On March 25, 2020, President Cross approved SYS 1000-01, Interim: Information Security: Awareness Training Extension. This interim policy action extends the deadline for current employees with an annual training deadline during the COVID-19 pandemic by 3 months. See the interim policy for more details.

Original Issuance Date:  September 14, 2016
Last Revision Date: April 11, 2019

1. Policy Purpose

The purpose of this policy is to ensure that all employees and students that access University of Wisconsin (UW) System information technology assets are exposed to information security awareness materials commensurate with their role within the UW System.

2. Responsible UW System Officer

UW System Associate Vice President (AVP) for Information Security

3. Scope

This policy applies to authorized users who are issued digital credentials to access non-public information technology (IT) digital resources under the control of the University of Wisconsin (UW) System including but not limited to: currently enrolled students, employees, authorized contractors, vendors, volunteers, and other authorized users as determined by UW institutions.

4. Background

The President of the University of Wisconsin System is empowered to establish information security polices under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security awareness training described within this policy is designed to help ensure satisfactory and consistent information security awareness throughout all UW System institutions.

5. Definitions

Digital Credentials: A user’s identification and authentication information, typically a username and password.

Employee: Faculty, staff, or students who are employed by an institution, whether compensated or voluntary. 

Institutions: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.

Non-public information technology resources: Any information technology resource that is not intended to be accessed by the general public and requires authentication of the user using digital credentials.

6. Policy Statement

All employees shall:

  1. Upon hire and annually thereafter, review Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and any supplemental institution acceptable use policies, if applicable.
  2. Every fiscal year, complete information security awareness training that provides information security best practices and the individual’s role in protecting the university’s systems and data. All newly hired employees are required to complete information security awareness training within 30 days of their initial hire date.

Students shall on an annual basis:

  1. Receive notification of Regent Policy Document 25-3, Acceptable Use of Information Technology Resources.
  2. Be provided access to information security awareness training that includes information security best practices and their role in protecting the university’s systems and data.

The UW System AVP for Information Security shall make available to institutions systemwide information security awareness training which promotes information security as an integral part of day-to-day activities. Institutions may supplement the systemwide information security awareness training, as appropriate, for systems or data sets that have specific regulatory requirements or data security needs.

Institutions are responsible for ensuring that employees have access to, and have completed, information security training each fiscal year. Institutions may take appropriate action, including but not limited to the removal of access to UW System information assets for those who have not completed training requirements.

Employees who are concurrently employed at more than one UW institution, or who have transferred from one UW institution to another UW institution, are only obligated to complete security awareness training at one UW institution, of their choosing, in a given fiscal year. Institutions may require employees to provide proof that security awareness training has been completed at another UW institution, within a given fiscal year, to satisfy compliance with this policy.

Institutions shall foster additional broad-based information security awareness activities as they deem necessary through methods such as:

  • Websites
  • Email
  • Social media
  • In-person or online training sessions
  • Conferences or events
  • New employee or student orientations
  • Social engineering campaigns

7. Related Documents

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and Computing Devices
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification and Protection

8. Policy History

Revision 2:         April 11, 2019
Revision 1:         July 31, 2017
First approved: September 14, 2016

9. Scheduled Review

April 2021