ROWAN UNIVERSITY POLICY
Title: Security Awareness and Training
Subject: Information Security
Policy No: ISO:2014:
Senior Vice President for Information Resources and Technology and Chief Information
Responsible Officer: Assistant Vice President
and Chief Information Security Officer
Date Adopted: 06
Last Review: 09
This policy establishes the requirement for information security awareness, training and education for members of the ROWAN Rowan community who have access to the University's information systems and information assets, in accordance with FERPA and HIPAA laws.
all applicable federal, state, and local laws governing the use of computers and the Internet.
Under the direction of the President, the Chief Information Officer , and Chief Information Security Officer , and University Management shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.
This policy applies specifically to all employees, faculty, students, vendors, and third parties who have access to Rowan's information assetsmembers of the Rowan Community who access and use the University's electronic information and information systems.
- Information Assets – Defined as (1) all categories of information and data, including (but not limited to) records, files, and databases, regardless of form and (2) information technology facilities, equipment and software owned, outsourced, or leased by the University. This includes all University IT systems and data, including personal computer systems.
- Security Awareness Training (SAT) – A method to inform users about the importance of protecting information technology systems and assets. SAT teaches security key concepts and best practices, such as creating a strong password, protecting mobile data, following IT Security policy, and reporting security incidents.
- Security Awareness Training Program - The vehicle for disseminating security information for the ROWAN Community. Establishing and maintaining an information security awareness and training program will help to protect ROWAN's vital information resources.
- ROWAN Community – Includes Management, staff, non-employees, faculty, researchers, students, attending physicians, contractors, covered entities, and agents of ROWAN.
Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
The Information Security Office (ISO) will provideInformation Security Awareness, Training and Education
and implement information security awareness, training and education for all members ofthe ROWAN community
the Rowan Community and ensure ongoing maintenance and enhancements to the training and education content.
All members of theROWAN community that will
Rowan Community who have access to information assets must completeSecurity Awareness Training (SAT) upon arrival at ROWAN.
- All members of the ROWAN community that will have access to information assets must annually complete refresher training.
- SAT content must
all required security awareness training, including annual refresher training.
Remedial training will be required for any user whose account has been reported to be compromised
Security awareness training content will be reviewed and updated annually bythe
ISO will provide an annual security awareness training report and monthly updates to theIT
Information Technology Security Board (ITSB).
- Vice Presidents and Deans shall ensure each member of the ROWAN Community has completed the Security Awareness Training.
- The Information Security Office (ISO) is responsible for implementing, maintaining, and providing on-going information security awareness, training and education using various techniques such as awareness sessions, training, newsletter articles, email and an intranet website.
VI. NON-COMPLIANCE AND SANCTIONS
Supervisors are responsible for ensuring that each of their direct reports completes their security awareness trainings.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to the removal of system access or disciplinary actions, up to or including termination of employment or dismissal from a school, subject to applicable collective bargaining agreements and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization per the Acceptable Use Policy.
By Direction of the CIO:
SVP and Chief Information Officer