Annual Cybersecurity Training - Frequently Asked Questions

Description:

The purpose of this document is to address frequent questions about the required annual cybersecurity training from campus IT Directors, Managers, and the CSU IT Community.

Content:

Campus Community

IT Directors and Managers

Campus Community:

Why are we doing this? What is the purpose of implementing a security training program across campus?

New federal regulations on Cybersecurity require us to complete annual training as a first line of defense against attacks.
The training covers a variety of topics that every individual should know in order to safeguard our information.
This training is part of the IT Strategic Plan to enhance our Cybersecurity profile.

Who is required to participate in this training program?

All faculty, staff, and researchers (Faculty, AP, SC, NSH, Other Salaried, Associates, Temporary) who work in the CSU System.
Students, student hourly, Graduate Assistants, emeritus, and retirees are out of scope and not included in the requirement at this time.
Employees on Extended Leave are out of the scope of this requirement until they return to their duties.

How often is this training program conducted?

The training is required to be completed annually.
New employees are invited to complete the training as part of their onboarding process and annually after. The New Employee Welcome Packet has been updated to reflect this change.

How are employees notified?

Faculty, staff, researchers and associates will find out from a variety of sources that include department and campus leadership, IT Managers and Directors, and the new employee manual.
Employees should receive an email from the IT manager as well as from the department or division leadership.
Multiple follow-up emails will be sent to those who are required to complete the training from the Division of IT.
Emails will be sent from the Division of IT Security Training email address, division_of_it_security_training@colostate.edu.

What happens if required users fail to complete the training by the deadline?

Users who do not complete the training on time risk having their MFA access paused, preventing access to OUR systems and resources.

How is the completion of the training program tracked?

Each employee's progress is tracked electronically through our learning management system, and completion status is monitored by our Information Security Training Specialist.

Who should I direct users to who have questions or concerns with the training materials?

Employees can contact the Division of IT help desk or email the security and privacy team at Division of IT Security Training email with any questions or concerns related to accessing or interacting with the training material.

What actions should individuals take?

Researchers, associates, faculty, and staff members are required to complete the training annually.
The training is already assigned through the LMS.
The training will take approximately 20 minutes to complete.
Users can also access the training from the Division of IT cybersecurity webpage.

When is the deadline to complete it?

All required individuals must complete the training by the third Friday in December.
This training will occur on an annual basis.

What if I have student employees who need to be security trained because of the systems they work with or data they have access to?

At this time, students, including student employees and GRAs, are not included in the cybersecurity awareness training.
Please reach out to work with the Information Security Training Specialist through the Division of IT Security Training email if you have concerns about student employees who are working with sensitive data or systems.

IT Directors/Managers

Why are we doing this? What is the purpose of implementing a security training program across campus?

This training is part of the IT Strategic Plan to enhance our Cybersecurity profile.

How are employees notified?

Faculty and staff will find out from a variety of sources that include department and campus leadership, IT Managers and Directors, and the new employee manual.
Employees should receive an email from the IT manager as well as from the department or division leadership.
Multiple follow-up emails will be sent to those who are required to complete the training from the Division of IT.
Emails are sent from the Division of IT Security Training email address, division_of_it_security_training@colostate.edu.
Message will not be sent to email addresses outside of M365.

Will I receive reports about completion rates for my department or division?

Yes. IT directors and managers will receive monthly reports throughout the year, with more frequent reporting toward the annual deadline.

What if my department already requires security training for our employees?

As this program and content has been approved by campus leadership based on compliance and security requirements for all campus users, all faculty and staff will be required to complete the Annual cybersecurity training, in addition to or in lieu of departmental security training.
The Annual cybersecurity training does not cover topics like HIPAA or FERPA. For those topics, you should continue to rely on departmental-specific training.

What authority do I have as the IT Director or Manager to remove access to CSU resources once the user's MFA access is disabled?

The Division of IT is responsible for the authentication and identification of our campus users. Access to resources beyond the campus identifier and M365 services is controlled and managed by each College or Division and their respective IT departments. Access to these services is at the sole discretion of the College or Division and their IT departments.

What is expected of me as an IT Director or Manager?

As your department's IT Leader, we ask that you share this information with your faculty, staff, and researchers.
Please customize it to fit the culture of your organization.
Let your executive leadership know that this is a high priority for our CSU System, and we will be encouraging our community to complete the training.