SECURITY AWARENESS AND TRAINING POLICY
Title: Security Awareness and Training Policy
Subject: Information Security
Policy No: ISO:2014:18
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer
Date Adopted: 06-01-2014
Last Revision: 06-01-2014
Last Review: 09-01-2014
This policy establishes the requirement for information security awareness, training and education for members of the ROWAN community who have access to the University's information systems and information assets, in accordance with FERPA and HIPAA laws.
Under the direction of the President, the Chief Information Officer, Chief Information Security Officer, and University Management shall implement and ensure compliance with this policy.
This policy applies specifically to all employees, faculty, students, vendors, and third parties who have access to Rowan's information assets.
- Information Assets – Defined as (1) all categories of information and data, including (but not limited to) records, files, and databases, regardless of form and (2) information technology facilities, equipment and software owned, outsourced, or leased by the University. This includes all University IT systems and data, including personal computer systems.
- Security Awareness Training (SAT) – A method to inform users about the importance of protecting information technology systems and assets. SAT teaches key security concepts and best practices, such as creating a strong password, protecting mobile data, following IT Security policy, and reporting security incidents.
- Security Awareness Training Program – The vehicle for disseminating security information for the ROWAN Community. Establishing and maintaining an information security awareness and training program will help to protect ROWAN's vital information resources.
- ROWAN Community – Includes Management, staff, non-employees, faculty, researchers, students, attending physicians, contractors, covered entities, and agents of ROWAN.
- The Information Security Office (ISO) will provide Information Security Awareness, Training and Education for all members of the ROWAN community.
- All members of the ROWAN community that will have access to information assets must complete Security Awareness Training (SAT) upon arrival at ROWAN.
- All members of the ROWAN community that will have access to information assets must annually complete refresher training.
- SAT content must be reviewed and updated annually by the ISO.
- The ISO will provide an annual security awareness training report and monthly updates to the IT Security Board (ITSB).
- Vice Presidents and Deans shall ensure each member of the ROWAN Community has completed the Security Awareness Training.
- The Information Security Office (ISO) is responsible for implementing, maintaining, and providing ongoing information security awareness, training and education using various techniques such as awareness sessions, training, newsletter articles, email and an intranet website.
VI. NON-COMPLIANCE AND SANCTIONS
Individuals and departments who do not adhere to this policy may be subject to disciplinary actions and/or the removal of system access.
By Direction of the CIO: __________________________________ Mira Lalovic-Hand, VP and Chief Information Officer