Information Security Awareness Policy

Purpose

The purpose of this policy is to raise awareness of information security, and to inform faculty, staff, certain student workers, third party contractors and volunteers of their information security obligations and responsibilities. Formal information security awareness will aid in the protection of data (personal, intellectual property, financial, or restricted and sensitive information), networked systems, and applications entrusted to and utilized by the University, by providing a broad understanding of information security threats, risks and best practices.

 

Scope

Faculty, Staff and Student Workers:

This policy applies to all faculty, staff and student workers as they may access, store, process, transmit or manage University data, systems, or applications. As members of the Villanova University community, faculty, staff and student workers are accountable, and have an obligation to demonstrate an understanding of their unique role and responsibility, as the best defense to ensure the protection of the University’s information, data, and reputation.

 

Third Party Contractors (defined as vendors, consultants – non-Villanova employees) and Volunteers:

Third Party Contractors and volunteers who have access to University Data or systems in the course of their employment or volunteer activities are also covered by this policy. Except under narrow circumstances described in Section IV. Policy Statement below, volunteers may not have access to University Data or systems. When working or providing services on behalf of Villanova, Third Party Contractors and volunteers are accountable and have an obligation to demonstrate an understanding of their unique role and responsibility as the best defense to ensure the protection of the University’s information, data, and reputation.

 

Definitions

1.     University Data: University Data is any data or information that is created, owned, received, stored, or managed by Villanova University.

2.     Third Party Contractors: defined as vendors or consultant(s), and not University employees.

 

Policy Statement

The University Information Security Office is responsible for the information security awareness program, training, education, and awareness communication for the University. The program will include an enhanced understanding and appreciation of information risks; services that the University Information Security Office provides; information about the threats, techniques, and consequences to the University; information on reporting incidents; and guidance and resources to protect information and devices at work and at home.

 

Faculty, Staff and Student Workers:

Formal participation and review of the security awareness program (available via the University LMS) is mandatory for all full-time and part-time faculty and staff, every three years. Newly hired faculty and staff are required to complete the training within thirty days of their hire date. The requirement for a review every three years shall be superseded by an incident or information indicating a need for immediate intervention and training by a specific department, or the entire University. Additional topic-specific training may be required, based on role, information type access/use (e.g. PCI-DSS, Research, HIPAA, etc.), or identified increased risk. Student workers who may have access to, or the ability to store, process, transmit or manage University Data are also required to complete this training within thirty days of their hire date. It is the responsibility of the student worker’s supervisor to ensure that the student worker completes this requirement.

The University Information Security Office will coordinate, monitor, and track the completion of the required Security Awareness program. University Vice Presidents and Deans are required to ensure adherence to the policy, and completion of the required program. Program content will be updated yearly, in order to reflect current security trends, threats, techniques, and the evolving environment of information security.

Failure to comply with this policy may result in denial or removal of access privileges to the University’s electronic systems (e-mail, eLearning, wireless, and Villanova network).

Third Party Contractors and Volunteers:

Formal participation and review of the security awareness program for Third Party Contractors who have access to University Data or systems in the course of their academic, employment, or service activities is mandatory as a condition of Third Party Contractor engagement. This program will be delivered through University-created videos within thirty days after access is permitted. Volunteers may not have access to University Data or systems except in those instances in which it is strictly necessary in the performance of their volunteer or service activities. Any such access must be requested by the University administrator, faculty or staff who is overseeing the volunteers and authorized by UnIT before such access is granted.

University Vice Presidents and Deans overseeing Third Party Contractors and volunteers with access to University Data are required to ensure adherence to the policy, and completion of the required program. Program content will be updated yearly, in order to reflect current security trends, threats, techniques, and the evolving environment of information security.

Failure to comply with this policy may result in denial or removal of access privileges to the University’s electronic systems (e-mail, eLearning, wireless, and Villanova network).
