Close menu Resources for... William & Mary
W&M menu close William & Mary

Information Security Training Policy

Purpose

The purpose of this policy is to establish the minimum requirements for an information security awareness and training program at W&M. 

Scope

This policy applies to all William & Mary faculty, staff, and student employees requiring access to the university’s information systems. Contractors are not covered by this policy. 

Policy

The W&M Information Security Office will administer a mandatory information security awareness and training program in the fall semester of each year to increase awareness and train active university staff in the secure handling and use of the university’s information and information assets. All assigned faculty, staff, and student employees are required to complete the training by the end of the fall semester.  Individuals not completing the training by the end of the semester will be allowed a grace period to accommodate faculty that may not be teaching in the fall semester.  This grace period will extend to the beginning of the spring semester but no later than January 31 of the new year.  Assigned individuals without an exemption who do not complete the training within the grace period will have their accounts locked until completion of the training.   All new employees and student workers will be assigned mandatory training within 24 hours of account creation and will be allotted a limited time period to complete. If an individual fails to complete the training within the specified deadline access to IT services will be locked until the training is completed. 

Exemptions from this requirement must be approved by the Chief Information Security Officer or designee. 

Requests for exemptions from this policy should only be made under the following circumstances: 

  • An individual has been hired within the last year and was assigned the training at hire (no need to take twice in same year). 
  • An individual is on some type of leave from the university and not currently working (e.g., Adjunct Faculty not currently teaching a course, faculty member on sabbatical, medical leave, etc.…). 
  • An individual has completed equivalent information security training and has evidence of completion. 
  • An individual cannot access the online training due to technical circumstances. 
  • An individual has some other legitimate and approved reason for not being able to complete the training. 
  • Requests for exemptions can be submitted using the Security Training Exemption Request form. 
Non-compliance

An employee’s failure to comply with any of the above policy statements may result in being disciplined, in accordance with general university employment policies and procedures that apply to the respective category of employees. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition. 

A student’s failure to comply with any of the above policy statements may result in disciplinary actions in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition. 

Access the Exemption Form