Training and awareness control procedure
Defining our approach to information security training and awareness.
Outline to training and awareness for information security
Contents
Policy statement
This control procedure defines the university’s approach to information security training and awareness, and directly supports the following policy statement from the Information Security Policy:
“The university’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities.”
“Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.”
“Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans.”
Audience
This procedure is intended to be read and understood by all users accessing University information in electronic or paper format, IT systems, networks or software using any university or personally owned device.
Control statements
An information assurance training and awareness programme should ensure that all users of university information attain a minimum level of understanding of information assurance matters, such as individual responsibilities under various information security policies and procedures, records management practices, appropriate use of IT systems and guidelines they must follow to help protect the university’s information assets.
Information security training and awareness activities should commence as soon as possible once an employee joins the institution, with responsibilities covered in the staff induction programme and associated eLearning packages. This includes the need to complete Data Protection training.
The IT & Digital intranet site will be the focal point for information security awareness material including information security policies, procedures and guidance documentation.
Training needs analysis
Different user groups have different levels of awareness of their responsibilities for protecting data and preserving information security. In most cases, the mandatory basic training through the existing information security and data protection eLearning tools will be sufficient to give staff the knowledge they require.
Some job roles are more likely to have access to sensitive information. Further training might be required to minimise the risk to university information and systems where this is the case. Line managers should regularly discuss training needs with their staff to ensure staff feel appropriately supported in accessing training they require. Where beneficial and practical, security awareness and training materials will be tailored to suit intended audiences.
Specialist training
Where roles are responsible for significant security practices, suitable training will be provided so that role holders can meet their responsibilities. This includes the specialist positions in the Information Security team as well as others whose work directly contributes to the security of key systems. The Chief Information Security Officer will assess and prioritise training needs for specialist roles.
Refresher training
To maintain a good understanding of information governance practices across the institution, mandatory refresher training will be rolled out to all staff on a biannual basis, or sooner if changes in good practice or legislation require it. Refresher training may also be recommended by the Information Security team in response to security incidents or identification of capability issues.
Responsibilities
All users of university information have a responsibility to maintain a good understanding of their information security responsibilities.
The Information Security team are responsible for the creation and running of an effective training and awareness programme that informs all employees of their responsibilities with respect to information security. The Legal team are responsible for data protection training.
Information Asset Owners and Information Asset Managers are responsible for promoting staff engagement with the information security training and awareness programme. Information Asset Managers are also responsible for monitoring attendance and engagement within their teams.
Reporting
The Information Security team will monitor the completion and efficacy of training and awareness activities. Where possible, statistics on completion of electronic training will be reviewed, and quarterly reports on training compliance will be provided to the Information Asset Owners and Managers across the university. Updates on overall compliance will be provided to the Senior Information Risk Owner (SIRO) and Information Governance Board six-monthly or more frequently as required.
Compliance
Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.
Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required and will be approved by the Information Governance Board.
| Version: | 5.0 |
| Release date: | 19/09/2023 |
| Review date: | 19/08/2024 |