Information Security Awareness Training

Policy Approval Authority: President
Responsible Division: Division of Information Technology
Responsible Officer(s): Chief Information Officer, Chief Information Security Officer
Contact Person: Fred Williams
Primary Audience: Faculty
Status: Active
Last Review Date: 06-15-2021
Policy Category/Categories: Information Technology


The purpose of this policy is to ensure that all Northern Illinois University employees are taught Information Security Awareness to gain the knowledge, skills, and abilities to maintain confidentiality, integrity and availability of the University's information and information technology resources.

The University seeks to establish a culture that ensures institutional data is secure. This policy and associated procedures establish the minimum requirements for the Information Security Awareness and Training controls.


This policy applies to all university employees.


"Security Awareness Training" is a formal process for educating employees about the Internet and computer security. A good security awareness program should educate employees about current threats, what they are and how to protect themselves, as well as institutional policies and procedures for working with the Division of IT and the Office of Information Security (OIS).

"Data Classification" is the determination of the data type, regardless of storage media (electronic or paper, for example), and the associated risks and security requirements, as outlined by the Data Classification Guidelines and Procedures.


The Office of Information Security, on behalf of Northern Illinois University, is responsible for the implementation of an information security awareness training program to increase employees' awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of university information resources.

NIU employees must complete all assigned information security awareness training materials within 30 days of the training being made available to them.

Annual Training

Each year, the annual information security awareness training will occur during the same time frame as the State of Illinois Ethics Training. The employee's classification and employment status with the University at the time determine whether they are required to complete the information security awareness training during the training period.

The following employees are required to complete the annual information security awareness training during the normal time:

  • Civil service
  • Supportive professional staff
  • Faculty and Instructors
  • Employees on sabbaticals and educational leaves
  • Extra Help and Temporary Employees
  • Student employees, graduate assistants and teaching assistants

The following employees are not required to complete the annual information security awareness training during the normal time:

  • Employees on unpaid leave
  • Employees on FMLA and disability during the training period

Training for New Hires

As part of onboarding to NIU, all new employees including

  • Civil Service
  • Supportive Professional Staff
  • Faculty and Instructors
  • Extra Help and Temporary Employees
  • Student employees, graduate assistants and teaching assistants

are required to complete information security awareness training.

Additional Information

Ad-hoc or supplemental information security awareness training may be required for some employees depending on role changes, involvement in information security incidents, demonstration of unacceptable risky behaviors as they relate to information security, or by request.

Compliance and Responsibilities

The Office of Information Security, in conjunction with other IT resources, will verify compliance with this policy through various methods, including but not limited to email reminders to employees' official university email accounts, application tools, reports, internal and external audits, and feedback to the Office of Information Security.

The Office of Information Security is authorized to limit network access for individuals or units not in compliance with all information security policies and related procedures. If any employee fails to complete assigned training within 30 days, their division head will be notified, and the employee's account may be suspended. The employee may reactivate their account for a short period by contacting the DoIT Service Desk. Once the account is reactivated, they must complete the assigned training.

Procedural History of the Policy

Version 1.0 6/15/2021
