UNIVERSITY STANDARD STATEMENT
This standard establishes expectations for security awareness training and test exercises.
REASON FOR STANDARD
Cybersecurity is a shared responsibility and VU community members are the first line of defense. Each member must be aware of cyber threats, the risks their actions introduce, and best practices for protecting themselves and the institution.
The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.
SCOPE AND AUDIENCE
This standard applies to the entire VU community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called "VU Community Members").
DEFINITIONS
STANDARD
The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the security awareness program.
A. CYBERSECURITY TRAINING
The Office of Cybersecurity will curate security training and include topics relevant to the risks associated with academic and research activities, ensuring that the material adequately captures the current threat landscape and uniqueness of a higher education setting. They will communicate training requirements to the VU community and make it easily accessible.
The Office of Cybersecurity will assign the following cybersecurity training types:
Table 1. Training Details

| Training | Description | Target Audience | Requirement | Due Date | Renewal |
|---|---|---|---|---|---|
| Foundational | Basic awareness and essential hygiene | Staff, faculty, post-docs, contractors | Required upon hire | 30 days | Annual |
| Foundational | Basic awareness and essential hygiene | All other VU community members | Recommended | - | - |
| Enhanced – Sensitive Data | Advanced protection and privacy topics | Those with access to Level 3 or 4 data | Required prior to data access | 30 days | Annual |
| Compliance (e.g., CUI, GLBA) | Targeted topics related to regulatory compliance | Those involved with compliance activities | Required prior to data access | 30 days | Annual |
These are examples that may change over time based on the cybersecurity threat landscape, regulatory requirements, and institutional needs.
VU Community Members are responsible for completing required training(s) by the established due date. The Office of Cybersecurity is authorized to impose sanctions until training is complete (e.g., notifying a trainee's supervisor, mandatory password reset(s), withholding access, etc.).
Third-party contractors who are provided access to critical VU IT Assets or sensitive data may be required to complete cybersecurity training prior to access being given under the following circumstances:
- Access to VU IT Assets that are deemed critical, as identified by a Business Impact Assessment (BIA).
- Access to institutional data that is Level 3 Restricted or Level 4 Critical.
An individual may be exempted from a training requirement (e.g., they have taken a comparable training elsewhere or hold an up-to-date security certification).
B. SOCIAL ENGINEERING EXERCISES
The Office of Cybersecurity will conduct social engineering test exercises (e.g., phishing simulations) to gauge the community's resilience to attack. These exercises will be conducted quarterly, at a minimum. Exercise details such as timing, type, and scope are at the discretion of Cybersecurity.
Results may be used to measure the effectiveness of training initiatives and plan for future improvements. Aggregated results may be shared broadly; however, detailed or individual results will only be shared with appropriate approvals.
EXCEPTIONS
On rare occasions, a security policy exception may be considered depending on the impact to the university mission and the security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.
ENFORCEMENT
The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law, and individuals shall be held accountable as applicable.
FORMS AND TOOLS
FREQUENTLY ASKED QUESTIONS
RELATED INFORMATION
HISTORY
| Review Date | Summary of Changes |
|---|---|
| September 2023 | Added a procedure, grammatical changes |
| February 2025 | Added a review cadence |