Information Security Awareness Education Standard


This standard defines the university’s requirements for information security awareness training and education.

Information Security Awareness Education is a requirement for all new faculty and staff hires and is part of the new hire orientation checklist.

All employees are required to complete an annual security awareness training course each year and certain categories of employees must complete additional security awareness training annually, as defined in this standard.


The university conducts multiple training courses as part of its overall security awareness education program.  The overall program includes, at a minimum, the following training courses or components:

New Hire Security Awareness Training

All new faculty and staff hires must complete an initial Security Awareness Training course.  This course is conducted through the HR Knowledge Center system and is included on the new hire orientation checklist.  HR instructs employees that the New Hire Security Awareness course must be completed within 30 days of new hire orientation.

Annual Employee Security Awareness Training

Effective January, 2011, an Annual Employee Security Awareness training course will be added to the HR Knowledge Center system.  For the first annual training cycle, all employees will be required to complete Annual Employee Security Awareness training by March 31, 2011.  Once implemented, the Knowledge Center will send automatic email reminders to employees 12 months after course completion, alerting employees to annual refresher training completion deadlines.

IT Employee Security Awareness Training

Each year, all employees in the Information Technologies division will be required to attend training regarding UMW’s comprehensive Information Security Program.  This training will review all Information Security Program related policies, standards and procedures.  IT Employee Security Awareness Training course completion records will be maintained the university’s ISO.

Data Stewardship and Data Security Contact Training

At least once annually, Data Stewards and Data Security Contacts will be required to attend training that reviews the Administrative Data Access Policy, the Electronic Storage of Highly Sensitive Data Policy, the Data Classification Standard and the roles and responsibilities of Data Stewards and Data Security Contacts in regard to these policies and standards.


Information Security Program Policy


Approved:  November 10, 2010 by Vice President for Information Technologies & CIO