Security Awareness Training Policy
Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
---|---|---|---|
All Florida Tech Employees and Identified Users | August 2024 | August 2024 | Dr. John Nicklow, President |
Policy Owner: Information Security Officer
Policy Purpose
The purpose of this policy is to ensure that all Florida Institute of Technology (Florida Tech) employees and affiliates with access to institutional data receive mandatory cybersecurity awareness training. This training is crucial for understanding the importance of safeguarding the university’s data and promoting a culture that prioritizes information security. The policy and its associated procedures define the minimum requirements for Security Awareness and Training controls.
Policy Scope
This policy applies to all Florida Tech employees, faculty, staff, and identified university affiliates.
Policy Statement
All Florida Tech employees, faculty, staff, and identified affiliates must complete mandatory cybersecurity awareness training as part of their onboarding process and annually thereafter. This training is essential for understanding the safe and responsible use and handling of information and for protecting university-owned and personal devices containing university electronic information and records.
Procedures/Guidelines
- Training Requirements:
  - Onboarding Training: All new full-time staff and faculty must complete cybersecurity awareness training as part of their onboarding process.
  - Annual Training: All full-time staff and faculty must complete cybersecurity awareness training annually.
  - Temporary Employees: Temporary employees with access to PII must complete cybersecurity awareness training prior to gaining access to university records.
- Non-Compliance:
  - Failure to complete the required training within the specified timeframes will result in non-compliance with this policy and may lead to disciplinary action.
- Training Content:
  - The security awareness training program will be reviewed and updated annually to reflect changes in the information security landscape and to ensure it remains relevant and effective.
Definitions
- Security Awareness Training: A formal process designed to educate employees about internet and computer security practices, informing them about institutional policies and procedures regarding the use of information technology (IT).
- University Affiliate or Contractor: An individual who is formally associated with Florida Tech but is not a student or employee, including contractors, vendors, interns, temporary staff, and volunteers.
- Personally Identifiable Information (PII): Any data that could potentially identify an individual, distinguishing one person from another and de-anonymizing anonymous data.
- Education Records: Records directly related to a student and maintained by Florida Tech, as defined by the Family Educational Rights and Privacy Act (FERPA).
- Family Educational Rights and Privacy Act (FERPA): A federal law that protects the privacy of student education records.
- Health Insurance Portability and Accountability Act (HIPAA): A federal law requiring entities to prevent unauthorized access to Protected Health Information (PHI).
- Gramm-Leach-Bliley Act (GLBA): A law requiring financial institutions to disclose their information-sharing practices and safeguard sensitive data.
- Data Owner: An individual responsible for managing and ensuring the quality and integrity of data elements.
Compliance Reference
This policy ensures compliance with the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA).
Responsibilities
The Information Security Officer is responsible for implementing and managing this policy. All employees, faculty, staff, and affiliates are responsible for completing the required training and adhering to this policy.
Enforcement
Non-compliance with this policy may result in disciplinary action, including but not limited to loss of access to university IT resources. All stakeholders are expected to uphold the policy within their areas of responsibility.