Information Security Awareness, Education and Training Standard
Appendix to Policy
- Participation by University Community Members in Security Awareness & Training
- Program Design Requirements for those responsible for designing or delivering security awareness training
The purpose of this standard is to provide appropriate awareness and training on information security to help protect University IT resources, including data, network and services. Some individuals must meet additional legal, regulatory, or contractual obligations related to security awareness, education and training.
Participation by University Community Members in Security Awareness & Training
The following table defines baseline participation for University community members in security awareness and training based on the security level of their unit’s systems and data.
|SA.A.01||Complete mandatory security awareness training course||Required||Required||Required¹|
|SA.A.02||Periodically review University information security policies and procedures published in the University Policy Library||Required||Required||Required|
|SA.A.03||Participate in on-going general security awareness||Recommended||Recommended||Recommended|
|SA.A.04||Complete additional security training specific to your job (suggest for developers: once every two years)||Required (effective July 2019)||Recommended¹||Recommended¹|
¹ When notified that you must take a course.
Program Design Requirements for those responsible for designing or delivering security awareness training
The following table defines baseline program design requirements for those responsible for designing or delivering security awareness.
|SA.B.01||Track individual’s completion of security awareness training||Required||Effective July 2019|
|SA.B.02||Periodically review and update content (suggest: annual)||Required¹||Required||Required|
¹ PCI DSS requires annual review and update of content for people involved in storing, processing or transmitting cardholder data.
This applies to content and program management of security awareness, education and training. The content is delivered through various channels, including but not limited to online training, web sites, newsletters, messaging, in-person presentations, or printed material.
This applies to University community members who use or manage University IT resources.
- More information on Information Security Awareness, Education and Training
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to information security awareness.