareness, education and training.

Security Controls

Participation by University Community Members in Security Awareness & Training

The following table defines baseline participation for University community members in security awareness and training based on the security level of their unit’s systems and data.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| SA.A.01 | Complete mandatory security awareness training course | Required | Required | Required¹ |
| SA.A.02 | Periodically review University information security policies and procedures published in the University Policy Library | Required | Required | Required |
| SA.A.03 | Participate in on-going general security awareness | Recommended | Recommended | Recommended |
| SA.A.04 | Complete additional security training specific to your job (suggest for developers: once every two years) | Required (effective July 2019) | Recommended¹ | Recommended¹ |

¹ When notified that you must take a course.

Program Design Requirements for those responsible for designing or delivering security awareness training

The following table defines baseline program design requirements for those responsible for designing or delivering security awareness.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| SA.B.01 | Track individual’s completion of security awareness training | Required | Required (effective July 2019) | Required |
| SA.B.02 | Periodically review and update content (suggest: annual) | Required¹ | Required | Required |

¹ PCI DSS requires annual review and update of content for people involved in storing, processing or transmitting cardholder data.

Resources Covered

This applies to content and program management of security awareness, education and training. The content is delivered through various channels, including but not limited to online training, web sites, newsletters, messaging, in-person presentations, or printed material.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019