Information Technologies Security Program

Security Awareness

Security Awareness refers to those practices, technologies and/or services used to promote user awareness, user training and user responsibility with regard to information technology security risks, vulnerabilities, methods, and procedures. A user is an individual or group with access to an information system or its data.

University users need to understand the sensitivity of the University's information resources and their responsibility in protecting those resources. They need to be aware of threats such as a compromised password, viruses transmitted over the Internet and corrupted databases, and of the impacts those threats have on the University.

Although responsibility to adhere to state and federal law and University policy and procedures is affirmed by personnel upon engagement, security awareness programs provide proactive mechanisms to foster deeper understanding of an individual's security responsibilities; to place security responsibilities in the context of specific job duties and case examples; and to reinforce the consequences of security failures on the University, its mission, its customers, and themselves.

The appropriate amount, depth, and timing of security awareness is a risk-based decision. Security awareness programs that combine periodic training sessions (introductory/refresher) with ongoing security awareness promotion (marketing) are most effective. In addition, where appropriate, the University does not grant certain access rights to personnel until the required level of security awareness training has been successfully completed. As the business and technical environment changes, security awareness programs must be updated accordingly.

[Adapted from materials provided by the Virginia Alliance for Secure Computing
and Networking (VA SCAN -- see http://www.vascan.org )]

University Standards for Security Awareness

  • The University establishes and maintains information technology security awareness programs to ensure that all individuals are aware of their security responsibilities and know how to fulfill them.
  • Any University security awareness training program must:
    • be approved by the Agency's Information Security Officer (ISO),
    • specify timeframes for receiving training (initial, ongoing and/or refresher),
    • provide both general and job-duty-specific security awareness content, and
    • be documented on an auditable medium.
  • All new hires who use information resources or who have access to areas where information resources reside must receive formal security awareness training as designed by the University within 30 calendar days of their start date.
  • Receipt of security awareness training must be documented in the employee's personnel file, with the employee's acknowledgement of receipt and understanding.
  • Security awareness refresher training must be provided to personnel annually at a minimum.