Policy No: 2047
Responsible Office: Office of Information Security
Last Review Date: 06/18/2020
Next Required Review: 06/18/2025

Information Security Awareness Training Policy


1. Purpose

The purpose of this policy is to raise awareness of information security and to inform faculty, staff, certain student workers, third party contractors and volunteers of their information security obligations. Formal information security awareness training aids in the protection of the data (personal, intellectual property, financial, restricted and sensitive information), networked systems, and applications entrusted to and utilized by the University, by providing a broad understanding of information security threats, risks and best practices.

2. Applicability

2.1  Faculty, Staff and Student Workers:

This policy applies to all faculty, staff and student workers who may access, store, process, transmit or manage University data, systems, or applications. As members of the USA community, faculty, staff and student workers are accountable and have an obligation to demonstrate an understanding of their unique role and responsibility as the best defense for the protection of the University’s information, data, and reputation.

2.2  Third Party Contractors (defined as vendors, consultants – non-USA employees) and Volunteers:

Third Party Contractors and volunteers who have access to University Data or systems in the course of their contract work or volunteer activities are also covered by this policy. Except under the narrow circumstances described in Section 5.2.1 below, volunteers may not have access to University Data or systems. When working or providing services on behalf of USA, Third Party Contractors and volunteers are accountable and have an obligation to demonstrate an understanding of their unique role and responsibility as the best defense for the protection of the University’s information, data, and reputation.

2.3  Exceptions:

This policy does not apply to employees who do not have access to computers or to University data during the regular execution of their job duties. Any other exceptions to this policy must be approved by the Information Security Office.

3. Definitions

University Data: University Data is any data or information that is created, owned, received, stored, or managed by USA.

Third Party Contractors: defined as vendors or consultant(s), and not University employees.

4. Policy Guidelines

The University Information Security Office is responsible for the information security awareness program, training, education, and awareness communication for the University. The program will include an enhanced understanding and appreciation of information risks; services that the University Information Security Office provides; information about the threats, techniques, and consequences to the University; information on reporting incidents; guidance and resources to protect information and devices at work and at home.

5. Procedures

5.1  Faculty, Staff and Student Workers:

5.1.1  Formal participation in and review of the security awareness program is mandatory for all full time and part time faculty and staff every two years. Newly hired faculty and staff are required to complete the training within 90 days of the last day of the month in which they were hired. The requirement for a review every two years shall be superseded by an incident or information indicating a need for immediate intervention and training for a specific employee, department, or the entire University. Additional topic-specific training may be required based on role, the type of information accessed or used (e.g. PCI-DSS, Research, CUI, HIPAA, etc.), or identified increased risk.

Note: Newly hired employees are exempted from the 2-year training requirement if they have completed the training within one year of the date on which the 2-year training cycle begins. For example, if a new hire is assigned the training on February 1 and completes it on October 1 of the same year, and the University’s 2-year training cycle begins at that point, the new hire is exempt from retaking the training for that cycle.

5.1.2  Student workers who may have access to, or the ability to store, process, transmit or manage University Data are also required to complete this training within 30 days of their hire date. As part of the employment process, Enrollment Services and the Federal Work Study Program (or the hiring supervisors) are to contact the Information Security Office to have the student enrolled in cyber security awareness training.

5.1.3  The University Information Security Office will coordinate, monitor, and track the completion of the required Security Awareness program. University Vice Presidents and Deans are required to ensure adherence to the policy, and completion of the required program. Program content will be updated yearly, in order to reflect current security trends, threats, techniques, and the evolving environment of information security.

5.2  Third Party Contractors and Volunteers:

5.2.1  Third party contractors who have access to University data, the network, or systems are also required to complete cyber security awareness training. Supervisors of any third party contractors are to contact the Information Security Office to have the contractor enrolled in cyber security awareness training. Training must be completed within 30 days after access is permitted. Volunteers may not have access to University Data or systems except in those instances in which it is strictly necessary for the performance of their volunteer or service activities. Any such access must be requested by the University administrator, faculty or staff member overseeing the volunteer, and must be authorized by the Information Security Office before it is granted.

5.2.2  University Vice Presidents and Deans overseeing Third Party Contractors and volunteers with access to University Data are required to ensure adherence to the policy and completion of the required program. Program content will be updated in order to reflect current security trends, threats, techniques, and the evolving environment of information security.

6. Enforcement

Failure to comply with this policy may result in denial or removal of access privileges to the University’s electronic systems (e-mail, eLearning, wireless, and USA network). Specific to faculty, staff and student workers, there may also be disciplinary consequences for failure to adhere to the policy.

7. Related Documents

Not Applicable.