Skip to content

University Rule 4-004O: Security Awareness and Training Rev. 0

    1. The purpose of this Security Awareness and Training Rule is to outline the approach that the University will follow to provide Security education to Users of the University Information Systems. The education will consist of both Security Awareness education and Security Training.
    2. This Rule supports section O, titled Security Awareness and Training, of the University of Utah Information Security Policy 4-004.
    For the purposes of this Policy and any associated Regulations, these words and phrases have the following meanings:
    1. Information Asset - Data or knowledge stored in any electronic manner and recognized as having value for the purpose of enabling University to perform its business functions.
    2. Information System - An Application or group of Servers used for the electronic storage, processing, or transmitting of any University data or Information Asset.
    3. Restricted Data – Any data types classified as Restricted per the Data Classification and Encryption Rule.
    4. User – Any person, including students, staff, faculty, permanent and temporary employees, contractors, vendors, research collaborators, and third party agents, who accesses any University Electronic Resources, Information Systems, and/or IT Resources.
  3. RULE
    1. Security Awareness
      1. All Users will be provided with security awareness training. Awareness training will be provided through a number of different forums:
        1. New employee orientation
        2. Annual regulatory compliance training
        3. Security articles in various newsletters
        4. Periodic security reminders
        5. Email or other mass notification of substantial changes to University regulations.
      2. The purpose of the University's Security Awareness program is to educate its workforce to recognize key security concerns and to respond accordingly. Key security concerns include:
        1. Protecting the University Information Systems and Information Assets against malicious software and exploitation of vulnerabilities
        2. Identifying and reporting security incidents
        3. Understanding applicable regulatory compliance requirements
        4. Understanding on-going changes in technologies and security practices
      3. Information security program documentation will be available to all Users and will be stored in a location that can be easily accessed.
    2. Security Training
      1. The University's security training program and training materials will incorporate relevant security topics, will be reviewed periodically to ensure the training is current, and will be approved by the Chief Information Security Officer prior to being presented.
      2. Security training attendance and completion will be recorded.
      3. All Users must complete appropriate security training without unreasonable delay prior to accessing any University Information System containing Restricted data.
      4. The University will identify personnel that have significant Information System security roles and responsibilities, document those roles and responsibilities, and provide security training as necessary to these personnel in order to fulfill security responsibilities.
      5. Some positions may have specific security training and/or certification requirements.
        1. Any certification requirements or training requirements will be defined in the job description.
          1. For employees with specific security responsibilities, security skill competency may be measured during the annual performance evaluation.
        2. An action plan will be developed as necessary and may involve additional security training.
        3. Specific security training may be provided through a number of different forums, including but not limited to:
          1. User group meetings.
          2. Formal security education.
          3. Security publications.
      6. [Note: Parts IV-VII of this Rule (and all other University Regulations) are Regulations Resource Information--the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
    1. Rules [reserved]
    2. Procedures [reserved]
    3. Guidelines

G4-004B: Guidelines for Security and HIPAA Champs

    1. Forms [reserved]
    2. Other Related Resources Material [reserved]
      1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy
      2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)
      3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)
      4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls
      5. NIST 800 Series, Federal Information Security Standards
      6. Policy 3-070: Payment Card Acceptance
      7. Policy 4-001: University Institutional Data Management
      8. Policy 4-003: World Wide Web Resources Policy
      9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees
      10. Policy 6-400: Code of Student Rights and Responsibilities
      11. Policy 6-316: Code of Faculty Rights and Responsibilities
      12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
      13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
    1. The designated contact Officials for this Policy are:
      1. Policy Owner (primary contact person for questions and advice): Chief Information Security Officer, 801-213-3397
      2. Policy Officer; Chief Information Officer, 801-581-3100
    2. These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
    3. A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases...."
    4. "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library.... [and] bears the responsibility for determining -requirements of particular Policies...." University Rule 1-001-III-B & E
    1. Current version: Revision 1, effective date: April 4, 2016
      1. Approved by Academic Senate: May 4, 2015
      2. Approved by Board of Trustees: May 12, 2015
      3. Background information for this version

Rule: 4-004O Rev: 0
Date: April 4, 2016
Last Updated: 9/9/21