Skip to main content

OM 9.1.7 - Awareness and Training Plan

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology


1 Purpose

The purpose of this procedures is to convey the specific Information Standards adopted by Clarkson University, as well as the administrative, technical, and physical procedures by which Clarkson University carries out the implementation of these Information Standards. Providing these written procedures ensures that all personnel at Clarkson University who have a role in Information Security shall be informed and guided in the expectations of how they will carry out the operations of security procedures.

2 Scope

The scope of these procedures encompasses all physical locations, as well as all organizational staff at Clarkson University (employees, contractors, and in some cases 3rd-party vendors). All information processing systems, devices, and networks at Clarkson University are in-scope for these procedures. Where applicable, paper records, tapes, detachable media, CDROMS and other forms of storage are considered in-scope.

3 Responsibility

The Board and Senior Management conveys management intent for information security. Control owners for each Information Security Standard have been determined and ratified by the Security Committee. These control owners are responsible for the authoring of the procedures and are accountable to ensure that the procedures, as shown in this document, are carried out. The Standards Owner is indicated with each Standard. Updates to the procedure are to be provided whenever a procedure needs to change. Annual review/updates/approvals shall always be performed.

The Office of Information Technology department is tasked with ensuring that the owners of the Standards provide timely and accurate updates as well as the mandated periodic approvals to this document.

4 Overview

Security Awareness Program

This program described herein will provide Clarkson University with a comprehensive and measurable awareness program. Based on the globally recognized NIST SP800-16 and NIST SP800-50 standard for Information Technology Security Training and industry recommended practices, the

program will help to ensure that Clarkson University is proactively identifying and addressing the security risks presented by human beings.

5 Scope

This program is designed to address the awareness and training needs of all Clarkson University employees. The program will assist Clarkson University with designing, planning and implementing a security awareness and training program. An awareness program should be aimed at all levels of the organization which also includes senior management.

A successful security awareness and training program identifies and explains the proper behaviors when handling different devices and information. Success also relies on security awareness and training becoming part of the organization’s culture. The program will communicate the guidelines, policies, and best practices that need to be followed.

6 Program Considerations

Clarkson University has taken then following areas into consideration when designing and implementing a security awareness program:

  • Is there a compliance or regulatory requirement to meet;
  • Frequency of training and testing (annually, quarterly, monthly);
  • The type of training content and methods in which it will be delivered;
  • Groups and individuals to include in the training;
  • Time constraints and availability;
  • Senior leadership buy-in to carry out training and testing; and
  • How non-compliance will be handled and enforced

This program will be delivered at commencement of employment and refreshed annually. The program consists of on-demand computer-based training, videos, quizzes, awareness activities and reporting].

While this program describes the collective awareness efforts across all Clarkson University departments, it is anticipated that specific training and awareness may be required for each audience.

7 Roles and Responsibilities Definitions

An effective information security awareness program requires effort from a number of different segments of the University.

  • Office of Information Technology – Responsible for developing and maintaining the overall Awareness Program for Clarkson
  • Office of Information technology – Responsible for monitoring the implementation of this awareness plan.
  • Human Resources – Responsible for tracking attendance to training sessions in personnel files and obtaining and filing any attestations or post-training quizzes or

8 Awareness and Training

8.1 Awareness 101

The basic Awareness 101 training is provided electronically on-demand and is based on the NIST

SP800-16 (See References) standard and recommended practices. At a minimum, the training will cover:

  • Current Threats and Common Attacks
  • Data Protection
  • Policies and procedures
  • Privacy
  • Recommended Security Practices for:
  • Passwords
  • E-Mail
  • Web Browsing
  • Mobile Devices
  • Social Media
  • Wireless Networks
  • Antivirus
  • Social Engineering

Phishing Vishing

  • Physical Security
  • Identifying and Responding to Incidents

8.2 Additional Training Areas – Awareness

All additional Awareness courses are provided electronically based on a variety of relevant regulations, laws and commercial requirements targeting groups of people that have specialized roles, privileges or risks. At a minimum, the training will provide recommended security practices related to:

  • Health Insurance Portability and Accountability Act (HIPAA) – The course covers all topics required by the HIPAA Security Rule, including required practices for creating, storing, processing and

transmitti ng Electronic Protected Health Information (ePHI).

  • Payment Card Industry (PCI) for Cashiers – The course covers all topics relevant to cashiers and other individuals directly involved in conducting credit card
  • Family Education Rights and Privacy Act (FERPA) – The course covers topics related to FERPA, including best practices for handling educational
  • Data Classification Handling Procedure – The course covers topics related to asset identification, data classification and protection. This course reviews and educates individuals about the Client’s Data Classification Handling
  • Cybersecurity for IT – The course covers topics specific to Information Technology resources, including technology, controls and
  • Cybersecurity for Executives – The course covers topics relevant to management, leadership and executives building a cybersecurity program, including security policies, governance, management and best practices at the organizational
  • Cybersecurity for Travelers – The course covers topics related to protection of assets before, during and after traveling domestically or

9 References

  • NIST SP 800-16 Information Technology Security Training

10 Revision History





Nature of Change



B. Huntley

Initial Draft - Awareness and Training Plan

2 6/14/2023 L Perry Presidential Approval