UM Information Systems User Security Standard
UM Information Security Office - Area: Information Security Policy
Document History
| Date | Document Version | Revision Description | Author |
|---|---|---|---|
| 10/7/2024 | 1.0 | New Document | Neff, CISO |
Approvals
| Approval Date | Approved Version | Approver Role | Approver |
|---|---|---|---|
| 10/7/2024 | 1.0 | CISO | Neff, CISO |
Introduction
The UM System owns or controls, or acts as custodian for, a broad array of information, including Confidential and Restricted Data protected by law and regulation. To safeguard this University Data, this standard establishes information security awareness training requirements for all University employees (including student employees) and all other persons authorized to access this material.
All authorized users should gain a broad understanding of information security threats, risks, and best practices to assist the University in protecting the confidentiality, integrity, and availability of University Data and the University’s Information Technology Resources.
STANDARD
Information Security Awareness Training Program
Through the UM Information Security Office, the Chief Information Security Officer (CISO) will establish and maintain an information security awareness training program that will include testing to assess and help ensure basic knowledge and comprehension of information security issues. To demonstrate basic competency in information security best practices, all faculty, staff, and other Authorized Users of University Information or IT Resources must complete this training as part of the onboarding process, annually thereafter, or as may be required by the CISO.
The Information Security Office will:
- Develop or acquire appropriate information security training content and test materials
- Update and revise training content, test materials, and delivery methods annually to reflect current threats and emerging information security best practices
- Ensure a mechanism exists for feedback regarding the content and efficacy of the training program
- Track and record testing completion rates and other useful program statistics
- Report completion rates and follow up with units that have not completed the mandatory training
Learning Objectives
The basic information security awareness training for all employees or agents will include:
- General information security awareness best practices
- Mobile device and wireless networking best practices
- Data confidentiality, integrity, and availability
- University IT Resource appropriate use and information security policies
- Individual employee information security roles and responsibilities
- Data classification and handling requirements, including the need to protect Sensitive Information
- How to identify suspicious or risky activities
- Cybersecurity threat reporting requirements
- Insider threat detection and reporting
- IT security terms and definitions
- Authentication awareness and best practices
Additionally, role-based security training will be provided by subject-matter experts to employees and affiliates having unique, specific, or highly technical security responsibilities (such as roles involving financial transactions, health record processing, payment card transactions, and secure software development for web developers) as may be deemed appropriate for their roles or level of expertise. Students will have the option, but not the requirement, to complete the information security awareness training program.
System access privileges may be revoked for employees or other Authorized Users (for whom training is required) who do not complete required information security awareness training within specified timelines, which shall not exceed sixty (60) days past onboarding, annually recurring, or other established training deadlines.
Procedures
The UM Information Security Advisory Council will review and, if necessary, revise the UM Information Technology Procurement Policy annually.
References
- UM Appropriate Use of Technology Resources Policy
- UM Information Security Policy
- UM Data Governance Policy