Purpose The purpose of this policy is to establish the minimum requirements for the University's Security Awareness and Training Program. The Security Awareness and Training Program aims to strengthen the University's overall security posture through the education of basic cybersecurity best practices, informing and highlighting the responsibilities of Employees regarding their Information Security obligations, and raising awareness around University Information Security policies, procedures, and standards. As members of the UMGC community, Employees have an obligation to demonstrate an understanding of security awareness as it applies to their unique role and responsibility as the best defense to ensure the protection of the University's information, data, and reputation.
Scope and Applicability This policy and its supporting standards and procedures apply to all Employees that use University Information Systems and Information Resources.
Definitions Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.
Data Steward: The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty
Information Resource: Anything that is intended to generate, store, or transmit Information.
Information Security: The protection of Information and Information Systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security Program: Provides a formal structure for (1) developing and maintaining University-wide security policies, (2) defines security principles that safeguard University computing resources, and (3) ensures compliance with internal and external regulations.
Information Systems: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.
Privileged User: A user that is authorized to perform security-relevant functions that ordinary users are not authorized to perform.
Supervisor: An individual who directly manages an Employee or Contractor; may approve access to non-Critical Information Systems, and may request access for Critical Information Systems.
University: University of Maryland Global Campus
User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
Information Security Awareness & Training
The University Information Security Program is responsible for the information security awareness program, training, education, and awareness communication for the University.
Employees and Contractors must take security awareness training within 90 days of their hire date when required by information system changes, and at least annually or as determined by the Senior Director, Information Security thereafter.
Supervisors shall ensure Employees and Contractors complete their Security Awareness Training requirements.
Additional specialized or role-based security training may be required for Users who:
Have Privileged User access
Have access to Confidential Data
The University Information Security Program will coordinate, monitor, and track completion of the required Security Awareness Program.
Program training will be reviewed annually to assure content trains on relevant and evolving information security.
Exceptions Exceptions to this policy must be submitted to secops@umgc.edu for review and approval.
Enforcement
Suspected violations will be investigated and may result in disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:
Suspension or termination of access
Removal of devices determined to be using the University's Information Resources inappropriately or in violation of UMGC Policy X-1.12 Acceptable Use
Disciplinary action, up to and including termination of employment
Termination of contract
Student discipline in accordance with applicable University policies
Civil or criminal penalties
Report suspected violations of this policy to infosec@umgc.edu, or to the appropriate Data Steward. Reports of violations are considered Confidential Data until otherwise classified.
UMGC reserves the right to disconnect any resource from UMGC networks until suspected Security Incidents are resolved.
Standards Referenced
USM IT Security Standards, v.5, dated July 2022
NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
Effective Date: This policy is effective as of the Version Effective Date set forth above and supersedes all prior policies on the subject matter hereof.
By using our website you agree to our use of cookies. Learn more about how we use cookies by reading our Privacy Policy.