Information Security Awareness & Training Standard
Purpose
In accordance with university policy 40.130 Employee Educational Program and Compliance Training, this standard outlines the responsibilities of university units in ensuring that their staff are appropriately trained to maintain on information security best practices and in compliance with regulations that protect sensitive data.
Scope
This standard applies to all Ohio University faculty, staff, student employees, and any third-party affiliates who require access to university data.
Standard
Ohio University is required to protect the confidentiality, integrity, and availability of its data, and as such relies on its employees to be good data stewards and custodians. It is the responsibility of each department to ensure that their staff are appropriately trained in information security best practices for the type of data they process, store, transmit, or access. For example, some regulations, such as HIPAA and PCI-DSS, require annual information security training to maintain compliance.
The Information Security Office ensures that general information security training is made available to faculty, staff, and student employees. Training can be accessed by visiting https://www.ohio.edu/oit/security/it-security-training. This training is very broad and is intended to be a foundation on which to build more specific skills in accordance with the classification of data a unit processes, stores, transmits, or accesses. On its own, this training does not meet the requirements set out by regulations such as HIPAA and PCI-DSS, therefore it is recommended this training be taken in addition to other specific regulatory compliance coursework.
Departments requesting guidance in identifying appropriate training for their staff may contact the data owner for that sensitive data element.
FERPA: Contact the University Registrar
HIPAA: Contact the HIPAA Chief Privacy Officer
PCI-DSS: Contact the Office of the Bursar
Other sensitive data: Contact the Information Security Office
References
- NIST 800 Series Publications
- Policy 93.001 Data Classification
Governance
This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer
Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
Distributed IT: Rebecca Petty, IT Operations Manager (College of Arts & Sciences)
Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
Finance: Julie Allison, Associate Vice President, Finance
Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security
Distributed IT: Larry Tumblin, Director of IT Relationship Management
Research: Kimberly Littlefield, Associate Vice President for Research Administration
History
Draft versions of this policy were circulated for review and approved June 1, 2026.