Policies

POLICY:

Utica University is committed to protecting its institutional data and ensuring the security of its information systems. This Information Security Employee Training Policy establishes a framework for training all employees, contractors, and relevant third parties in security best practices to mitigate risks associated with unauthorized access, data breaches, and other security threats.

SCOPE:

This policy applies to all faculty, staff, contractors, volunteers, and third parties who have access to Utica University’s information systems and institutional data. The training requirements outlined in this policy apply regardless of the individual’s role or level of access to data.

REASON FOR POLICY:

The rapidly evolving threat landscape necessitates a proactive approach to cybersecurity awareness and education. The purpose of this policy is to:

• Ensure all individuals with access to university systems and data understand their responsibilities in safeguarding information.
• Promote a culture of security awareness within the university community.
• Reduce the risk of data breaches, unauthorized access, and other cybersecurity incidents through regular and comprehensive training.
• Comply with applicable laws, regulations, and standards related to information security.

DEFINITIONS:

• Information Security Training: Structured educational sessions designed to educate individuals on the principles of cybersecurity, best practices, and specific security policies and procedures.
• Institutional Data: All data created, collected, stored, or processed by Utica University, including sensitive or confidential information.

PROCEDURE:

1. Mandatory Training:
   • All new employees, contractors, and relevant third parties must complete information security training as part of the onboarding process.
   • Existing employees must complete annual (12 Months) security awareness training.
2. Role-Based Training:
   • Employees in roles with elevated access to sensitive systems or data (e.g., IT staff, data owners) must complete additional, role-specific security training.
   • Examples: (HIPPA, PCI DSS, NYS SHIELD)
3. Periodic Updates:
   • Security training materials will be reviewed and updated periodically to reflect changes in the threat landscape and updates to university policies or regulatory requirements. No period greater than 12 months shall pass between updates.
4. Specialized Training:
   • Ad-hoc training sessions will be conducted in response to emerging threats or significant changes in university systems and policies.
5. Documentation and Tracking:
   • Completion of training will be documented and tracked by the Information Security Office.
   • Departments must ensure their staff comply with training requirements and follow up with non-compliant individuals.

RESPONSIBILITY:

• Information Security Officer (ISO): Responsible for developing, updating, and delivering training content, as well as tracking participation and compliance. (May be delegated to Assistant Director of TSS and Training)
• Supervisors and Department Heads: Ensure that all staff under their supervision complete mandatory training and adhere to information security best practices.
• Employees, Contractors, and Third Parties: Responsible for completing required training and applying learned practices to their daily activities.

ENFORCEMENT:

Failure to comply with this policy may result in disciplinary action, including suspension of access to university systems, termination of employment, or termination of contracts for third parties. The Information Security Office will report non-compliance to the relevant department heads or supervisors for further action.

RESOURCES/QUESTIONS:

For more information, contact the Utica University IITS Help Desk, which can be reached via telephone at (315) 792-3115. See also the Responsible Use of University Computing Resources policy.

Please note that other Utica University policies may apply or be related to this policy. To search for related policies, use the Keyword Search function of the online policy manual.