To protect our University community and assets, it is paramount that all employees are equipped with the necessary knowledge and skills to safeguard sensitive information. Consequently, Saint Peter’s University has developed and implemented an Information Security Awareness Training Policy. This policy requires all employees, including faculty, staff, contractors, and any other individuals with access to University data, to undergo and successfully complete Information Security Awareness training.
The purpose of this policy is to ensure that all employees are aware of their role in maintaining a secure information environment and can recognize and appropriately respond to potential threats. The Information Security Awareness Training is designed to provide education on a wide range of topics, including, but not limited to, data protection, cyber threats, password hygiene, phishing attacks, malware, and safe online behavior.
Policy Requirements
-
Training Frequency: All employees must complete the Information Security Awareness Training annually. Newly hired employees must complete the training within their first 90 days of employment.
-
Training Completion: Employees are required to achieve a passing score of 80% or higher on the post-training assessment. Employees who do not pass the assessment on the first attempt will be given opportunities for retakes until a passing score is achieved.
-
Exemptions: Exemptions to this policy may only be granted under specific criteria:
-
Criteria for Exemption: Job positions may be considered for exemption if they do not involve working with protected data and require limited access to technology at work. Protected data includes data of levels 1, 2, or 3 as defined by the University's Data Classification and Usage Policy.
-
Identification and Approval: The determination of qualifying positions for exemption will be a collaborative effort between department heads, the Office of the CIO, and the Office of Human Resources. Department heads must submit a request for exemption in writing, providing comprehensive justification based on the exemption criteria. The Office of the CIO and the Office of Human Resources will review such requests and grant or deny the exemption. Their decisions will be considered final.
-
Periodic Review: The list of exempt positions will be reviewed annually or whenever a significant change in job duties that could impact their interaction with Protected Data or access to technology occurs.
Roles and Responsibilities
-
Office of the CIO: Responsible for creating, updating, and administering the Information Security Awareness Training. They will track compliance, report non-compliance, and address questions about the policy or training.
-
Managers and Supervisors: Responsible for ensuring their team members comply with this policy, encouraging a culture of information security, and providing resources and support for employees to complete the training.
-
Employees: Required to complete the training annually, abide by the guidelines provided, and apply learned security measures in their daily work.
Failure to complete the training within the specified time frame may result in restricted access to University IT resources, suspension of access to systems, networks, and data. Furthermore, non-compliant employees risk the revocation of university-owned devices and other disciplinary actions up to and including termination of employment.
Approved by the IT Governance Committee 08/01/2023