Security Awareness and Training 6028

I. PURPOSE 

The purpose of this policy is to identify the conditions necessary to provide information technology system users with appropriate awareness of system security requirements and of their responsibilities to protect information technology resources and systems.

II. DEFINITION 

IT system users in this context means faculty, retired faculty, staff, Longwood University Foundation employees, retired staff, student workers and any other individuals approved for access by the Chief Information Officer.

III. POLICY 

Training requirements: At a minimum, basic security awareness training topics will include malicious code protection, proper disposal of data storage media, proper use of encryption products, password management, intellectual property rights, including software licensing and copyright issues, and other concepts as required. IT system users will be required to document acceptance of security policies after receiving security awareness training.

Additional security training may be required based on Longwood-specific or role-specific security training requirements.

  1. Examples: If Longwood processes data covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA), then IT security training must address those specific data security requirements.
  2. IT system managers, IT system designers, System Owners, Data Owners, members of the Disaster Recovery Team and members of the Incident Response Team require specialized IT security training as practicable and necessary.

Attendance and monitoring: Documentation is required for all IT security training. Training must be completed within 30 days of: (1) access being granted to IT resources and systems or (2) the assignment of role-specific security responsibilities.

Security awareness training is required at least annually or more often as necessary.

The Information Security Policy, Awareness and Training Coordinator is responsible for monitoring receipt of IT security training.

IV. ENFORCEMENT 

The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of information technology (IT) resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

Approved by the Board of Visitors, December 7, 2007.

Revised and approved by the Board of Visitors, March 26, 2010.

Security Awareness Training Enforcement Procedures