Information Security Awareness Training Policy

Purpose

This policy outlines the requirements that SUNY New Paltz has for information security awareness training. SUNY New Paltz recognizes our employees as an important line of defense against cyber-attack, and their valuable role in protecting the data we are entrusted with by our students, faculty, staff, alumni, donors, and community.

This policy is meant to ensure that our faculty and staff (including student employees in some situations) are made aware of the threats that we face from cyberattacks as well as inadvertent disclosure of sensitive information. 

It is also intended to comply with both New York State Law (particularly the New York State Information Security Policy) and the SUNY Information Security Policy.

Scope 

This policy applies to all employees of SUNY New Paltz, including Research Foundation staff as well as Campus Auxiliary Services (CAS) employees, and the Sodexo employees who have SUNY New Paltz computer accounts. Among student employees, it applies only to certain categories, including but not limited to Teaching Assistants, Graduate Assistants, and other student employees with elevated access such as Service Desk staff or those with access to Banner or Argos.

Policy

To meet these requirements, SUNY New Paltz requires a baseline level of training, via annual information security awareness training for all employees, regardless of their level of access. 

This training must be completed on an annual basis. Employees should be given time to complete that training during their regular work hours, as well as access to a computer to complete that training. If no computer is available in their regular work location, they should be allowed to complete training in an open computer lab.  HRDI & ITS will coordinate to offer an in-person opportunity to complete these trainings. 

The training assignments are determined by the Information Security Officer (ISO). They may include additional training modules for new faculty and staff. Supplemental training may be assigned based on an employee’s role or level of access within the University, as determined by the ISO. 

Employees are automatically enrolled in the baseline training when they are activated as employees. Additional assignments may be given at a later date. 

New employees are assigned training soon after they are first activated in our systems and will receive notice of that training via their University email. They will have one month from when it is assigned to complete the training. 

For the annual training assigned to employees who are not new, the training should be completed within five months. This gives people flexibility to complete the training when they have more time available, such as before the Spring Semester, Spring Break, or after the Spring Semester. 

In addition to assigned modules, the ISO will occasionally conduct simulated phishing exercises. The goal of these is both to reinforce the training and to reduce the likelihood of people falling for real phishing attacks. These simulated attacks will use tactics similar to those of real cybercriminals but in a safe environment (where passwords are not actually captured).

Note: if an employee at SUNY New Paltz is required to complete similar training by another employer or institution, they may submit evidence of training completion to InformationSecurity@newpaltz.edu. After review, the ISO may, at their discretion, mark the New Paltz training requirements as satisfied for the year.

 
Non-compliance 

If faculty or staff do not complete the training by the due date, access to systems and services the University has deemed high risk (such as Banner, Argos, Starfish, VPN, or VDI) may be blocked until training is complete.

Your supervisor and/or division VP will also receive notification of non-compliant staff. 
 
If you haven’t completed the training because you are having issues accessing it or have trouble completing it, you can contact InformationSecurity@newpaltz.edu for assistance before the due date.

Accessing Training

If you have been assigned training, you can review it by going to www.newpaltz.edu/securitytraining.  You will be asked to enter your University email address and will either be brought directly to the training platform (KnowBe4), or will be brought to the standard SUNY New Paltz login page (as if you were accessing my.newpaltz.edu, Office 365, or Brightspace). 

 

Additional Policies & Documents 

This policy is related to several SUNY, State, and Federal policies, including: 

 

Additionally, this policy is meant to comply with: 

 

Details

Article ID: 148301
Created: Mon 12/19/22 1:03 PM
Modified: Thu 1/5/23 1:02 PM