AT-1: Security Awareness and Training Policy and Procedures
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 05/08/2024
Purpose –
Tarleton State University (Tarleton) recognizes that security awareness training policies and procedures are vital to reducing information security risks. The Security Awareness Training Policy and associated controls document the requirements for training users to understand their responsibilities under State law and System policy, and their role in protecting Tarleton’s information resources by reducing information security risks.
Scope and Roles –
The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), information resource owners, information resource custodians, and all users of Tarleton information resources.
Compliance –
The Security Awareness Training Policy and associated controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76, §202.74, Texas Government Code §2054.519, §2054.5191, §2054.5192, and Texas A&M University System Regulation 29.01.03, Information Security.
Implementation
- The Security Awareness Training Policy and associated controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76, §202.74, Texas Government Code §2054.519, §2054.5191, §2054.5192, Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, and Tarleton’s Rule 29.01.99.T1, Information Resources.
- As stated in Control AT-2, Literacy Training and Awareness, all Tarleton employees who use information resources and third-party vendors that require a Tarleton account are required to comply with the policy and procedures related to Information Security Awareness (ISA) training and must acknowledge they have read, understand, and will comply with university requirements regarding computer security policies and procedures.
- Tarleton employees must complete ISA training within 30 days of their hire date.
- Third-party vendors and contractors requiring a Tarleton vendor account must complete training prior to receiving their account credentials.
- Tarleton requires employees and applicable third-party vendors to complete TAMUS- and/or DIR-approved ISA training annually.
- The Tarleton CISO or designee reviews and updates, as needed, the security awareness training policy and security awareness training procedures. TAMUS assists with updates to TrainTraq Course No. 3001 – Information Security Awareness Training, which is the DIR-approved course used by Tarleton for the training requirement as a member of the Texas A&M University System.
References/Additional Resources
Tex. Gov’t Code Section 2054.519