Information Security Awareness, Education and Training
Standard and Process
See the specific requirements in the Information Security Awareness, Education and Training Standard in the University Policy Library. The following supplements the requirements in University policy.
The University’s information security awareness program aims to deliver current information about risks and security practices so that University community members can protect the confidentiality, integrity, or availability of systems and data. This includes information about known threats, who to contact for security advice, and the channels for reporting information security incidents.
The information security awareness objectives include reducing the risk of security breaches and maintaining compliance with applicable laws, regulations, contractual agreements, and University policies.
Those providing security awareness training need to periodically review the information security awareness course content and assess the need for including the following:
- management’s commitment to information security;
- general responsibilities for securing and protecting the University’s information;
- basic information security procedures (e.g., information security incident reporting);
- basic information for baseline controls (e.g., password security, malware, and clear desks);
- secure use of mobile devices;
- contacts for additional information.
When appropriate, additional information security training should be completed by individuals whose job functions (e.g., system administrators, developers, programmers, help desk, network engineers) require specialized skill or knowledge in information security. See your supervisor for details.
Community members are responsible for:
- completing assigned information security awareness course(s);
- following safe computing practices;
- reviewing University information security policies;
- participating in general information security awareness; and
- completing additional security training related to their job.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013.
- General Awareness/Periodic Reminders
- Mandatory Training
- University of Minnesota Policy Library