Defining the University’s approach to information security training and awareness
This control procedure defines the University’s approach to information security training and awareness, and directly supports the following policy statement from the Information Security Policy:
The University’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities.
Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.
Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans.
This procedure is intended to be read and understood by all users accessing University information in electronic or paper format, IT systems, networks or software using any University or personally owned device.
An information security training and awareness programme should ensure that all users of University information attain a minimum level of understanding of information security matters, such as individual responsibilities under various information security policies and procedures, and guidelines they must follow to help protect the University’s information assets.
Information security training and awareness activities should commence as soon as possible once an employee joins the institution, with responsibilities covered in the staff induction programme and associated eLearning packages. This includes the need to complete Data Protection training.
The ISDS intranet site will be the focal point for information security awareness material including information security policies, procedures and guidance documentation.
Different user groups have different levels of awareness of their responsibilities for protecting data and preserving information security. In most cases, the mandatory basic training through the existing Information Security and Data Protection eLearning tools will be sufficient to give staff the knowledge they require.
Some job roles are more likely to have access to sensitive information. Where this is the case, further training might be required to minimise the risk to University information and systems. Line managers should regularly discuss training needs with their staff to ensure staff feel appropriately supported in accessing the training they require. Where beneficial and practical, security awareness and training materials will be tailored to suit their intended audiences.
In order to maintain a good understanding of information governance practices across the institution, mandatory refresher training will be rolled out to all staff on an annual basis, or sooner if changes in good practice or legislation require it. Refresher training may also be recommended by the Information Security Team in response to security incidents or identification of capability issues.
All users of University information have a responsibility to maintain a good understanding of their information security responsibilities.
The Information Security Team are responsible for the creation and running of an effective training and awareness programme that informs all employees of their responsibilities with respect to information security. The Legal team are responsible for Data Protection training.
Information Asset Owners and Information Asset Managers are responsible for promoting staff engagement with the information security training and awareness programme. Information Asset Managers are also responsible for monitoring attendance and engagement within their teams.
The Information Security Team will monitor the completion and efficacy of training and awareness activities. Where possible, statistics on completion of electronic training will be reviewed, and quarterly reports on training compliance will be provided to the Information Asset Owners and Managers across the University. Updates on overall compliance will be provided to the Senior Information Risk Owner (SIRO) and the Information Security Board six-monthly, or more frequently as required.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this procedure will be undertaken by the Information Security Team annually, or more frequently as required, and will be approved by the Information Governance Board.