Awareness and training are perhaps the most significant elements in an information security program. By definition, security awareness training is a formal process for educating employees about state, regulatory, and organizational policies, procedures, and the inherent risks of working with information technology.
A security awareness and training program is designed to help mitigate the risk of losing intellectual property, institutional data, and processing resources. For the program to be effective, this responsibility must be shared among all employees at EWU. To remain in compliance with EWU Policy 203-01 and Washington State Office of Chief Information Officer (OCIO) Policy and Standard 141.10, all employees, as systems and data users, will receive annual security awareness training. So, in coordination with EWU's Data Management Committee (DMC), Information Technology identified curriculum requirements, measurement, and the framework for iSATE "Go-Live".
- Employees recognize their responsibility for protecting the University's information and technology assets
- Employees understand the value of information security
- Employees recognize potential violations and understand how and who to contact
- The overall level of security awareness among employees increases and remains high
Three courses have been developed in Canvas, EWU's Learning Management System. Each course has been developed for a specific audience: Information Technology staff, EWU employees, and employees having access to systems housing sensitive information such as FERPA, PCI, and/or HIPAA.
- New Employees: Orientation
- Current Employees: Annually
- EWU faculty and staff (general)
- Information Technology staff
- Employees with access to sensitive information
- Who developed the curriculum?
Answer: The University partnered with the SANS organization and purchased a product, the "SANS Securing the Human" training curriculum, which is also being used in hundreds of colleges and universities globally.
- How am I being measured and do I have to achieve a minimum score?
Answer: As the intent of the program is to encourage and promote a greater level of awareness, the focus is to promote the learning objectives. As a result, there is a quiz at the end of each module to reinforce the content, but a minimum passing score has not been established.
- What topics will be covered in the training?
Answer: The training consists of several specific modules, some of which cover social engineering, passwords, physical and mobile security, email, Internet use, and sensitive data handling.
- When can I take the training and how long will it take?
Answer: You can begin your iSATE journey starting October 1. The training needs to be completed by January 21st, 2019 and will take about 60 minutes in total.
- Is the training mandatory?
Answer: Yes; all EWU employees are required to take this training annually.