Security Standard 01: Security Training
The official Information Security Policy that is the parent to this standard is located in the Official IWU Policy Warehouse.
Summary:
This standard defines mandatory training requirements for all employees and affiliated personnel at Indiana Wesleyan University (IWU) to ensure awareness of security responsibilities, threats, and institutional policies. It supports the broader IWU Information Security Policy.
Corresponding Policy:
IWU Information Security Policy – Policy Warehouse
1.0 Purpose
To ensure all users of IWU information resources are equipped to recognize, prevent, and respond to security threats through recurring, role-specific, and compliance-driven training.
2.0 Scope
Applies to all IWU faculty, staff, adjuncts, contractors, and affiliates who access institutional data or systems.
3.0 Roles and Responsibilities
- CISO – Oversees the development, delivery, and enforcement of training.
- Supervisors – Ensure team participation and follow up on non-compliance.
- Employees – Complete training on time and comply with all related standards.
4.0 Standard
4.1 Initial and Recurring Training
- Initial Training: Must be completed within 14 days of an individual’s start date (including full-time faculty, staff, and adjuncts).
- Annual Recertification: Required for all employees each year.
Training must include, at minimum:
- User responsibilities and acceptable use
- Common cybersecurity threats
- Handling of IWU Protected and Sensitive Data
- Incident notification procedures
- Regulatory/institutional compliance mandates
4.2 Annual Awareness Training
- Delivered via the Proofpoint Security Education Platform.
- Content includes:
  - Threat recognition (e.g., phishing, ransomware)
  - Data protection best practices
  - Risk-reducing behaviors
- Scheduling is aligned with other university compliance training in coordination with Legal and Risk leadership.
Compliance Enforcement:
- If not completed:
  - The user’s IWU account will be disabled.
  - Reinstatement requires contacting the IWU Support Center and opening a support case.
  - Continued failure will be escalated to the supervisor and Human Resources.
4.3 Targeted Compliance Training
- HIPAA and PCI-DSS training is required annually for employees who handle:
  - Protected Health Information (PHI)
  - Credit card data
- This occurs concurrently with awareness training and follows the same deadlines and enforcement.
4.4 Technical Security Training
- Required for all Technical Support Staff, including:
  - Support Center
  - Network Support
  - Server/Endpoint Teams
- Training is tailored to role-specific risks and responsibilities and delivered through the awareness platform when available.
4.5 Policy Acknowledgement
- Employees acknowledge their understanding and agreement to comply with all relevant IWU security policies during annual training.
- This acknowledgment is logged and retained.
4.6 Email Phishing Simulations
- Conducted periodically throughout the year.
- Administered by the Information Security Office.
- Includes:
  - Realistic threat simulations
  - Real-time feedback upon failure
  - Supplemental training for repeat failures
5.0 Enforcement
Failure to comply with training timelines and policy acknowledgement will result in account suspension and referral to Human Resources and the employee’s supervisor. Technical exceptions may be coordinated through the CISO’s office on a case-by-case basis.
6.0 Related Documents
Publication Tracking
Author | Michael Madl, Chief Information Security Officer
---|---
Revision Date | Fri, 01 Aug 2025 - ver. 27
Notes | Draft Version - Approved by CIO