Original Issuance Date: September 14, 2016
Last Revision Date: July 14, 2021
1. Policy Purpose
The purpose of this policy is to ensure that individuals who interact with non-public information technology (IT) resources under the control of the University of Wisconsin (UW) System are exposed to information security awareness materials commensurate with their role within the UW System.
2. Responsible UW System Officer
UW System Associate Vice President (AVP) for Information Security
This policy applies to authorized users who are issued digital credentials to access non-public IT resources under the control of the UW System, including but not limited to: currently enrolled students, employees, authorized contractors, vendors, volunteers, and other authorized users as determined by UW institutions.
The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security awareness training described within this policy is designed to help ensure satisfactory and consistent information security awareness throughout all UW System institutions.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Digital Credentials
- Non-public Information Technology Resources
6. Policy Statement
A. Security Awareness Training
The UW System Office of Information Security must make available to institutions systemwide information security awareness training materials that promote information security as an integral part of day-to-day activities.
All employees must:
- Upon hire and annually thereafter, review Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and any supplemental institution acceptable use policies, if applicable.
- Complete information security awareness training, as assigned, that provides information security best practices and explains the individual’s role in protecting the university’s systems and data. Employees shall be assigned security awareness training on an annual basis. Security awareness training must be completed within the timeframe prescribed.
Students must on an annual basis:
- Receive notification of Regent Policy Document 25-3, Acceptable Use of Information Technology Resources.
- Be provided access to information security awareness training that includes information security best practices and their role in protecting the university’s systems and data.
Institutions are responsible for ensuring that employees have access to, and have completed, information security training as prescribed. For any employee who fails to take security awareness training within the timeframe prescribed, the university may take steps to reduce the risk associated with the employee’s continued access to university resources, up to and including the suspension of the employee’s network account.
When appropriate, institutions should supplement the systemwide information security awareness training with role-based training commensurate with an employee’s roles within the organization. Institutions may also foster additional broad-based information security awareness activities as they deem necessary through methods such as:
- Social media
- In-person or online training sessions
- Conferences or events
- New employee or student orientations
- Social engineering campaigns
Where possible, institutions must incorporate into contracts and agreements with third parties, whose employees will directly access UW System data and resources, language such that employees will complete security awareness training by their employer, prior to accessing UW System data and resources.
B. Phishing Simulations
Phishing simulation campaigns must be conducted for all employees to increase awareness and test employee knowledge of the tactics and techniques used by malicious actors. Employees must be enrolled in supplemental phishing training following three failed phishing simulations within a given calendar year. Failure to take this supplemental training within 30 days of assignment may result in employee risk mitigation, up to and including network account suspension.
7. Related Documents
8. Policy History
Revision 4: July 14, 2021
Revision 3: November 13, 2020
Revision 2: April 11, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review