Tarleton Office of Innovative Technology Solutions (OITS)
Security Awareness Training Standard
Effective: February 11, 2020
Revised: May 29, 2026
Procedure Summary
Understanding the importance of information security and individual responsibilities and accountability pertaining to information security are paramount to achieving organization security goals. This can be accomplished with a combination of general information security awareness training and targeted, product-specific training. The security awareness and training information should be ongoing and updated as needed.
Tarleton information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. The purpose of this standard is to describe the requirements for ensuring that each user of university information resources receives adequate training related to information security issues. This standard applies to all users of Tarleton State University information resources, including, but not limited to: full-time employees (faculty and staff), student workers, third-party contractors, vendors, Tarleton Today teachers, etc.
The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer.
Please see the Tarleton Security Controls Catalog, specifically the Awareness and Training (AT) family, for additional information and requirements.
Procedures and Responsibilities
- The Security Awareness Training Policy and associated controls, in the Tarleton Security Controls Catalog, specifically the Awareness and Training (AT) family, are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76, §202.74, Texas Government Code §2054.519, §2054.5191, §2054.5192, Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, and Tarleton’s Rule 29.01.99.T1, Information Resources.
- As stated in Tarleton Security Control AT-2, Literacy Training and Awareness, all Tarleton employees who use information resources and third-party vendors that require a Tarleton account are required to comply with the policy and procedures related to Information Security Awareness (ISA) training and must acknowledge they have read, understand, and will comply with university requirements regarding computer security policies and procedures.
- Tarleton employees must complete ISA training within 30 days of their hire date.
- Third-party vendors and contractors requiring a Tarleton vendor account must complete training prior to receiving their account credentials.
- Tarleton requires employees and applicable third-party vendors to complete TAMUS and/or DIR approved ISA training annually.
- Departments may require additional incidental, role-based training and require acknowledgement as determined by the department in accordance with Tarleton Security Control AT-3, Role-Based Training.
- Departmental information technology personnel shall establish and maintain a process to communicate new security program information, security bulletin information, and security items of interest to departmental personnel, as needed.
Definitions
Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).
Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
Tarleton Security Controls Catalog
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685