Security Awareness & Training Policy

Scope

This policy applies to all SUNY Geneseo employees (including CAS employees) and students. It applies regardless of whether an employee regularly uses computer systems and networks in their day-to-day work. All employees are expected to protect information assets, including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to all active students, who are expected to comply with our information security policies.

Procedure Statement

The State University of New York at Geneseo is committed to best practices in information security. This policy outlines the training obligations of faculty, staff, and students. The Geneseo information security awareness and training program is designed to inform and assess all employees and students regarding their information security obligations, and it aligns with NIST Security and Privacy Controls for Information Systems and Organizations (SP 800-53).

Definitions

Procedure

Annual Awareness Training

Each employee is required to successfully complete Cybersecurity Awareness Training annually. CIT staff select the topics covered in the training based on an understanding of current cybersecurity threats. Common topics include phishing, malware, and password management. Training may be offered as computer-based training (CBT), videos, and/or instructor-led training. Employees will be given a reasonable amount of time (at least 30 days) to complete the training so as not to disrupt their work activities.

Similar training is made available to all active students annually. The training is encouraged but not required.

Specialized Training

Certain staff may be required to complete additional training depending on their specific job requirements.

Individuals with sensitive access

Individuals with access to sensitive information or elevated permissions, such as the ability to change other users’ passwords, are required to take additional training annually that details why this access must not be abused.

PCI

Employees who conduct credit card transactions or otherwise handle credit card data must complete additional training annually, as prescribed by PCI standards.

Student Employees

Upon being hired, all student employees must complete mandatory information security training that covers FERPA regulations and NYS data protection laws, among other security topics.

Simulated Phishing Exercises

At a minimum, all active employees and students receive one simulated phishing training email per month. Replying to the exercise email, clicking its link, or opening its attachment is considered a failure. Ignoring, deleting, or reporting the exercise email is considered a pass. The difficulty, topics, and types of simulated phishing emails are selected by CIT based on current threat trends and past exercise results, with input from the Information Security Program Team.

Security Training Records

Security training records, including simulated phishing pass/fail results and training completion, are retained for three years.

Compliance with Procedure

Employees who do not complete their training in the allotted time receive periodic reminders for two months after the due date, and supervisors receive a list of their direct reports who are overdue on their training. It is the supervisor’s responsibility to ensure the employee completes the training as soon as possible upon notification of an incomplete training module.