103.1 Georgetown University Cybersecurity Training Policy
In support of UIS.103 Georgetown University Information Security Policy

Georgetown University has adopted the cybersecurity training principles established in NIST SP 800-50, “Building a Cybersecurity and Privacy Awareness and Training Program”, the publication that informs this security domain. Each University community member affiliated as active staff, faculty or matriculating student must adhere to the guidelines and procedures associated with this standard in order to support and be compliant with the University information security framework.
Scope
Cybersecurity training and the awareness of technology threats, risks, and vulnerabilities are a primary defense against those elements that can cause harm to us as individuals and to the University as a whole. As outlined in the Acceptable Use Policy, Employee Handbook, Faculty Handbook, Student Handbook, and various departmental and academic policies, each member of the University community has a responsibility to appropriately use, maintain, and protect the technology resources available at Georgetown.
Cybersecurity Awareness and Training
General Training
Cybersecurity and data privacy training courses are required for all active NetID account holders designated by the University Data Stewards as defined by this Standard. This includes staff augmentation resources provided by third-party contractors or other faculty/staff with courtesy appointments. Completion of the designated cybersecurity awareness course materials is required for all current-term students and instructors as well as all staff/AAP positions. Content may vary, but will minimally include a general understanding of cybersecurity best practice and methodologies to maintain security and respond to suspected cybersecurity incidents.
The CISO is responsible for supporting university-wide security and privacy awareness through training, informative websites, literature, technology forums and awareness campaigns, and other methods. Training includes online courses and activities and simulations to raise awareness of Phishing, Disaster Recovery and Business Continuity, Risk Management, Vulnerability Management, Incident Management, Elevated Privileges, Research Compliance, Regulated Data Protections, Insider Threat, and other specific topics related to prevailing threats.
- Faculty – Deans and Department Chairs are responsible for ensuring all appointed or contracted faculty and adjuncts with access to IT resources receive required information security and privacy training.
- Staff – Managers and Department Heads are responsible for ensuring all full- and part-time staff, and contractors/contingents with access to IT resources receive required information security and privacy training.
- System Administrators/Developers/Analysts/Engineers – Technology workers must complete security and privacy training to ensure competency in their positions, including training on the requirements of IT policies and standards. Technology workers granted administrative rights for IT resources must be properly trained and authorized based on job duties and responsibilities.
As verification of participation, the UIS Office of Cybersecurity Risk Management will maintain rosters of accountholders who have completed required training. Rosters shall be made available upon request.
Enhanced and Role-based Training
In coordination with the respective CIOs, data stewards, and technology administrators across the University campuses, additional relevant role-based training may be introduced to complement the general information presented via the institution-wide materials.
Access to information classified as High Risk or Moderate Risk data as defined by the UIS Data Classification table requires additional training. Prior to being granted access to High Risk or Moderate Risk data, users, security personnel and administrators may be required to complete additional role-based security training based on the information systems for which they are granted access. Training is based on elevated access and skill levels required to perform information duties and tasks in a manner that complies with university security and privacy requirements.
Targeted role-based training must be completed based on the classification of the data being accessed or shared, including regulatory requirements related to FERPA/GLBA, HIPAA, PCI-DSS, CUI, NRC, DPS, etc.
As verification of participation, the UIS Office of Cybersecurity Risk Management will maintain rosters of accountholders who have completed required training. Rosters shall be made available upon request.
Corrective/Remediation Training
There may be instances where policy violations, demonstrated susceptibility to fraudulent requests, counsel by leadership, or other situations require repeated or greater-than-annual participation in the specified cybersecurity training activities. Any accountholder who is asked to take “corrective” training will be notified via UISO in collaboration with the appropriate departmental management or academic advisor.
Cybersecurity and Data Protection Training Requirements
Role/Target Audience | Required Training | Frequency | Responsibility for Training |
---|---|---|---|
Existing End-Users | Cybersecurity & Privacy Awareness Training | Mandatory, annually | Compliance: UIS |
New Students – Orientation | Cybersecurity & Privacy Awareness Training | Mandatory, one-time during Orientation | Compliance: Dean of Students |
New Hires (Staff, Faculty, Contingents) – Onboarding | Cybersecurity & Privacy Awareness Training | Mandatory, annually | Compliance: Department Mgr |
Users with access to protected health information | HIPAA course | Mandatory, annually | Compliance: Data Mgr |
Users with access to protected student data | FERPA course | Mandatory, annually | Compliance: Registrars |
Users with access to protected Payment Card Information (PCI) | PCI-DSS course | Mandatory, annually | Compliance: Payment Systems Mgr, FA |
Resources
Information and resources supporting this policy and its standards include:
- NIST Cybersecurity Framework – Protect: Awareness and Training (PR.AT)
- NIST SP 800-53; NIST SP 800-171
- HIPAA Security Rule 45
- NSPM-33: Research Security, Section 4(g)
- Payment Card Industry-Data Security Standard
- Center for Internet Security Critical Controls
- DoE C2M2 Workforce Domain
- DoD Cybersecurity Maturity Model Certification – Awareness and Training Domain (AT)
Approval
Douglas Little, Chief Information Officer
Micah Czigan, Chief Information Security Officer
This policy will be reviewed and updated as needed unless changes in institutional policy or relevant law or regulation dictate otherwise.
Last reviewed and approved: May 2025
- Chief Information Security Officer
- Office of Cyber Risk Management