OM 9.1.7 - Awareness and Training Plan

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Purpose

The purpose of this procedures is to convey the speciﬁc Information Standards adopted by Clarkson University, as well as the administrative, technical, and physical procedures by which Clarkson University carries out the implementation of these Information Standards. Providing these written procedures ensures that all personnel at Clarkson University who have a role in Information Security shall be informed and guided in the expectations of how they will carry out the operations of security procedures.

2 Scope

The scope of these procedures encompasses all physical locations, as well as all organizational staﬀ at Clarkson University (employees, contractors, and in some cases 3rd-party vendors). All information processing systems, devices, and networks at Clarkson University are in-scope for these procedures. Where applicable, paper records, tapes, detachable media, CDROMS and other forms of storage are considered in-scope.

3 Responsibility

The Board and Senior Management conveys management intent for information security. Control owners for each Information Security Standard have been determined and ratiﬁed by the Security Committee. These control owners are responsible for the authoring of the procedures and are accountable to ensure that the procedures, as shown in this document, are carried out. The Standards Owner is indicated with each Standard. Updates to the procedure are to be provided whenever a procedure needs to change. Annual review/updates/approvals shall always be performed.

The Oﬃce of Information Technology department is tasked with ensuring that the owners of the Standards provide timely and accurate updates as well as the mandated periodic approvals to this document.

4 Overview

Security Awareness Program

This program described herein will provide Clarkson University with a comprehensive and measurable awareness program. Based on the globally recognized NIST SP800-16 and NIST SP800-50 standard for Information Technology Security Training and industry recommended practices, the

program will help to ensure that Clarkson University is proactively identifying and addressing the security risks presented by human beings.

5 Scope

This program is designed to address the awareness and training needs of all Clarkson University employees. The program will assist Clarkson University with designing, planning and implementing a security awareness and training program. An awareness program should be aimed at all levels of the organization which also includes senior management.

A successful security awareness and training program identiﬁes and explains the proper behaviors when handling diﬀerent devices and information. Success also relies on security awareness and training becoming part of the organization’s culture. The program will communicate the guidelines, policies, and best practices that need to be followed.

6 Program Considerations

Clarkson University has taken then following areas into consideration when designing and implementing a security awareness program:

Is there a compliance or regulatory requirement to meet;
Frequency of training and testing (annually, quarterly, monthly);
The type of training content and methods in which it will be delivered;
Groups and individuals to include in the training;
Time constraints and availability;
Senior leadership buy-in to carry out training and testing; and
How non-compliance will be handled and enforced

This program will be delivered at commencement of employment and refreshed annually. The program consists of on-demand computer-based training, videos, quizzes, awareness activities and reporting].

While this program describes the collective awareness eﬀorts across all Clarkson University departments, it is anticipated that speciﬁc training and awareness may be required for each audience.

7 Roles and Responsibilities Deﬁnitions

An eﬀective information security awareness program requires eﬀort from a number of diﬀerent segments of the University.

Oﬃce of Information Technology – Responsible for developing and maintaining the overall Awareness Program for Clarkson
Oﬃce of Information technology – Responsible for monitoring the implementation of this awareness plan.
Human Resources – Responsible for tracking attendance to training sessions in personnel ﬁles and obtaining and ﬁling any attestations or post-training quizzes or

8 Awareness and Training

8.1 Awareness 101

The basic Awareness 101 training is provided electronically on-demand and is based on the NIST

SP800-16 (See References) standard and recommended practices. At a minimum, the training will cover:

Current Threats and Common Attacks
Data Protection
Policies and procedures
Privacy
Recommended Security Practices for:
Passwords
E-Mail
Web Browsing
Mobile Devices
Social Media
Wireless Networks
Antivirus
Social Engineering

Phishing Vishing

Physical Security
Identifying and Responding to Incidents

8.2 Additional Training Areas – Awareness

All additional Awareness courses are provided electronically based on a variety of relevant regulations, laws and commercial requirements targeting groups of people that have specialized roles, privileges or risks. At a minimum, the training will provide recommended security practices related to:

Health Insurance Portability and Accountability Act (HIPAA) – The course covers all topics required by the HIPAA Security Rule, including required practices for creating, storing, processing and

transmitti ng Electronic Protected Health Information (ePHI).

Payment Card Industry (PCI) for Cashiers – The course covers all topics relevant to cashiers and other individuals directly involved in conducting credit card
Family Education Rights and Privacy Act (FERPA) – The course covers topics related to FERPA, including best practices for handling educational
Data Classiﬁcation Handling Procedure – The course covers topics related to asset identiﬁcation, data classiﬁcation and protection. This course reviews and educates individuals about the Client’s Data Classiﬁcation Handling
Cybersecurity for IT – The course covers topics speciﬁc to Information Technology resources, including technology, controls and
Cybersecurity for Executives – The course covers topics relevant to management, leadership and executives building a cybersecurity program, including security policies, governance, management and best practices at the organizational
Cybersecurity for Travelers – The course covers topics related to protection of assets before, during and after traveling domestically or

