ITS Security Awareness and Training Policy
Policy Statement
To ensure the education of all University employees, security awareness and security training sessions will be made available to all employees upon joining the University, prior to any major system and/or application change, and in accordance with regulatory and contractual obligations.
Entities Affected By This Policy
The policy affects the Information Security group as well as individuals and groups responsible for operating an information resource.
Contacts
EIU Information Security 217-581-1939
Principle
Security Awareness
- Employees of university information systems will receive basic security awareness training within a short period of joining the university.
- Supervisors are responsible for ensuring that all new members of the University’s staff receive basic awareness training.
- Additional awareness training for specific groups, departments and individuals will be provided upon request from the group, department, and/or individual
- The Information Security group will take advantage of internal University publications as part of the ongoing security awareness program
- Security awareness trainings mandated by local, State or Federal regulations and/or contractual obligations will take place in accordance with regulatory and contractual timetables for such activities
Security Training
- Any staff member with significant information resource responsibilities will receive information system specific training to ensure the proper and secure operation of the system
- Such individuals include, but are not limited to:
- System operators
- System administrators
- Network administrators
- Application programmers
- Technical support
- Customer support
- Information security managers
- Information security engineers
- Any individual responsible for the implementation of a new information resource and/or information resource change that significantly alters the handling of university information will train all intended users prior to system implementation.
Contractors and General Person(s) Training
All contractors and users established as general person(s) are required to complete security awareness essentials training. The purpose of this training is to educate users on the importance of information security and to help them understand the risks associated with unauthorized access or disclosure of university systems and data.
- This training requirement applies to all contractors and general person(s) who have access to university data or systems.
- The training must be completed within 30 days of being granted access to university data or systems. The training course will cover topics such as:
- The importance of information security.
- The risks associated with unauthorized access to or disclosure of university data.
- Security best practices, such as strong passwords, data encryption, and phishing prevention.
- Reporting: Contractors must report any suspected security incidents to the university immediately.
- Failure to comply with this policy may result in the removal of access to any university systems and data.
In addition to the above, the following are some specific security awareness tips for all EIU users:
- Use strong passwords and do not repeat previously used passwords.
- Do not share your passwords with anyone.
- Be careful about what you click on in emails.
- Do not open attachments from unknown senders.
- Be aware of phishing scams.
Learn more on how to report phishing:
If you are a Contractor or General Person(s), and need to complete this training, follow the instructions in the email on how to complete your mandated security awareness training.
If you are considered a Staff or Faculty member, please visit:
External Security Contact
- The Information Security group will develop and maintain contacts with local, state and national security-related groups to keep abreast of current security issues and concerns. Such groups include, but are not limited to:
- EDUCAUSE Security Task Force
- InfraGard
- Research Educational Network Information Sharing and Analysis Center (REN-ISAC)
- Other security professionals at Illinois colleges and universities
- Local, State and Federal law enforcement cyber-crime units
- The Information Security group will disseminate security-related news and alerts from external groups to the necessary University departments as needed
- Only the Information Security group staff members and University leadership are authorized to officially represent the University in dealings with external security-related groups
Related Documents
TBD
Supporting Policies, Procedures and Guidelines
Last Date Reviewed: 06/13/2024