
Information Security Awareness and Training Policy

Policy Number ITS-009
Effective Date October 08, 2025
Responsible Office/Person CITS and Human Resources
Related Policies

Acceptable Use of Info Technology Resources Policy

Information Security Policy

I. Introduction

The Information Security Awareness and Training Policy establishes the requirements to assist Information Technology (IT) system managers, administrators, and users of UMass Dartmouth systems and data, and the steps to ensure that university systems and data are appropriately safeguarded. Our faculty, staff, and students are the front line in protecting the university’s data assets, and this policy will assist in providing consistent guidance and an overall approach to security awareness.

II. Policy Statement

All University individuals, as defined in Section III. A. below, who use UMass Dartmouth information technology resources to conduct university business and to transmit sensitive data in the performance of their roles must take security awareness training before using UMass Dartmouth systems, when required by information system changes, and annually thereafter.

III. To Whom This Policy Applies and Responsibilities

A. General Applicability:

This policy applies to every individual who uses UMass Dartmouth information technology resources, including but not limited to:

      1. Faculty, staff, and administrators (full-time, part-time, and temporary)
      2. Student employees
      3. Contractors, volunteers, vendors, and contingent workers

The University reserves the right to expand its definition of required participants at any time.

B. University Employees and other affiliated staff:

    1. Complete an annual online information security awareness training course every twelve (12) months. All newly hired employees are required to complete the training course within the first 30 days of their hire date or before receiving access to the University’s IT systems and data. Employees who are on a leave of absence during the annual training period must complete the training within one month of returning to work.
    2. Implicitly agree to adhere to the university’s “Acceptable Use of Information Technology Resources” and “Information Security Policies” when accessing UMass Dartmouth information technology resources.
    3. Maintain records of training completion.
    4. Employees with incomplete training or who have not taken the training may be subject to removal of system access and disciplinary action up to and including termination in accordance with collective bargaining agreements and University policies.

C. Supervisors:

Ensure each employee and student employee under their supervision completes information security awareness training at the established regular intervals.

D. System Administrators / System Owners:

In addition to awareness training, facilitate and participate in practical cybersecurity training exercises on an as-needed basis that simulate cyberattacks and threats to enhance situational and enterprise readiness.

E. Information Security Manager / Human Resources:

    1. Oversee UMass Dartmouth’s information security awareness and training program, including development, implementation, and testing.
    2. Coordinate, monitor, and track the completion of the security awareness training for all UMass Dartmouth faculty, staff, administrators, contractors, volunteers, vendors, and contingent workers, and report incomplete or non-compliant training to the respective senior administrator, manager, or accountable person.
    3. Human Resources, in coordination with managers, will address any incomplete or non-compliant training for faculty, staff, administrators, contractors, volunteers, and vendors in accordance with collective bargaining language and applicable University Policies.
    4. Maintain records of the program for a period of five years.

F. Student Employees with System Access

    1. Complete an annual online information security awareness training course every twelve (12) months.
    2. Implicitly agree to adhere to the university’s “Acceptable Use of Information Technology Resources” and “Information Security Policies” when accessing UMass Dartmouth information technology resources.
    3. Maintain records of training completion.
    4. Students with incomplete training or those who have not completed the training may be subject to the removal of system access and disciplinary action in accordance with University policies.

G. Student Affairs

Student Affairs will address any incomplete or non-compliant training for students in accordance with university policies.

IV. Standards/Compliance

To ensure compliance with the annual security awareness training, training will be documented and monitored for individual information system security training activities.  Individuals who fail to comply with the training may have their system access revoked and may be subject to disciplinary action.