9 References

NIST SP 800-16 Information Technology Security Training

10 Revision History

Revision	Date	Initiator	Nature of Change
1	1/31/2023	B. Huntley	Initial Draft - Awareness and Training Plan
2	6/14/2023	L Perry	Presidential Approval

OM 1.0.0 - History and Mission

OM 1.1.0 History

OM 1.2.0 Mission and Objectives

OM 2.00.0

OM 2.1.0 - Board of Trustees

OM 2.3.0 - Duties and Responsibilities of Provost, Vice Presidents, Deans and Other Officers of the University

OM 2.4.0 Duties and Responsibilities of Academic Department Chairs

OM 2.4.1 Appointment and Tenure of Department Chairs and Academic Program Directors Policy Statement

OM 2.5.0 Periods of Duty - Administrative Offices

OM 2.6.0 Clarkson University Policies Governing Organized Activity Units

OM 2.6.1 Duties and Responsibilities of Directors of Institutes and Centers

OM 2.6.2 Appointment and Tenure of Directors

OM 2.6.3 Director of Organized Activity Unit - Additional Operational/Management Guidance

OM 2.7.0 Operational Procedures for the Administrative Council

OM 2.8.0 Faculty Senate Constitution

OM 2.9.0 Paperflow for Senate and Administrative Council Actions

OM 2.10.0 Committees of the University

OM 2.10.1 Committees of the Faculty Senate

OM 2.10.2 Standing Administrative Committees

OM 2.10.3 University Committee Procedures

OM 2.11.0 Support Staff Policies and Procedures

OM 2.12.0 Professional and Supervisory Staff Policies and Procedures

OM 3.0.0 - Human Resources Policies

OM 3.1.0 Human Resources Policies - General

OM 3.1.1 Definition of Employee Groups

OM 3.1.2 Exempt and Non-Exempt Employee Categories

OM 3.1.3 - Affirmative Action and Equal Employment Opportunity Statement

OM 3.1.4 - Employment of Family Members at Clarkson

OM 3.1.5 - Harassment and Sexual Misconduct Policy

OM 3.1.6 - Employment of Minors

OM 3.1.7 Drug Abuse in the Workplace

OM 3.1.8 Orientation

OM 3.1.9 Change in Status

OM 3.1.10 Smoking Policy

OM 3.1.11 Nondiscrimination Policy

OM 3.1.12 Cultural Diversity Policy

OM 3.1.13 General Grievance Procedures

OM 3.1.14 Discrimination Grievance Procedure (Including Cases of Sexual Misconduct)

OM 3.1.15 Anti-Bullying Policy

OM 3.1.16 Clarkson University Exit Policy

OM 3.1.17 Recruitment and Selection Process

OM 3.1.18 Termination/Resignation Policy

OM 3.1.19 Flexible Work Schedule (flextime) and Working Remotely

OM 3.1.20 Background Check Policy

OM 3.1.21 No Contact Order Policy

OM 3.2.0 Human Resources Policies - Faculty

OM 3.2.1 Retirement Benefits

OM 3.3.0 Human Resources Policies - Administrative, Supervisory, and General Staff

OM 3.3.1 Job Posting

OM 3.3.2 Position Classification Procedures

OM 3.3.3 Disciplinary Procedure

OM 3.3.4 Termination of Employment

OM 3.3.5 Retirement Benefits

OM 3.4.0 Human Resources Policies - Employment and Working Conditions - General Staff

OM 3.4.1 The Four Types of Appointments

OM 3.4.2 Employment - Appointment of General Staff Personnel

OM 3.4.3 Probationary Period - General Staff (Non-Bargaining)

OM 3.4.4 Working Hours - General Staff

OM 3.4.5 Rest Periods - General Staff

OM 3.4.6 Promotions and Transfers - General Staff

OM 4.0.0 - Compensation Policies

OM 4.1.0 Compensation Policies - General

OM 4.1.1 Supplemental Compensation Procedures - Faculty

OM 4.2.0 Compensation Policies - Faculty

OM 4.2.1 Salary Plan

OM 4.2.2 Salary Continuance - Faculty

OM 4.3.0 Compensation Policies - Administrative, Supervisory, and General Staff

OM 4.3.1 Wage and Salary Administration

OM 4.3.2 Salary Plan - Administrative and Supervisory Staff

OM 4.3.3 Pay Periods and Payroll Deductions - General Staff

OM 4.3.4 Overtime Policy for Non-Exempt Employees

OM 4.3.5 Supplemental Compensation Procedures - Exempt Non-Faculty

OM 4.3.6 Policy on Compensation for Travel Time - Non-Exempt Employees

OM 5.0.0 - Faculty Definitions and Policies

OM 5.1.0 Titles, Status and Definitions

OM 5.2.0 Duties of a Faculty Member

OM 5.3.0 Standards for Faculty Evaluations

OM 5.4.0 Procedures and Documentation for the Appointment, Reappointment and Continuing Evaluation of Faculty

OM 5.5.0 Evaluation Procedures for Tenure - The Tenure Policy

OM 5.6.0 Evaluation Procedures for Promotion