UM User Security Awareness Responsibilities Standard

   
Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Identity and User Security

IN PLAIN LANGUAGE

Cybersecurity isn't just a technology problem — it's a people problem. This standard sets the expectation that everyone who accesses University systems or data must complete security awareness training when they start and at least once a year after that. The training covers the basics: how to recognize phishing, how to handle University data appropriately, how to use strong authentication, and how to report something suspicious. People in roles that handle sensitive data — like finance, health records, or system administration — have additional training requirements. Completing required training isn't optional; failure to do so can result in loss of system access.


1. Purpose

The purpose of this Standard is to establish minimum information security awareness, training, and user responsibility requirements for individuals who access University of Montana information systems or digital University Data. Informed and vigilant users are a critical component of the University's ability to protect the confidentiality, integrity, and availability of its information resources.

This Standard supports the University's Information Security Program by defining baseline user expectations and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.


2. Scope

This Standard applies to:

  • All University employees, including faculty, staff, and student employees
  • Affiliates, contractors, and other authorized users of University information systems
  • Users of University-owned or University-managed information technology resources

This Standard applies to digital University Data and systems and does not govern technical configuration controls, which are defined in other Information Security Standards.


3. Relationship to Other Standards

This Standard defines user-facing responsibilities and awareness expectations. It does not replace or duplicate requirements defined in the Account Security Standard, Identity Verification & Proofing Standard, Endpoint Management & Configuration Standard, or Clean Desk & Clear Screen Standard.


4. Information Security Awareness Training

4.1 Mandatory Training

The University must maintain an information security awareness training program administered by the Information Security Office.

  • All employees and other designated Authorized Users must complete security awareness training as part of onboarding
  • Training must be completed at least annually thereafter or as otherwise required by the CISO

Failure to complete required training within established timeframes may result in restriction or revocation of system access.

4.2 Training Program Responsibilities

The Information Security Office is responsible for:

  • Developing or acquiring appropriate training content and assessments
  • Updating training materials to reflect emerging threats and best practices
  • Providing mechanisms for user feedback
  • Tracking completion rates and reporting non-compliance to appropriate units

5. Learning Objectives

Baseline security awareness training must address, at a minimum:

  • General information security best practices
  • Protection of digital University Data
  • Data classification and handling expectations
  • Appropriate use of University technology resources
  • Authentication and MFA awareness
  • Identification of suspicious or risky activity (e.g., phishing, social engineering)
  • Cybersecurity incident reporting requirements
  • Insider threat awareness

6. Role-Based Security Training

Additional role-based security training must be provided to individuals with elevated or specialized responsibilities, including but not limited to financial and payment processing roles, health or research data handling roles, and system administrators and developers.

Students may be offered security awareness training but are not required to complete mandatory training unless otherwise designated.


7. User Responsibilities

All users are responsible for:

  • Complying with information security policies and standards
  • Protecting credentials and authentication factors
  • Using University systems only for authorized purposes
  • Promptly reporting suspected security incidents or weaknesses

8. Enforcement

Failure to comply with this Standard may result in:

  • Required retraining
  • Temporary or permanent restriction of system access
  • Corrective action consistent with University policy

9. Exceptions

Exceptions to this Standard must:

  • Be documented with justification
  • Be approved by the CISO or designee
  • Be reviewed periodically

10. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or institutional needs.


11. References

  • UM Information Security Policy
  • UM Account Security Standard
  • UM Identity Verification & Proofing Standard
  • UM Clean Desk & Clear Screen Standard
  • UM Acceptable Use of Technology Resources Policy
  • NIST Cybersecurity Framework (CSF) 2.0