AT-2: Literacy Training and Awareness
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 05/08/2024
- Tarleton State University (Tarleton) administers security and privacy awareness training in compliance with the requirements of Texas Administrative Code (TAC) §2054.5191–.5192 and Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, for all employees, including managers, senior executives, contractors, and other sponsored third-party vendors and/or guest users.
- For all Tarleton employees, training should be completed through the TAMUS-approved training system, currently TrainTraq, and recorded.
- All employees of Tarleton/TAMUS-owned information resources must complete a Tarleton-approved Information Security Awareness (ISA) course immediately upon hire and annually thereafter.
- If the training material changes substantially, TAMUS or Tarleton’s Chief Information Security Officer (CISO) may choose to have all employees, or a specific segment of employees, retake the training out-of-cycle. Additional ISA or other security-related training can be assigned to employees out-of-cycle at the Tarleton CISO’s discretion.
- For all third-party vendors that require a Tarleton account and/or will be accessing Tarleton/TAMUS information resources, training should be completed through the TAMUS-approved training system, currently TrainTraq, and/or through another DIR-approved ISA training course prior to receiving their Tarleton vendor account credentials and annually thereafter, as applicable for their continued contract work with Tarleton. If ISA training is completed through another DIR-approved training course, proof of training completion must be provided to Tarleton’s Office of Innovative Technology Solutions (OITS) – Security Team or CISO. It is at the CISO’s discretion whether ISA training that the vendor completed through another DIR-approved training course will be accepted or whether the vendor must complete Tarleton/TAMUS ISA training.
- The CISO may use other communication channels, such as email and awareness campaigns (for example, National Cyber Security Awareness Month), to inform users of information security awareness topics.
- Training and awareness content will be updated periodically to incorporate lessons learned from internal or external security incidents.
References/Additional Resources
Tex. Gov’t Code Section 2054.519
Tex. Gov’t Code Section 2054.5191