PURPOSE:
This User Awareness and Training Policy outline the requirements and framework for establishing and maintaining a comprehensive user security awareness and training program at Idaho College of Osteopathic Medicine (ICOM). The purpose of this policy is to cultivate a security-conscious culture, reduce human-related security risks, and ensure that all users understand their roles and responsibilities in protecting institutional information assets and systems. Effective user awareness and training are critical for mitigating threats such as phishing, malware, social engineering, data breaches, and policy violations. This policy is designed to support compliance with applicable regulations, institutional security policies, and ethical standards.
SCOPE:
This policy applies to all users of ICOM's information systems and resources, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Any individual with access to institutional information assets or systems.
This policy may also apply to these users as necessary
- Affiliates
- Volunteers
- Contractors
- Vendors
This policy covers all aspects of security awareness and training related to:
- Information security policies and procedures
- Data security and privacy
- Password security and account management
- Phishing and social engineering awareness
- Malware and virus prevention
- Secure use of email and internet
- Mobile device security
- Remote access security
- Physical security awareness
- Compliance with relevant regulations (e.g., FERPA, HIPAA, GLBA)
- Acceptable Use Policy
- Incident reporting procedures
DEFINITIONS:
- Data Breach: A security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
- Information Assets and Systems: All ICOM’s valuable information, data, and the technology used to store, process, and transmit that information. This includes things like student records, financial data, research, software, computers, and networks.
- Malware (Malicious Software): Software designed to intentionally cause harm or disruption to computer systems, networks, or data. This is a broad term encompassing various types of threats, including viruses, worms, Trojans, ransomware, spyware, adware, and rootkits.
- Phishing: A type of social engineering attack, typically delivered via email, text message, or website, designed to trick individuals into revealing sensitive information, such as usernames, passwords, credit card details, or Protected Health Information. Phishing attacks often impersonate legitimate organizations or individuals.
- Policy Violation: Any action or inaction that is contrary to the requirements, standards, or guidelines outlined in ICOM's security policies and procedures.
- Protected Health Information (PHI): Individually identifiable health information protected by HIPAA regulations, as further defined by HIPAA.
- Security Awareness Training: A structured program designed to educate users about information security risks, threats, ICOM's security policies, and best practices for protecting information assets and systems. The goal of security awareness training is to change user behavior and create a more security conscious culture.
- Social Engineering: Psychological manipulation techniques used to trick individuals into divulging confidential information, performing actions, or granting access to systems or data. Phishing is a common form of social engineering.
- User: Any individual who is authorized to access or use ICOM information systems or resources, as defined in the Scope of the User Awareness and Training Policy.
POLICY:
Mandatory Security Awareness Training: All users, as defined in the Scope, are required to complete mandatory security awareness training upon initial onboarding/affiliation with ICOM and on an ongoing basis thereafter, as specified in this policy.
Annual Security Awareness Training Requirement: All users must complete annual security awareness training. Refresher training or supplemental training may be required more frequently for specific user groups or based on evolving threats and institutional risk assessments.
Training Content and Curriculum: The Information Technology Office, in collaboration with relevant departments (e.g., Human Resources, Academic Affairs, Student Affairs), will develop and maintain a comprehensive security awareness training curriculum. Training content will:
- Be relevant to the user's roles and responsibilities within the institution.
- Cover the key security awareness topics outlined in the Scope of this policy.
- Be updated regularly to address current threats, vulnerabilities, and changes in institutional policies.
- Be engaging and interactive, utilizing various training methods (see section Training Delivery Methods).
- Be accessible to users with disabilities, in accordance with accessibility standards.
- Address relevant compliance requirements (e.g., FERPA, HIPAA, GLBA) as applicable to different user groups.
- Clearly communicate user responsibilities for information security.
Differentiated Training Based on Roles and Risk: Security awareness training will be differentiated based on user roles, access levels, and the sensitivity of data and systems they handle. Users with higher levels of access or responsibility for sensitive data may require more in-depth or specialized training.
Specific training modules may be developed for:
- Faculty (addressing research data security, student data privacy, etc.)
