Overview
Security awareness training is an important part of the University of Oregon's IT Security Program meant to increase users’ awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of university information resources. This training is delivered in three main ways:
- UO Cybersecurity Awareness Training: As part of the employee onboarding process, basic security awareness training is provided by Information Services to all employees. Training content includes security basics, common threats, and how to recognize and report suspected security incidents. This training should be completed within 30 days of hire.
- Regular Training Updates: As part of ongoing education, security training updates are sent by Information Services on a periodic basis, as well as when significant information system changes occur. Updates consist of relevant security topics including information on security threats, system updates, and how to recognize and report suspected security incidents.
- Role-Based Security Training: Employees with roles that include traveling on official business, elevated access, or handling sensitive, confidential, or externally regulated data are provided additional training materials relevant to their specific job roles and functions.
- Simulated Phishing Educational Campaigns: On a quarterly basis, the Information Security Office conducts a simulated phishing educational exercise for all university employees.
UO Cybersecurity Basics - recommended for all employees
As part of UO's efforts to address the increasing threats to the security of our information systems and data, we recommend UO employees take this short cybersecurity training assignment:
Employees required to take this training are contacted directly via email from infosectraining@uoregon.edu with instructions.
Every member of the university community has a responsibility to safeguard the information assets entrusted to us. This training program will better prepare all of us to fulfill this responsibility and to strengthen our defenses against future attacks. Adopting behaviors that protect information benefits the university, and can benefit you and your family, as well.
In-Depth Security Topics
The following pages are designed to supplement the above Information Security Awareness Training. They provide a more in-depth review of specific cybersecurity topics. They can be used together as a comprehensive supplemental curriculum or individually to address specific areas. Each page provides tools and information about what to do and what not to do to keep your computer and data safe and secure.
In-Person Training
To inquire about requesting a special in-person computer security awareness training for your department or unit, please send an email to infosectraining@uoregon.edu.
Role-Based Information Security Training
Information security training needs and requirements vary based on a person's role on campus. UO's Security Awareness Training Program currently offers these other training assignments based on the access that a UO community member has to sensitive or externally regulated data, or if the UO community member travels to a restricted country while performing official duties for the university.
Keeping Information Secure While Traveling Internationally
UO community members who travel on official university business to countries that pose a high information security risk must complete training. Individuals will be notified of this requirement by first receiving an email from Concur, the university's travel system, that notifies them of the training requirement. Secondly, the individual will receive an email from infosectraining@uoregon.edu with directions on how to access the training.
Security Awareness Resources For Travel
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.
UO provides financial services to student customers. As such, UO falls within the definition of financial institution under GLBA and must comply with the law's requirements.
Individuals who process or have access to GLBA covered data must take this training annually, and will receive an email with instructions on how to access this training. Generally speaking, any employee, faculty, or staff that process customer information, including financial aid and student billing data, must take this training. Please talk to your supervisor or top-level administrator if you have questions about whether or not your position handles GLBA data.
If you are a supervisor or top-level administrator and have questions about whether or not GLBA applies to your department, please email infosectraining@uoregon.edu.
Security Awareness GLBA Resources
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.
The following types of individuals and organizations are subject to the HIPAA Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
- Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process non-standard information they receive from another entity into a standard (e.g., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Individuals who process or have access to HIPAA-covered data must take this training annually. If you need this training or think you need this training, please talk to your supervisor or top-level administrator about whether or not your position handles HIPAA-covered data. Individuals enrolled in this training will receive an email with directions to access the training platform.
If you are a supervisor or top-level administrator and have questions about whether or not HIPAA applies to your department, please email infosectraining@uoregon.edu.
Security Awareness HIPAA Resources
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), this standard aims to secure credit and debit card transactions against data theft and fraud. While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions.
Individuals who process or store credit card transactions must take this training annually. If you need this training or think you need this training, please talk to your supervisor or top-level administrator about whether or not your position handles PCI DSS covered data. Individuals enrolled in this training will receive an email with directions for accessing the training.
Security Awareness PCI DSS Resources
Simulated Phishing Educational Campaigns
The Information Security Office (ISO) carries out quarterly simulated phishing educational campaigns. These simulations will mimic real-world phishing attacks, which:
- request personal data (for example, passwords, credit card information, and bank account details);
- ask you to click on a malicious link or view/download a malicious attachment; and/or
- urge you to take an action that could compromise our organization in some way (for example, by executing a fraudulent wire transfer or sending sensitive data to a threat actor).
As is the case with real phishing emails, our simulations may include logos and brand identifiers from known and trusted organizations. Do not contact the external organization directly when you receive a suspicious email. Instead, use the "Report Phish" button in Outlook, or forward the message to phishing@uoregon.edu to report it to the ISO.
Additional Specialized Training Resources
Requesting Help
Please submit a ticket to the Security Awareness Training Support Service.