Information Security Training Policy
Purpose
The purpose of this policy is to establish the minimum requirements for an information security awareness and training program at W&M.
Scope
This policy applies to all William & Mary faculty and staff requiring access to the university’s information systems. Contractors are not covered by this policy.
Policy
Initial Training
All new employees must complete mandatory information security training within 30 days of their start date. The initial training will include an overview of William & Mary's Information Security Policies, general information security concepts and best practices, and topic-specific training focused on current or emerging threats.
Ongoing Annual Training
In addition, the W&M Information Security Office will administer a mandatory information security awareness and training program in the fall semester of each year to increase awareness of information security threats and risks. All assigned individuals are required to complete the training by the end of the fall semester. Assigned individuals who do not complete the training by the end of the fall semester will have their accounts locked until they complete it.
Requests for exemptions from this policy can be made under the following circumstances (and others as reviewed and approved):
- An individual was hired within the last year and was assigned the training at hire (the training need not be taken twice in the same year).
- An individual is on some type of leave from the university and not currently working (e.g., adjunct faculty not currently teaching a course, faculty on sabbatical, medical leave, etc.).
- An individual has completed equivalent information security training and has evidence of completion.
- An individual cannot access the online training due to technical circumstances.
- An individual has some other legitimate and approved reason for not being able to complete the training.
Requests for exemptions can be submitted using the Security Training Exemption Request form or by emailing the Chief Information Security Officer directly. Exemptions from this requirement must be approved by the Chief Information Security Officer or designee.
Role Based Training
- Individuals working with credit card transactions at the university are required to attend annual PCI DSS training in addition to the general annual training.
- University departments working with sensitive data must meet with the Chief Information Security Officer annually to assess risks to the sensitive data and the effectiveness of controls in place to mitigate those risks.
- All members of the Information Security Team are required to participate in some form of professional development activity annually.
Awareness Program
In addition to annual training, all faculty, staff, and students will undergo regularly scheduled simulated phishing exercises to build and maintain awareness of current threats.
Non-compliance
An employee's failure to comply with any of the above policy statements may result in disciplinary action, in accordance with the general university employment policies and procedures that apply to the respective category of employee. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.
A student’s failure to comply with any of the above policy statements may result in disciplinary actions in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.