Information Security Training and Awareness Policy
Title: Information Security Training and Awareness Policy
Effective Date: 2006
Responsible Office: Information Technology
Last Updated: April 15, 2025
Purpose
The purpose of this Information Security Training and Awareness Policy is to ensure that all personnel at William & Mary have the knowledge and skills needed to protect the institution's information assets. The policy promotes a culture of security awareness and compliance aligned with ISO/IEC 27001:2022 and tailored to the needs of the university, so that everyone understands their roles and responsibilities for information security.
Scope
This policy applies to all William & Mary faculty and staff requiring access to the university’s information systems. Contractors are not covered by this policy.
Policy
Initial Training
All new employees must complete mandatory information security training within 30 days of their start date. The initial training includes an overview of William & Mary's Information Security Policies, general information security concepts and best practices, and topic-specific training focused on current or emerging threats.
Ongoing Annual Training
The W&M Information Security Office will also deliver mandatory information security training to all active employees in the fall semester of each year. An active employee is any individual with an active job record in the university's HR system. All active employees assigned training must complete it by the end of the fall semester. Active employees who are assigned training and do not complete it by the end of the fall semester will have their accounts locked until the training is completed.
Exemptions to this policy include:
- Graduate students and student employees
- Facilities management employees working as custodians or other job roles not requiring use of a computer on a regular basis
- Athletic coaches not requiring use of a computer on a regular basis
- Outside admissions readers not requiring use of a computer on a regular basis
In addition, exemptions from this policy may be requested under the following circumstances (and others, subject to review and approval):
- An individual has been hired within the last year and was assigned the training at hire (no need to take twice in same year).
- An individual has completed equivalent information security training and has evidence of completion.
- An individual has some other legitimate and approved reason for not being able to complete the training.
Requests for exemptions can be submitted using the Security Training Exemption Request form or by emailing the Chief Information Security Officer directly.
Requests for exemptions must be approved by the Chief Information Security Officer or equivalent designee.
Role-Based Training
- Individuals working with credit card transactions at the university are required to attend annual PCI DSS training in addition to the general annual training.
- Individuals working with data covered by the Gramm-Leach-Bliley Act (GLBA) are required to attend annual GLBA training in addition to the general annual training.
- University departments working with sensitive data must meet with the Chief Information Security Officer annually to assess risks to the sensitive data and the effectiveness of controls in place to mitigate those risks.
- All members of the Information Security Team are required to participate in some form of professional development activity annually.
Awareness Program
In addition to annual training, all faculty, staff, and students will undergo regularly scheduled simulated phishing exercises to increase and maintain awareness about trending threats.
Non-Compliance
An employee’s failure to comply with any of the above policy statements may result in being disciplined, in accordance with general university employment policies and procedures that apply to the respective category of employees. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.
A student’s failure to comply with any of the above policy statements may result in disciplinary actions in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition.