Security Awareness Training Policy, Information Technology

Title: Security Awareness Training Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: University Workforce Members
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

The Information Security Office (ISO) maintains an active Security Awareness Training program available to all faculty, staff, and student employees. This policy establishes the authority of the ISO to mandate Security Awareness training as needed and outlines the expectations for individuals and departments in helping to ensure the confidentiality, integrity, and availability of university systems, services, and data.

APPLIES TO

This policy applies to all University workforce members who regularly interact with or have access to confidential or protected information within the university.

DEFINITIONS

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), and Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of the Data Classification Policy.

Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data will fall into this classification, as will data that is not confidential or public.

POLICY STATEMENT

While the Information Security Office maintains an active information security program, faculty and staff members’ knowledge of the threats and risks to the University’s systems and data is a critical component in helping to defend the University from attack.

The ISO maintains an Information Security Awareness program that supports University employees’ and students’ needs for regular training. Training on important information security topics is available or communicated in multiple ways, including:

  • Online training systems with a variety of topics relevant to Information Security.
  • Communications to targeted groups about ongoing or imminent threats.
  • Postings on various web-based systems across the university.
  • Availability of ISO staff for in-person discussions on information security.

As part of their ongoing operations and employee development, all academic and administrative departments must identify opportunities to engage faculty, staff, and student employees in Security Awareness training. These opportunities may include those offerings from the ISO or a tailored program for specific threats against departments or systems, which may also be included in procedural manuals or scheduled as group training opportunities.

The ISO is authorized to mandate Security Awareness training. In some areas, Security Awareness training may be mandatory based on federal or industry regulations. Training for these programs must be coordinated with the ISO to ensure regulatory requirements are met.

ENFORCEMENT

Failure to comply with mandatory Security Awareness training, or to coordinate training with the ISO, may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Compliance Training Policy
Data Classification Policy

POLICY HISTORY

Policy created: May 16, 2012

Revisions:
August 30, 2021 (Approved by the President’s Senior Team)
March 4, 2026 (Approved by the Senior Policy Council and President)