Computing and Information Services
Network Group

Texas A&M University
Computer Security Policy

December 9, 1994

Appendix E - Personnel Security and Security Awareness

In any organization, people are the greatest asset in maintaining an effective level of security. At the same time, people represent the greatest threats to information security. No security program can be effective without maintaining employee awareness and motivation.


Employee Requirements

Every employee is responsible for systems security to the degree that the job requires the use of information and associated systems. Fulfillment of security responsibilities is mandatory and violations of security requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, and criminal penalties.


Positions in Sensitive Locations or of Special Trust or Responsibility

Individual positions must be analyzed to determine the potential vulnerabilities associated with work in those positions. In some cases, it may be appropriate for departments, with the approval of the Human Resources Department, to designate classes of employment as being positions of special trust or responsibility. It may also be appropriate to designate locations as sensitive and to require appropriate procedures and safeguards for all employees whose duties include access to those areas.


Security Awareness and Training

An effective level of awareness and training is essential to a viable information security program. Employees who are not informed of risks or of management's policies and interest in security are not likely to take steps to prevent the occurrence of violations.

Departments shall provide an ongoing awareness and training program in information security and in the protection of Information Resources for all personnel whose duties bring them into contact with critical or sensitive University Information Resources. A suggested ethics statement is contained in Appendix I, CIS Computer Ethics Statement.


Acknowledgment of Rights and Responsibilities

Employees with access to administrative application systems acknowledge the security requirements of the systems and their responsibility to maintain the security of the systems before access to the system is granted. This acknowledgment occurs by signing the application statement of security responsibility during mandatory training sessions, and by presentation of an on-line statement when the application is accessed. The statements of security responsibility for the BPP, FAMIS, and SIMS applications are contained in other appendices.


Hiring and Termination Procedures

University departments should take advantage of opportunities arising through the hiring and termination of employees to reinforce security awareness and to indoctrinate employees regarding their obligations under University security policies and procedures.

Upon termination of a person who occupies a position of special trust or responsibility, or is working in a sensitive area, management should revoke all access authorizations to Information Resources.