Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
To provide appropriate awareness and training on information security to help protect University IT resources, including data, network and services. Some individuals must meet additional legal, regulatory, or contractual obligations related to security awareness, education and training.
Security Controls
Participation by University Community Members in Security Awareness & Training
The following table defines baseline participation for University community members in security awareness and training based on the security level of their unit’s systems and data.
Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
---|---|---|---|---|
SA.A.01 | Complete mandatory security awareness training course | Required | Required | Required ¹ |
SA.A.02 | Periodically review University information security policies and procedures published in the University Policy Library | Required | Required | Required |
SA.A.03 | Participate in on-going general security awareness | Recommended | Recommended | Recommended |
SA.A.04 | Complete additional security training specific to your job (suggest for developers: once every two years) | Required (Effective July 2019) | Recommended ¹ | Recommended ¹ |

¹ When notified that you must take a course.
Program Design Requirements for those responsible for designing or delivering security awareness training
The following table defines baseline program design requirements for those responsible for designing or delivering security awareness.
Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
---|---|---|---|---|
SA.B.01 | Track individual’s completion of security awareness training | Required | Required (Effective July 2019) | Required |
SA.B.02 | Periodically review and update content (suggest: annual) | Required ¹ | Required | Required |

¹ PCI DSS requires annual review and update of content for people involved in storing, processing or transmitting cardholder data.
Resources Covered
This applies to content and program management of security awareness, education and training. The content is delivered through various channels, including but not limited to online training, web sites, newsletters, messaging, in-person presentations, or printed material.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Information Security Awareness, Education and Training
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to information security awareness.
Published Date
November 2014
Last Reviewed
April 2019