Security Awareness Training Policy

REASON FOR POLICY

The end-user awareness aspect of the security program is as important as the technical aspect. The security posture reflects the knowledge of the end-users, since a large number of threats target users directly.

The quality and integrity of the College’s security awareness training ensures that workforce members, including the management of the College’s information systems, understand the security implications of their actions. It increases the likelihood that information system security will not be breached, either intentionally or unintentionally, through technical measures (such as hacking) or non-technical measures (such as social engineering).

The goal is to ensure users understand the risks of using information technology, how to defend against malicious threats, and how to react to information security events or incidents, whether at work or at home. Without such training, information systems users have an increased likelihood of breaching security and have lower individual culpability should they breach security.

POLICY SCOPE

This Security Awareness Training Policy applies to all users of all information systems that are the property of the College. Specifically, it includes:

  • All employees, whether employed on a full-time or part-time basis by the College.
  • All contractors and third parties that work on behalf of and are paid directly by the College.
  • All contractors and third parties that work on behalf of the College but are paid directly by an alternate employer.
  • All employees of vendors that access the College’s non-public information systems.

DEFINITIONS

IT Security Awareness Training: A formal process for educating employees about computer security.

Breach: Any incident that results in unauthorized access of data, applications, services, networks, and/or devices by bypassing their underlying security mechanisms.

POLICY STATEMENTS

Basic Security Requirements:

  • The College will ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
  • The College will ensure that organizational personnel are adequately trained to carry out their assigned information-security-related duties and responsibilities.

Derived Security Requirements:

  • Security awareness training will be provided to ensure all parties within the scope of this policy can recognize and report potential indicators of insider threat.
  • Upon completion of security awareness training, all employees will be required to sign a declaration that they have completed training, understand the purpose of the training and the specific procedures taught, and that they intend to abide by the College’s security policies.
  • All employees of the College that work as administrators or hold other positions with significant and relevant security operations responsibilities are required to participate in security operations training within 30 days of starting work or the deployment of a new or significantly updated/revised information system and thereafter on an annual basis. Upon completion of security operations training, all employees will be required to sign a declaration that they have completed the training, understand the purpose of the training, and that they intend to abide by the College’s security policies.
  • Security training will be ongoing at the College. Employees will be kept up to date on new improvements or threats to watch out for.

NON-COMPLIANCE

Violations of this policy that result in a breach will be treated like other allegations of wrongdoing at the College. Disciplinary actions, up to and including termination, will be evaluated based on the scope of the breach.

Contact