University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Security Awareness and Training
UPPM 87.21
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards Publication 199 (FIPS 199), which is intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring that each system be categorized as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the FIPS 199 categorization:
- Defines the impact levels (Low, Moderate, or High) that WSU Information Owners assign to their systems;
- Dictates which security controls are mandatory for each categorization level;
- Defines the strength, frequency, and formalization of those controls; and
- Influences audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
To support the integrity of WSU’s technology resources, all WSU personnel must have the knowledge and skills to identify, prevent, and respond to potential security risks. Users handling sensitive data are required to have additional training appropriate to their role.
The purpose of this policy is to ensure that all users of WSU email, applications, and other computing resources receive adequate training to understand and adhere to best practices in information security.
2.0 Applicability
This policy applies to all WSU system users who have, or may have, contact with WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance on the procedures for implementing it (see the associated examples).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
WSU Information Security Services (ISS), in consultation with HRS, is responsible for developing, implementing, and maintaining an information security and privacy awareness training program, as described below.
Supervisors are responsible for ensuring that all personnel within their supervisory authority have completed all mandatory training and that each employee’s training history is documented.
4.1 General
All WSU personnel are required to go through an annual security and privacy awareness training session that addresses relevant security and privacy topics, including training to recognize and report potential indicators of insider threat. This training is provided and documented by HRS in Percipio.
Personnel whose responsibilities require elevated access, including access to restricted or sensitive information, must complete designated, additional role-based security and privacy training prior to accessing the information or system.
The applicable business unit is required to designate any necessary role-based training for its personnel and consult with ISS to ensure designated training meets the unit’s security and privacy requirements. Units should use existing training in Percipio when possible. If the additional training is not available within Percipio, units should consult with HRS to determine whether Percipio can be used for administering and tracking training.
ISS reviews information security and awareness training content at least annually and updates it as needed, incorporating lessons learned from internal or external security or privacy incidents.
For any additional training (for example, specialized or role-based training) needed at the unit level, WSU business units must consult with ISS to establish and update additional training content on a regular basis and following significant security or privacy-related incidents.
4.2 Moderate- and High-Impact Systems
Employees who access moderate- and high-impact systems must also complete designated training on recognizing and reporting potential and actual instances of social engineering and social mining. This training is currently included in the cybersecurity training required of all WSU personnel, which is provided annually and documented by HRS in Percipio.
5.0 Resources and Related Policies
- UPPM 87.06: WSU Information Security
- UPPM 90.01: University Records – Retention and Disposition
_______________________
Revisions: March 2026 (Rev. 654); Sept. 2025 – New policy (Rev. 648).