Information Security Awareness Training
Information and Information Technology
- Policy Statement
- Background and Purpose
- Roles and Responsibilities
- Enforcement and Reporting
- Policy History
- Related Information
The purpose of this policy is to ensure that University faculty and staff are provided adequate and relevant information about information security risks and best practices associated with accessing and using University computing systems.
General Information Security Awareness Training
All users of University computing systems will be required to participate in information security awareness training on at least an annual basis. MSU Denver IT Services will ensure that this training is made available to all users, and will ensure that all users employed by the University are provided training materials and that all employees pass a basic test of information security awareness skills. MSU Denver IT Services is responsible for reviewing the content of this training on an annual basis, and for notifying users and their supervisors of minimum awareness training requirements.
Access to sensitive systems and permissions is dependent on completion of appropriate security awareness training. VPN access, ad-hoc access to Banner, and extended password aging require completion of the basic annual security awareness training.
Area-Specific Information Security Awareness Training
Users of sensitive systems, such as those containing confidential or regulated data, may require training specific to the system or the type of data that is contained in the system.
Background: MSU Denver's Information Security Policies were created by the IT Strategic Oversight Committee (ITSOC) Information and Instructional Technology Policies Subcommittee and reviewed by the University’s Policy Advisory Committee. Review of these policies will be made on an annual basis, with any changes or additions being submitted through the University’s policy review and approval process.
Purpose: MSU Denver’s Information Security Policies are focused on protecting critical data and information systems of Metropolitan State University of Denver from loss, damage or inappropriate modification or disclosure. The policies contained in this document are designed to ensure that the University adheres to security standards commensurate with the data and systems referenced, while maintaining appropriate functional access for students, faculty, and staff.
Scope: These policies apply to all individuals, including students, faculty, and staff, who are provided access to University data and information technology systems. Contractors and otherwise affiliated individuals must agree to abide by the Information Security Policies before accessing University systems and data. Role-based policies and procedures that apply to specific groups of users will be provided where applicable, in accordance with functional requirements and data classification.
Approval Authority: President
Responsible Executive: Chief Information Officer
Responsible Administrator: Chief Information Security Officer
Responsible Office: Information Technology Services
Policy Contact: IT Services, msudenver.edu/technology, 303-352-7548
Adherence to Information Security Policies is mandatory and may be based on State or Federal statute, contract language, or information security standards. These policies are not intended to unreasonably interfere with system utilization. Individuals should contact the IT Services Help Desk to report security risks or violations of policy, or to request exceptions or amendments to the policies. The Chief Information Security Officer (CISO) and other IT Services staff will respond to all reported security issues and will work with the policy subcommittee to allow for development of appropriate updates to policies. Violations of these policies may result in fitting administrative action up to and including revocation of system privileges, employee termination, or student expulsion.
Information about the Information and Instructional Technology Policy subcommittee is available on the IT Governance website.
Effective: July 1, 2017
- CRS 24-37.5-404.5. Institutions of higher education - information security plans. Information security awareness training for employees of the institution of higher education to inform the employees, administrators, and users at the institution of higher education about the information security risks and the responsibility of employees, administrators, and users to comply with the institution's information security program and the policies, standards and procedures designed to reduce the security risks.