Information Assurance and Awareness Training Standard
Purpose
This Standard supports and supplements the University of Central Oklahoma’s Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.
The University of Central Oklahoma (“University” or “UCO”) systems, employees, and the data with which they interact are the cornerstone of UCO’s commitment to excellence. Protecting the confidentiality, integrity, and availability of our systems and our data is essential to the work of the University, and it is the shared responsibility of UCO and all of its employees.
Confidentiality, integrity, and availability of our systems and data can be achieved only through our collaborative effort, communication, and education. All UCO employees, departments, and units play a role in supporting and protecting UCO’s most sensitive institutional information assets.
By participating in information assurance awareness, training and education, members of the UCO community will help reduce the risk of data breaches; ensure awareness of and compliance with applicable laws, regulations, and contractual agreements; and ultimately help support and protect UCO systems and data. Information assurance education and awareness will also provide individuals with the knowledge and skills they need to help protect their own devices and data.
Scope
This Standard applies to:
- This standard applies to all divisions, colleges and units established by the University that exercise any information technology (IT) function relating to the mission of the University except for those specifically exempted in writing by the senior leadership (as defined in the information security policy) of the University.
- This standard applies to University computer and telecommunications systems; faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University, members of the community who use and/or administer such systems, or any information asset (as defined in this policy) that connects directly or indirectly to any UCO owned, leased, contracted, or operated computer or telecommunication system.
Standard Details
UCO is committed to providing an information assurance awareness, education, and training program that enables employees to support the protection of its most sensitive institutional information assets. Users are the single most important group of people that can help to reduce unintentional errors and IT vulnerabilities.
Users, as defined by the information security policy, include employees (faculty, researchers, clinicians, and staff), affiliates, contractors and other third parties, alumni, and students. UCO employees are expected to engage in periodic data protection awareness, education, and training courses and campaigns. In addition, certain job functions or jobs that work with specific types of data may require additional specialized training or education.
To ensure that UCO employees stay up to date on required information assurance training and awareness, managers will include required training in staff work plans and in performance evaluations.
ROLES AND RESPONSIBILITIES:
The table below highlights the roles and responsibilities that UCO, the Information Security Department, and all of UCO’s employees share in education and protection of the confidentiality, integrity, and availability of our systems and our data.

| Role/Position | Responsibilities |
|---|---|
| Chief Information Security Officer | Establish a university-wide awareness and training program strategy and advocate for adequate funding; collaborate with other institutional officials to ensure that personnel are trained to support compliance with laws and regulations |
| Information Security Department | Responsible for day-to-day information assurance awareness and related communications to the campus community; maintain Security website |
| Deans and Administrative Officers | Communicate with faculty and staff regarding training and awareness activities; ensure that all users (including contractors) of their unit’s systems receive appropriate training |
| Unit IT Managers & Security Liaison | Work with the Director of Information Security to meet shared awareness and training responsibilities; confirm that all users (including contractors) of their systems and applications have received appropriate training before allowing them access |
| UCO Community | Understand and comply with UCO information security policies, guidelines, standards, practices, and procedures; be aware of actions they can take to better protect UCO information resources for which they are responsible as well as their own information |
The following table lists examples of currently required role-based information assurance training and education:

| Employee Role | Training | Frequency | Department/Owner |
|---|---|---|---|
| UCO Faculty and Staff | Online | Mandatory 1-time, within 30 days of access being granted; Annual afterwards as appropriate | ISD |
| UCO employees who have access to enterprise administrative and data systems | Online | Mandatory 1-time, within 30 days of access being granted; Annual afterwards as appropriate | ISD |
| UCO employees who have access to Protected Health Information | HIPAA (unit specific) | Annual | Identified HIPAA Covered Components |
| UCO application and software developers creating or maintaining business applications; as well as faculty, staff, or student developers creating or maintaining applications that interact with information classified as Restricted or Confidential | Secure Coding and Application Development | Mandatory 1-time, within 30 days of access being granted; Annual afterwards as appropriate | ISD |
| UCO employees who come into contact with customer credit card data and merchant contacts | Online | Annually | ISD |
Note: this list is illustrative and not comprehensive.
EXCEPTIONS:
Exceptions to this Standard are expected to be generally in line with the provisions of Exceptions to Information Security Policy Request Standard.
Standard Violations
- Failure to comply with this standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these policies, standards, and guidelines are applicable, as stated above, are responsible for adhering to these rules.
- All supervisory personnel are responsible for ensuring that these policies, standards, and guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, representative faculty or school personnel, or by using UCOMMENT.
Change Log

| Version | Date | New | Original |
|---|---|---|---|

Approvals

| Approved By | Date | Description |
|---|---|---|
| Jeff Miller | February 9, 2023 | Initial Policy Release |