Information Security Awareness Training

Policy Approval Authority President
Responsible Division Division of Information Technology
Responsible Officer(s) Chief Information Officer, Chief Information Security Officer
Contact Person Fred Williams
Primary Audience Faculty, Staff, Administration
Status Active
Last Review Date 06-15-2021
Policy Category/Categories Information Technology

Purpose

The purpose of this policy is to ensure that all Northern Illinois University employees receive information security awareness training, so that they gain the knowledge, skills, and abilities needed to maintain the confidentiality, integrity, and availability of the University’s information and information technology resources.

The University seeks to establish a culture that ensures institutional data is secure. This policy and associated procedures establish the minimum requirements for the Information Security Awareness and Training controls.

Scope

This policy applies to all University employees.

Definitions

“Security Awareness Training” is a formal process for educating employees about Internet and computer security. A good security awareness program educates employees about current threats, what they are and how to protect against them, as well as institutional policies and procedures for working with the Division of IT and the Office of Information Security (OIS).

“Data Classification” is the determination of the data type, regardless of storage medium (for example, electronic or paper), and of the associated risks and security requirements, as outlined in the Data Classification Guidelines and Procedures, which can be found here:

Data Classification Guidelines and Procedures - NIU - Division of Information Technology

Policy

The Office of Information Security, on behalf of Northern Illinois University, is responsible for implementing an information security awareness training program that increases employees’ awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of university information resources.

NIU employees must complete all assigned information security awareness training materials within 30 days of the training being made available to them.

Annual Training

Each year, the annual information security awareness training occurs during the same time frame as the State of Illinois Ethics Training. An employee’s classification and employment status with the University at that time determine whether they are required to complete the information security awareness training during the training period.

The following employees are required to complete the annual information security awareness training during the annual training period:

• Civil service
• Supportive professional staff
• Faculty and Instructors
• Employees on sabbaticals and educational leaves
• Extra Help and Temporary Employees

The following employees are NOT required to complete the annual information security awareness training during the annual training period:

• Student employees, graduate assistants and teaching assistants
• Employees on unpaid leave
• Employees on FMLA and disability during the training period

Training for New Hires

As part of onboarding to NIU, all new

• Civil Service
• Supportive Professional Staff
• Faculty and Instructors
• Extra Help and Temporary Employees

employees are required to complete information security awareness training.

This does NOT include positions classified only as student employees, graduate assistants and teaching assistants.

Additional Information

Ad hoc or supplemental information security awareness training may be required for some employees because of a role change, involvement in an information security incident, demonstrated unacceptably risky behavior related to information security, or by request.

Compliance and Responsibilities

The Office of Information Security, in conjunction with other IT resources, will verify compliance with this policy through various methods, including but not limited to email reminders sent to employees’ official university email accounts, application tools, reports, internal and external audits, and feedback to the Office of Information Security.

The Office of Information Security is authorized to limit network access for individuals or units not in compliance with all information security policies and related procedures. If an employee fails to complete assigned training within 30 days, their Division Head will be notified and the employee’s account may be suspended. The employee may have the account reactivated for a short period by contacting the DoIT Service Desk; once the account is reactivated, they must complete the assigned training.

Procedural History of the Policy

Version 1.0 6/15/2021