- Staff (addressing administrative data security, financial data, etc.)
- Students (addressing responsible technology use, data privacy, academic integrity in the digital environment, etc.)
- IT Staff and System Administrators (addressing advanced technical security topics, incident response procedures, etc.)
- Executive Leadership (addressing cybersecurity governance, risk management, business continuity, etc.)
Training Delivery Methods: A variety of training delivery methods will be utilized to maximize user engagement and learning effectiveness. These methods may include:
- Online training modules and e-learning courses.
- Classroom-based training sessions and workshops.
- Simulated phishing exercises.
- Security awareness videos and presentations.
- Infographics and awareness posters.
- Regular security awareness communications (emails, newsletters, intranet postings).
- "Lunch and Learn" sessions or informal awareness events.
Tracking and Reporting Training Completion: A system will be implemented to track user completion of mandatory security awareness training. Reports on training completion rates will be generated and provided to relevant departments and institutional leadership upon request to monitor compliance and identify areas for improvement. Non-completion of mandatory training may result in temporary suspension of system access, required retraining, and supervisory notification.
Ongoing Security Awareness Communications: Beyond formal training, the institution will conduct ongoing security awareness communications throughout the year to reinforce key security messages, provide updates on emerging threats, and promote a culture of security awareness. These communications may include:
- Regular security awareness newsletters or email updates.
- Security tips and reminders posted on the institutional intranet or website.
- Security awareness campaigns focused on specific themes (e.g., Cybersecurity Awareness Month, Data Privacy Day).
- Real-time security alerts and advisories.
Phishing Simulation Program: A phishing simulation program will be implemented to regularly assess user susceptibility to phishing attacks and to reinforce phishing awareness training. Results of phishing simulations will be used to tailor training content and identify users who may require additional support. Phishing simulations are for training and awareness purposes, not punitive, and results will be handled sensitively and confidentially.
Responsibility for User Awareness and Training:
- Information Technology Office: The Information Technology Office is responsible for the overall development, coordination, implementation, and maintenance of the User Awareness and Training Program, including:
- Developing and updating the training curriculum and policy.
- Selecting and managing training platforms and content.
- Developing and deploying phishing simulations.
- Tracking and reporting training completion.
- Providing guidance and support to departments on user awareness and training.
- Department Heads and Supervisors: Department heads and supervisors are responsible for:
- Ensuring that all users within their departments complete mandatory security awareness training in a timely manner.
- Reinforcing security awareness messages within their teams.
- Supporting and promoting a security-conscious culture within their departments.
- Addressing any security awareness or training-related issues within their departments.
- Users: All users are responsible for:
- Actively participating in and completing all required security awareness training.
- Applying security awareness knowledge in their daily work and technology use.
- Staying informed about security threats and best practices.
- Reporting suspected security incidents or policy violations.
Policy Exceptions: Exceptions to the mandatory security awareness training requirements may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification and documented approval. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this User Awareness and Training Policy is the responsibility of all managers, supervisors, department heads, and users, under the overall direction of the Chief Information Officer and the Information Technology Office. Failure to complete mandatory security awareness training, or repeated disregard for security awareness principles and policies, may result in disciplinary actions, up to and including warnings, suspension of system access, and termination of employment or access privileges, depending on the nature and severity of the non-compliance, and consistent with other institutional policies and procedures. The Information Technology Office will monitor training completion and work with departments to address non-compliance issues.
POLICY REVIEW AND UPDATES:
This User Awareness and Training Policy and the associated training curriculum will be reviewed and updated at least annually, or as needed to reflect changes in security threats, regulations, institutional risk assessments, training methodologies, or best practices in user awareness. The Information Security Office is responsible for coordinating policy reviews and updates, in consultation with relevant stakeholders (e.g., Human Resources, Academic Affairs, Student Affairs).
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual
CROSS REFERENCE AND SUPPORTING DOCUMENTS:
Information and links to other policies or supporting documents referenced within this policy.
| Document/Resource | Location/Link |
| Information Security Program | Contact Chief Information Officer |