Skip Navigation
Skip to Menu Toggle Button

UMGC Policy X-1.05 Information Security Awareness and Training

Policy CategoryPolicy OwnerVersion Effective DateReview CyclePolicy Contact
X. Information Governance, Security & TechnologyChief Transformation OfficerMarch 27, 2023Every 3 yearsInformation Security
  1. Purpose
    The purpose of this policy is to establish the minimum requirements for the University's Security Awareness and Training Program. The Security Awareness and Training Program aims to strengthen the University's overall security posture through the education of basic cybersecurity best practices, informing and highlighting the responsibilities of Employees regarding their Information Security obligations, and raising awareness around University Information Security policies, procedures, and standards. As members of the UMGC community, Employees have an obligation to demonstrate an understanding of security awareness as it applies to their unique role and responsibility as the best defense to ensure the protection of the University's information, data, and reputation.
  2. Scope and Applicability
    This policy and its supporting standards and procedures apply to all Employees that use University Information Systems and Information Resources.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Information Security Awareness & Training
    1. The University Information Security Program is responsible for the information security awareness program, training, education, and awareness communication for the University.
    2. Employees and Contractors must take security awareness training within 90 days of their hire date when required by information system changes, and at least annually or as determined by the Senior Director, Information Security thereafter.
    3. Supervisors shall ensure Employees and Contractors complete their Security Awareness Training requirements.
    4. Additional specialized or role-based security training may be required for Users who:
      1. Have Privileged User access
      2. Have access to Confidential Data
    5. The University Information Security Program will coordinate, monitor, and track completion of the required Security Awareness Program.
    6. Training Records shall be retained for a period as defined by the University's records retention policy. For more information, visit UMGC Policy X-1.03 Records and Information Management or contact the University Records Manager at
    7. Program training will be reviewed annually to assure content trains on relevant and evolving information security.
  5. Exceptions
    Exceptions to this policy must be submitted to for review and approval.
  6. Enforcement
    1. Suspected violations will be investigated and may result in disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:
      1. Suspension or termination of access
      2. Removal of devices determined to be using the University's Information Resources inappropriately or in violation of UMGC Policy X-1.12 Acceptable Use
      3. Disciplinary action, up to and including termination of employment
      4. Termination of contract
      5. Student discipline in accordance with applicable University policies
      6. Civil or criminal penalties
    2. Report suspected violations of this policy to, or to the appropriate Data Steward. Reports of violations are considered Confidential Data until otherwise classified.
    3. UMGC reserves the right to disconnect any resource from UMGC networks until suspected Security Incidents are resolved.
  7. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
    3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
  8. Related Policies
    1. UMGC Policy X-1.02 Data Classification
    2. UMGC Policy X-1.04 Information Security
    3. UMGC Policy X-1.06 Information Security Incident Response
    4. UMGC Policy X-1.12 Acceptable Use
    5. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
    6. UMGC Policy X-1.19B Account Management (UMGC Workforce)
  9. Effective Date: This policy is effective as of the Version Effective Date set forth above and supersedes all prior policies on the subject matter hereof.