UW-Whitewater Security Awareness Policy

Approved: March 27, 2017

Purpose

Threats to the confidentiality, integrity, and availability of information developed or used by the University of Wisconsin (UW) - Whitewater continue to evolve and increase in sophistication. Technical controls are implemented to help reduce the risk posed by these threats. These types of controls typically address the physical access or computing equipment and infrastructure, and are continually reviewed and enhanced as the threats evolve.

Of equal or greater importance in the reduction of risk is the human factor, as the people using the systems are both the weakest link in protecting the information and the most powerful influence for improving the overall security posture. Security awareness training is critical to reducing the risk of information loss: it provides UW - Whitewater users with information related to current risks and vulnerabilities, knowledge and tools to be used to minimize the risks, and methods by which all users can keep current on new threats. The goal is to incorporate the security awareness knowledge into daily activities to reduce the overall risk to the information.

Scope

This policy applies to all individuals who have access to protected UW - Whitewater information and resources, and provides the minimum requirements for security awareness training for all individuals who access protected UW - Whitewater resources.

Definitions

Protected data: Any UW - Whitewater data and resources assigned a classification level other than public, as defined in the UW - Whitewater Instructional, Communication, and Information Technology (ICIT) Information Asset Classification Policy.

Security Awareness: Information provided to raise awareness of the risks of threats, effective countermeasures, and the importance of cybersecurity, with the goal of reducing the risk of data loss and/or misuse.

University of Wisconsin System risk rating: Data classification levels based on risk, as defined by the University of Wisconsin System Administrative Information System Data Classification Policy (1031) and Procedure (1031.A).

UW - Whitewater credential: Authentication mechanism or identifier provided by UW - Whitewater to an authorized individual which grants access to protected information resources. This includes, but is not limited to, Net-IDs, tokens, biometrics, and proximity or access cards.

Policy Statement

Security awareness training material will be made available to all individuals who have been provided a UW - Whitewater credential.
The content of the training will be reviewed at least annually, with updates to include any recent best practices.
Individuals will undergo information security awareness training appropriate to their role and the risk classification of the information they access.

  • All newly hired employees are required to complete the information security awareness training within 30 days of their initial hire date.
  • Any individual provided a UW - Whitewater credential and granted access to protected data, or data with a UW System risk rating classification other than low, must complete information security awareness training at least annually.
  • UW - Whitewater students with access to only their own data will at least annually have access to information security awareness training, including security best practices and their role in protecting the University's systems and data.


Completion of the training acknowledges that the individual is aware of security best practices, and their roles in protecting the university's systems and data.

The UW - Whitewater ICIT Department will maintain a record of completion for all individuals assigned security awareness training. ICIT will notify the hiring units of the employees who have completed the training within the required timeframe to assist in ensuring compliance with this requirement.

Per the University of Wisconsin System Administrative Policy 1032 - Information Security: Awareness, "Any individual or entity who fails to complete the required annual training, may be subject to disciplinary action including but not limited to removal of access to UW System non-public data until such requirements have been met."

Related Documents

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date Approver Action Description
03/27/2017 New Policy. Created based on the requirements contained in the September 14, 2016 version of the University of Wisconsin System Administrative Information Security Awareness Policy (1032) and Procedure (1032.A) documents.
03/27/2017 Approved. New policy was approved.