Information Technology Standard 03.1.0

IT Security Awareness Program Guidelines


Date of Current Revision or Creation: December 1, 2020


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this guideline is to describe the information security awareness, training, and education program for Old Dominion University.

Definitions

Data Management Group (DMG) - The group is comprised of representatives of Data Owners and technical leads at the University who are responsible for the review and operational effectiveness of data management policies and procedures.

Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.

Information Technology Advisory Council (ITAC) is defined as the institutional committee of faculty and staff charged with the responsibility to advise review and recommend on matters related to information technology.

Security awareness training is comprised of formal and informal processes for educating employees and students about the University's policies and procedures for working with information technology.

Standards Statement

Security awareness, training and education programs at Old Dominion University are aimed at creating an attitude towards a commitment to good security practices and facilitating a climate that views security rules as beneficial to the protection of the University environment.

The Information Security Officer (ISO) is responsible for developing and maintaining an Information Security Program that includes oversight of a security awareness program to promote security awareness across the campus community.

Information Security Awareness Training Program

The IT security awareness program blends formal training with periodic reminders and promotional materials to increase the understanding of vulnerabilities and threats to the University's information systems. Information security training is directed on improving the security skills and competencies of all users and provide specific content based upon specific user roles

All users must participate in the security awareness program through training sessions that correspond to role, responsibilities and use of information technology resources. This requirement is a condition of use.

User Training for All Users

  • General Security Awareness/Initial Account Training
    This course is expected to increase user understanding and sensitivity to threats, vulnerabilities, and the need to protect University and personal information. All users are required to receive this training. This training is delivered on-line and is tied to account creation process.
  • Account Refresher Training
    This General Security Awarensss Awareness course is required annually, to refresh user understanding and sensitivity to threats, vulnerabilities, and the need to protect University and personal information. All users are required to receive refresher training and it is tied to account renewal process. Users may also elect to receive refresher training as desired.
  • General Community Awareness
    General awareness is broadly available through a variety of methods and media channels. Awareness is provided through guidelines and best practices on the Information Technology Services web site, posting of notices of phishing alerts and other advisories, through awareness messages, periodically in posters, brochures, email, newsletters, flyers, giveaways, on mouse pads in computer laboratories and by videos and telecasts on Monarch Vision TV. Efforts to increase awareness using social media are ongoing. Security policies and standards are published. An online awareness page shares best practice. Security staff provides presentations to groups upon requests. The ITS Help Desk staff incorporates security information into routine contacts with customers.
  • Instructor-led Topical Training
    Special topic presentations designed to address specific security training needs are provided. Sessions may be voluntary and are focused on a narrow topic, such as Internet Safety, Social Networking Security, 2-factor authentication, or Cyber Self Defense.
  • Cyber Security Event
    Along with other institutions, each October, Old Dominion University participates in the National Cyber Security Alliance's National Cyber Security Awareness Month campaign to raise awareness about cyber security and online safety by highlighting precautions users can take to help protect themselves online.

Training for Security Roles

  • IT Security Administrator Training
    Training for those who manage, administer, operate, and design IT systems, is conducted via conferences, formal training, or informal training opportunities annually as practicable and necessary.
  • Security Review and Consultation
    Staff from the IT Security office is available to consult with campus users on risk assessments, application reviews, vulnerability scans, rights managements and information on security best practices.

Employee Roles

  • Employee Security Awareness Training
    This course provides an overview of compliance and is designed to explain employee responsibilities to security. Attention to IT Security policy and standards is provided with special focus on handling of sensitive data. This training is usually delivered on-line and is tied to account management process.
  • New Employee Orientation
    Basic information and training materials are provided to new employees as a part of their orientation to the University.

Specialized Roles

  • New Student Orientation
    Basic information and training materials are provided to new students as a part of their orientation to the University.
  • Remote Users Security Training
    This course provides an overview of employee responsibilities when connecting to information resources from a remote location. Attention to IT Security policy and standards, securing the workstation, handling of sensitive data and incident reporting is provided. This training is delivered on-line and is tied to VPN account management process.
  • Restricted System Owner Training
    System owners for systems with sensitive data or business function have an annual meeting with the ITS Security Office to review their roles and responsibilities and to refresh their system risk assessment, which constitutes a role-based awareness opportunity for this role.
  • Disaster Recovery Team Training
    Annual table-top exercises, weather events or cyclical planning exercises are included in awareness efforts. Major storms, business continuity events, or Business Impact Analysis events allow for training and awareness for aspects of the Information Security Program, and related policies and procedures. These opportunities are designed to prepare the members of the Disaster Recover Team and broader audiences to effectively function in their roles by having a good understanding of the ODU IT Business Impact Analysis and Disaster Recovery Plan.
  • Specialized User Communication
    Formal distribution lists or other communication methods are used to dispense information to special user populations. Information is focused on policies, standards, procedures, skills, tools, etc. needed to perform their specific role or function. Specialized populations may include Campus Residents, System Administrators, Data Owners, System Owners, the Data Management Group and the Information Technology Advisory Council.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

March 2012

ITAC/CIO

Reaffirmed

December 2012

IT Policy Office

Numbering revision; departmental name update

August 2015 IT Policy Office/ISO Three year review, updated roles, groups, links.
December 2018 IT Policy Office Definitions and links checked
December 2020 IT Security Office Minor update for ensuring consistency with established practices