Information Security Awareness Policy
1.0 Overview
Linfield University employees should understand the importance of information security and endeavor to protect University-owned data and resources. To facilitate appropriate information security practices, all Linfield employees who use University-owned information technology resources must complete Information Security Awareness training.
2.0 Purpose
The purpose of this document is to define Linfield University’s Information Security Awareness Policy and to assure ongoing compliance with the Policy.
3.0 Scope
The term "employees," as used in this policy, refers to all Faculty, Staff, Administrators and temporary workers accessing or using Linfield University’s information technology resources and services, wherever the employee is located.
Information technology resources and services include, but are not limited to, the following: host computers, file servers, workstations, standalone computers, laptops, tablets, smartphones, software, and internal or external communications networks (Internet, commercial online services, web sites, and e-mail systems).
4.0 Policy
Information Security Awareness training will include the following three components.
4.1 Information Security Training Videos
4.1.1 New Employees. The on-boarding process will include information security training for all new employees. The training will include a general knowledge information security video that must be viewed on the first day of employment.
4.1.2 Current Employees. Current employees must review the general knowledge information security video within three months of the effective date of this policy.
4.1.3 Employees who have access to confidential information as defined in the Data Classification Policy are required to participate in information security training at least once per year.
4.1.4 The Human Resource office will track the video training requirement within the Paycom system.
4.2 Email Phishing
4.2.1 ITS will conduct email phishing campaigns four times a year, at minimum.
4.2.2 Employees who fall for the phishing campaign will be required to view additional information security videos after each campaign.
4.2.3 Direct supervisors will be notified of the employee’s requirement to view additional training videos.
4.3 Review of the Acceptable Use and Data Classification policies
4.3.1 All employees must acknowledge that they have reviewed the Acceptable Use Policy and Data Classification Policy.
4.3.2 The Human Resource office will track the policy review requirement within the Paycom system.
5.0 Related Standards, Policies and Processes
5.2 Data Classification Policy
6.0 Policy Compliance
When an employee is found to be in violation of this policy, access to University-owned information technology resources may be revoked and the University’s disciplinary process will be followed as outlined in the personnel handbooks. If the matter involves illegal action, law enforcement agencies may also become involved, as would occur for matters that do not involve information technologies or the Internet.
Linfield University will verify compliance with this policy through various methods, including, but not limited to, business tool reports, internal and external audits, and community feedback to the policy owner.