Purpose
The purpose of this policy is to raise the awareness of information security and to inform and highlight the responsibilities employees and third-party contractors have regarding their information security obligations. Formal information security awareness will aid in the protection of data, personal, intellectual property, financial, or restricted and sensitive information, networked systems, and applications entrusted to and utilized by LEADx, by providing a broad understanding of information security threats, risks and best practices.
Scope
Employees:
This policy applies to all staff as they may access, store, process, transmit or manage LEADx data, systems, or applications. As members of the LEADx staff are accountable and have an obligation to demonstrate an understanding of their unique role and responsibility, as the best defense to ensure the protection of LEADx information, data, and reputation.
Third-Party Contractors (defined as vendors, consultants – non-LEADx employees):
Third-Party Contractors and volunteers who have access to LEADx Data or systems in the course of their employment or volunteer activities are also covered by this policy. Except under narrow circumstances described in Section IV. Policy Statement below, volunteers may not have access to LEADx or systems. When working or providing services on behalf of LEADx, Third Party Contractors and volunteers are accountable and have an obligation to demonstrate an understanding of their unique role and responsibility as the best defense to ensure the protection of the LEADx information, data, and reputation.
Definitions
1. LEADx Data: LEADx Data is any data or information that is created, owned, received, stored, or managed by LEADx.
2. Third-Party Contractors: defined as vendors or consultant(s), and not LEADx employees.
Policy Statement
The LEADx CTO is responsible for the information security awareness program, training, education, and awareness communication for LEADx. The program will include an enhanced understanding and appreciation of information risks; services that the LEADx CTO provides; information about the threats, techniques, and consequences to LEADx; information on reporting incidents; guidance and resources to protect information and devices at work and at home.
Staff
Formal participation and review of the security awareness program is mandatory for all full time and part time faculty and staff, every three years. Newly hired faculty and staff are required to complete the training within thirty days of their hire date. The requirement for a review every three years shall be superseded by an incident or information indicating a need for immediate intervention and training by a specific department, or LEADx. Additional topic specific training may be required, based on role, information type access/use (e.g. PCI-DSS, Research, HIPAA, etc.), or identified increased risk. Workers who may have access to, or the ability to store, process, transmit or manage LEADx Data are also required to complete this training within thirty days of their hire date. It is the responsibility of the worker’s supervisor to ensure that the worker completes this requirement.
The LEADx CTO will coordinate, monitor, and track the completion of the required Security Awareness program. LEADx executives are required to ensure adherence to the policy, and completion of the required program. Program content will be updated yearly, in order to reflect current security trends, threats, techniques, and the evolving environment of information security.
Failure to comply with this policy may result in denial or removal of access privileges to LEADx's electronic systems (e-mail, wireless, and LEADx network).
Third Party Contractors and Volunteers: Formal participation and review of the security awareness program for Third Party Contractors who have access to LEADx Data or systems in the course of their employment is mandatory as a condition of Third Party Contractor engagement. This program will be delivered through LEADx created videos within thirty days after access is permitted. Volunteers may not have access to LEADx Data or systems except in those instances in which it is strictly necessary in the performance of their volunteer or service activities.
LEADx executives overseeing Third Party Contractors with access to LEADx Data are required to ensure adherence to the policy, and completion of the required program. Program content will be updated yearly, in order to reflect current security trends, threats, techniques, and the evolving environment of information security.
Failure to comply with this policy may result in denial or removal of access privileges to the LEADx electronic systems (e-mail, wireless, and LEADx network).
