Search within:

Information Security Awareness & Training Standard

Purpose

In accordance with university policy 40.130 Employee Educational Program and Compliance Training, this standard outlines the responsibilities of university units in ensuring that their staff are appropriately trained to maintain on information security best practices and in compliance with regulations that protect sensitive data. 

Scope

This standard applies to all Ohio University faculty, staff, student employees, and any third-party affiliates who require access to university data.

Standard

Ohio University is required to protect the confidentiality, integrity, and availability of its data, and as such relies on its employees to be good data stewards and custodians. It is the responsibility of each department to ensure that their staff are appropriately trained in information security best practices for the type of data they process, store, transmit, or access. For example, some regulations, such as HIPAA and PCI-DSS, require annual information security training to maintain compliance. 

The Information Security Office ensures that general information security training is made available to faculty, staff, and student employees. Training can be accessed by visiting https://www.ohio.edu/oit/security/it-security-training. This training is very broad and is intended to be a foundation on which to build more specific skills in accordance with the classification of data a unit processes, stores, transmits, or accesses. On its own, this training does not meet the requirements set out by regulations such as HIPAA and PCI-DSS, therefore it is recommended this training be taken in addition to other specific regulatory compliance coursework.

Departments requesting guidance in identifying appropriate training for their staff may contact the data owner for that sensitive data element.       

FERPAContact the University Registrar

HIPAAContact the HIPAA Chief Privacy Officer

PCI-DSSContact the Office of the Bursar

Other sensitive dataContact the Information Security Office

References

  1. NIST 800 Series Publications
  2. Policy 93.001 Data Classification

Governance

This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups: 

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer    

  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance    

  • Distributed IT: Rebecca Petty, IT Operations Manager (College of Arts & Sciences) 

  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)    

  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)    

  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)    

  • Finance: Julie Allison, Associate Vice President, Finance    

  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations    

  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security 

  • Distributed IT: Larry Tumblin, Director of IT Relationship Management  

  • Research: Kimberly Littlefield, Associate Vice President for Research Administration    

History

Draft versions of this policy were circulated for review and approved June 1, 2026.