Policy

Original Issuance Date: September 14, 2016 

Last Revision Date: December 20, 2023 

Effective Date: July 1, 2024 

1. Policy Purpose 

To ensure that individuals who interact with non-public information technology (IT) resources under the control of the University of Wisconsin (UW) System are exposed to information security awareness materials commensurate with their role. 

2. Responsible UW System Officer 

UW System Associate Vice President for Information Security 

3. Scope and Institutional Responsibilities 

This policy applies to authorized users who are issued digital credentials to access non-public IT resources under the control of the UW System including but not limited to: employees, currently enrolled students, and other authorized users as determined by UW institutions. 

4. Background 

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security awareness training described within this policy is designed to help ensure satisfactory and consistent information security awareness throughout all UW System institutions. 

5. Definitions 

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include: 

  • Digital Credentials 
  • Employee 
  • Institution 
  • Non-public Information Technology Resources 

6. Policy Statement 

A. Security Awareness Training

UW System Administration must make available to institutions systemwide information security awareness training materials which promote information security as an integral part of day-to-day activities. The following are security awareness training requirements based on a user’s relationship with UW System: 

I. EMPLOYEES 

1. All UW System employees must:
      1. Upon hire and annually thereafter, review Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and any supplemental institution acceptable use policies, if applicable. 
      2. Complete information security awareness training, as assigned, that provides information security best practices and explains the individual’s role in protecting the institution’s systems and data. Employees must be assigned security awareness training on an annual basis. Security awareness training must be completed within the timeframe prescribed. 

2. Supplemental Training and Awareness Activities

When appropriate, institutions should supplement the systemwide information security awareness training with role-based training commensurate with an employee’s roles within the organization. Institutions may also foster additional broad-based information security awareness activities as they deem necessary through methods such as: 

      1. Websites 
      2. Email 
      3. Social media 
      4. In-person or online training sessions 
      5. Conferences or events 
      6. New employee orientation 
      7. Social engineering campaigns 

3. Training Enforcement

Institutions are responsible for ensuring that employees have access to, and have completed, information security training as prescribed. For any employee who fails to take security awareness training within the timeframe prescribed, the institution may take steps to reduce the risk associated with the employee’s continued access to institution resources, up to and including the suspension of the employee’s network account. 

II. STUDENTS 

On an annual basis, institutions must: 

    1. Send notification of Regent Policy Document 25-3, Acceptable Use of Information Technology Resources to students. 
    2. Provide access to information security awareness training to students that includes information security best practices and their role in protecting the university’s systems and data. Institutions are encouraged to incorporate Information Security training within the student onboarding process. 

III. OTHER UW USER GROUPS 

    1. Institutions shall maintain written expectations pertaining to what security awareness training requirements, if any, are necessary for consultants, contractors, vendors, emeritus, alumni, and volunteers based on their affiliation with the institution, resources accessed, and anticipated length of affiliation. Fulfillment and tracking of training for these groups is further the responsibility of the institution. 
    2. Where possible, institutions should incorporate into contracts and agreements with third parties, whose employees will directly access UW System data and resources, language such that employees will complete security awareness training provided by their employer, prior to accessing UW System data and resources. 

B. Security Awareness Training Content

Security awareness training content should be reviewed and updated on an annual basis to reflect changes to the threat landscape and include: 

  1. a basic understanding of the need for information security 
  2. user actions to maintain security and how to respond to suspected security incidents 

C. Phishing Simulations

Phishing simulation campaigns must be conducted for all employees to increase awareness and test employee knowledge of the tactics and techniques used by malicious actors. Employees must not take actions intended specifically to prevent receipt of phishing simulations. 

Employees may be enrolled in supplemental phishing training following failed phishing simulations. Failure to take this supplemental training within 30 days of assignment may result in employee risk mitigation, up to and including network account suspension. 

7. Related Documents 

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification and Protection 
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program  

8. Policy History 

Revision 5: December 20, 2023 

Revision 4: July 14, 2021 

Revision 3: November 13, 2020 

Revision 2: April 11, 2019 

Revision 1: July 31, 2017 

First approved: September 14, 2016 

9. Scheduled Review

December 2027