SECURITY AWARENESS

Effective: August 15, 2024

Purpose: To help reduce the risk of human error, theft, fraud, or misuse of Emporia State University’s information assets, all persons having access to those assets should be aware of the role they play in helping maintain the security of those assets. This policy sets out to ensure that everyone is aware of their role and of ESU’s overall commitment to protecting our information assets.

Scope: This policy applies to all persons that are granted access to any ESU information assets classified above the Public/Unclassified level.

Responsible Office: Information Technology

Policy Statement: The Information Security Officer (ISO) is responsible for:

  • Development or acquisition of relevant training courses, maintaining training records, and setting training deadlines.
  • Monitoring and reporting compliance with this policy.
  • Reviewing this policy on an annual basis.

Information Custodians are responsible for ensuring that third parties or vendors follow this policy.

Supervisors are responsible for ensuring employees under their supervision complete the Security Awareness training by the deadline set by the ISO.

It is the policy of ESU to ensure that all system account holders will receive security awareness training within the following requirements:

  • All employees must complete Security Awareness training within the first ninety (90) days of hire and on an annual basis thereafter.
  • Security Awareness training shall address the following topics at a minimum:
      • Passwords including creation, changing, aging, and confidentiality
      • Privacy and proper handling of sensitive information
      • Physical security
      • Social engineering
      • Identity theft avoidance and action
      • Email usage
      • Internet usage
      • Viruses and malware
      • Software usage, copyrights and file sharing
      • Portable Electronic Devices and Portable Electronic Media
      • Proper use of encryption devices
      • Reporting of suspicious activity and abuse

In addition:

  • The Information Security team shall retain a form of acknowledgment of training completion.
  • The Information Security team will review security awareness training materials annually or more frequently as needed.

Failure to complete Security Awareness training will result in user account suspension until training is completed.

The President or designee must approve any exceptions to this policy. Any exceptions must be documented and a copy maintained by the ISO.

Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.

Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.

[Information Technology procedures - coming soon]

Related Policy Information: [coming soon]

History and Revisions

Adoption Date:
09/20/2006 [FSB 06013 passed by Faculty Senate on 10/03/06, approved by President, and included in UPM as Policy 3J.07]
Revision Date:
04/17/2017 [FSB 16008 passed by Faculty Senate on 04/04/2017 and approved by President]
11/05/2019 [Policy updated by IS]
02/05/2020 [Policy approved by ISAC and removed from Faculty Senate on 02/18/2020]
08/15/2024 [Policy format revised as part of UPM Revision]