Information Security Awareness Training
Policy Approval Authority | President |
Responsible Division | Division of Information Technology |
Responsible Officer(s) | Chief Information Officer, Chief Information Security Officer |
Contact Person | Fred Williams |
Primary Audience | Faculty, Staff Administration |
Status | Active |
Last Review Date | 06-15-2021 |
Policy Category/Categories | Information Technology |
Purpose
The purpose of this policy is to ensure that all Northern Illinois University employees are taught Information Security Awareness to gain the knowledge, skills, and abilities to maintain confidentiality, integrity and availability of the University’s information and information technology resources.
The University seeks to establish a culture that ensures institutional data is secure. This policy and associated procedures establish the minimum requirements for the Information Security Awareness and Training controls.
Scope
This policy applies to all University employees.
Definitions
“Security Awareness Training” is a formal process for educating employees about the Internet and computer security. A good security awareness program should educate employees about current threats, what they are and how to protect themselves, as well as institutional policies and procedures for working with the Division of IT and the Office of Information Security (OIS).
“Data Classification” is the determination of the data type, regardless of storage media (electronic or paper for example) and associated risks and security requirements, as outlined by the Data Classification Guidelines and Procedures, which can be found here:
Data Classification Guidelines and Procedures - NIU - Division of Information Technology
Policy
The Office of Information Security, on behalf of Northern Illinois University, is responsible for the implementation of an information security awareness training program to increase
employees’ awareness of their information security responsibilities in protecting the
confidentiality, integrity, and availability of university information resources.
NIU employees must complete all assigned information security awareness training materials
within 30 days of the training being made available to them.
Annual Training
Each year, the annual information security awareness training will occur during the same time frame as the State of Illinois Ethics Training. The employee’s classification and employment
status with the University at the time determines if they are required to complete the information
security awareness training during the training period.
The following employees are required to complete the annual information security
awareness training during the normal time:
• Civil service
• Supportive professional staff
• Faculty and Instructors
• Employees on sabbaticals and educational leaves
• Extra Help and Temporary Employees
The following employees are NOT required to complete the annual information security
awareness training during the normal time:
• Student employees, graduate assistants and teaching assistants
• Employees on unpaid leave
• Employees on FMLA and disability during the training period
Training for New Hires
As part of onboarding to NIU, all new
• Civil Service
• Supportive Professional Staff
• Faculty and Instructors
• Extra Help and Temporary Employees
employees are required to complete information security awareness training.
This does NOT include positions classified only as student employees, graduate assistants and teaching assistants.
Additional Information
Ad-hoc or supplemental information security awareness training may be required for some employees depending on role changes, involvement in information security incidents,
demonstration of unacceptable risky behaviors as relates to information security, or by request.
Compliance and Responsibilities
The Office of Information Security, in conjunction with other IT resources, will verify compliance with this policy through various methods, including but not limited to email reminders
to employees’ official university email accounts, application tools, reports, internal and external
audits, and feedback to the Office of Information Security.
The Office of Information Security is authorized to limit network access for individuals or units
not in compliance with all information security policies and related procedures. If any employee
fails to complete assigned training within 30 days, their Division Head will be notified, and the
employee’s account may be suspended. The employee may reactivate their account for a short
period by contacting the DoIT Service Desk. Once the account is reactivated, they must complete
the assigned training.
Procedural History of the Policy
Version 1.0 6/15/2021
Contact Us
Rebecca Hunt, Ph.D.
University Policy Librarian
Health Services Building, 226
815-753-9021
policy-library@niu.edu