Information Security Awareness Training Policy

Contents

• Purpose
• Scope
• Policy
• Accountability
• Contacts
• References
• Version History

Purpose

The purpose of the Albany State University (ASU) Information Security Awareness and Training Policy is to identify the conditions necessary to provide information technology system users with appropriate awareness of information and information systems security requirements and of their responsibilities to protect information technology resources and systems. The success of the University’s awareness and training program, and the overall awareness of secure business practices, depends upon the ability of all users to work toward a common goal of protecting ASU’s information, information systems and associated resources.

Scope

This policy refers to all ASU information resources whether individually controlled or shared, stand-alone or networked. It applies to all information and information systems, communication facilities owned, leased, operated, or contracted by the ASU. This includes networking devices, personal digital assistants, telephones, wireless devices, workstations, minicomputers and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.

Policy

This policy is in support of ASU security policies, standards, and procedures designed to educate users about risks to information and information systems. The ASU security training and awareness program includes security awareness presentations, security reminders, general security training, system-specific security training, security management training and professional security education for members of the workforce. Additionally, our awareness and education program will include the following:

• Annual mandatory training
• Scheduled awareness surveys.
• Periodic unscheduled awareness assessments to assure compliance with the training.
• Feedback surveys to improve our awareness training and education program.

Training completion and results will be maintained in the individuals Human Resources personnel file, as part of the permanent record.

Accountability

Violation of this policy may subject the user to sanctions, including the loss of computer and or network access privileges, disciplinary action, suspension, termination of employment, dismissal from ASU, and / or legal action.

Contacts

The Chief Information Officer is charged with the responsibility to periodically review the policy and propose changes as needed.

References

• ASU IT Security Website: https://www.asurams.edu/technology/information-security/
• USGBOR Handbook: http://www.usg.edu/information_technology_handbook/section5
• National Institute for Standards and Technology: http://www.nist.gov
• SANS Institute:Version 1.3 http://www.sans.org
• COBIT 5.0: http://www.isaca.org/

Version History

Date, version number and description of creation or change of the policy

Date	Version	Description
October 9, 2013	1.3	ASU Information Technology Governance Committee