Purpose

  • The Cybersecurity Awareness and Training standard defines the required training for University of Oregon ("University") employees aimed at raising awareness of various risks related to securing information resources and providing steps to protect these resources.
  • Training requirements identified herein reduce risks to the confidentiality, integrity, and availability of university data and systems (“information assets”) and protect the privacy of members of the University community.  
  • Protected data types are defined in the Information Asset Classification and Management Policy (IV.06.02).  

 

Applies To

This standard applies to all active University of Oregon faculty, staff, graduate and student employees who have been issued University email accounts (“employees”).

 

Definitions

ISO Glossary and Iconography 

 

Standard

Employees are required to complete baseline information security awareness training.

This training will help users safeguard their personal information as well as university data that they access. The training will cover essential topics necessary for university employees to perform their job functions securely.  

Additional training

The mandatory training provides a foundational baseline. Regular opportunities for microlearning are also available.  

Some operational and academic areas may have additional mandatory training to satisfy regulatory requirements. These trainings are managed in coordination with the respective employee units.

Furthermore, the Information Security Office (ISO) may mandate training as part of the remediation process to reduce users' risk of compromise. For example, the ISO may require additional training for a user during the remediation process for recovering an account compromised by a phishing incident.

Failure to complete required training may result in corrective or disciplinary action, consistent with applicable university policies and procedures and collective bargaining agreements.

Roles and Responsibilities

University Human Resources: Provide the Information Security Office with information on all staff, faculty, graduate, and student employees so the training can be assigned.

Information Security Office (ISO): Manage users within the training environments, including employee and supervisor notifications for non-completion of training. Provide training completion reports to appropriate administrators.

Employees: Responsible for completing the training.

Employee Supervisory Chain: Responsible for ensuring employee participation in the training.

Requesting Exceptions

In the event the standard cannot be achieved by reasonable means, employees may request an exception by completing the Information Security Standard Exception Request form. Users requesting exceptions must be ready to provide details as to why they are unable to adhere to the standard, the duration of the exception request, and mitigating controls being put in place to meet the standard.

Reporting inappropriate use of access

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System.  EthicsPoint is available here.

 

Implementation Guidelines

Guidelines related to the implementation of this standard can be found in the Guidelines Library on the Information Security Office website.

 

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at isrc@uoregon.edu.

Additional information can also be found by visiting the following resources:

 

Revision History

Version | Published | Author | Description
1.0 | 05/06/2025 | Information Security Office (ISO) | Original publication
Publication
Status: Standard
Published: 05/06/2025
Last Reviewed: 
Last Updated: 
Approvals
Approval Block:
 | Date Discussed | Date Approved
Information Security and Privacy - Governance Sub-Committee (ISP-GC) | |
Chief Information Security Officer | |