Information Assurance Awareness, Training, and Education

Standard number: DS-16
Date issued: 7/1/2018
Date last updated: 10/29/2025
Date last reviewed: 10/29/2025
Date of next review: 10/29/2027
Version: 2.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance

This Standard supports and supplements the Information Security (SPG 601.27) policy. The Standard is mandatory and enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

I. Overview

Protecting the confidentiality, integrity, and availability of U-M systems and data is the responsibility of all members of the U-M community. By participating in information assurance awareness, training and education, members of the U-M community can help reduce the risk of data breaches, maintain compliance with applicable laws, regulations, contractual agreements, and U-M policies, and ultimately help protect U-M systems and data. As an additional benefit, information assurance education and awareness provides individuals with the knowledge and skills that help them protect their own devices and data.

II. Scope

This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates. The scope includes general and topic-specific awareness activities, training, and required access compliance for all users of U-M information resources. It does not include required or optional specialized training and certification courses for IT professionals.

III. Roles and Responsibilities

  • Chief Information Security Officer (CISO)
    • Support a university-wide awareness, training, and education program and advocate for resources and funding;
    • Collaborate with other university stakeholders to ensure support and dissemination of communications are maintained;
    • Provide guidance on the strategic direction, planning, and prioritization.
  • ITS Information Assurance (IA)
    • Promote information assurance awareness and related communications to the university community;
    • Maintain the Safe Computing website with up-to-date guidance, tips, and how-to instructions;
    • Develop, manage, and/or support data protection, IT security, and compliance training;
    • Contribute to multiple repositories of compliance and security materials;
    • Ensure the program meets University and industry regulations, standards, and compliance requirements;
    • Integrate and support broader university-wide education and awareness efforts;
    • Assess current and planned education and awareness systems for consistency and improvement;
    • Coordinate and track ongoing education and awareness activities and projects;
    • Foster relationships with internal and external stakeholders and collaborate with them to understand and implement improvements;
    • Develop education and awareness materials and help support training needs.
  • Unit IT Managers & Security Unit Liaisons
    • Collaborate with IA to meet shared awareness, training and educational needs;
    • Develop and implement ongoing unit-based awareness activities and training as needed;
    • Participate in the dissemination of educational and awareness materials to their units;
    • Ensure that all users (including vendors and contractors) of their systems and applications are appropriately trained before allowing them access to enterprise or unit-specific systems and applications.
  • Users

IV. Standard

The university offers awareness, training, and education resources to help U-M community members protect the university’s valuable digital assets.

All faculty, staff and workforce members are required to complete annual data protection training to maintain access to the university's digital resources.

Certain job functions or working with specific types of data require additional specialized education. The university and its units may at their discretion require U-M faculty, staff, workforce members and sponsored affiliates to complete specific training and compliance activities.

To ensure that U-M employees and workforce members stay up to date on required training, it is recommended that participation in information assurance training and awareness be included, when appropriate, in staff work plans and be reflected in performance evaluations.

V. References

Safe Computing

VI. Related NIST Security Controls

  • Building a Cybersecurity and Privacy Learning Program, NIST SP 800-50 Rev. 1 (September 2024)
  • NIST SP 800-53 Revision 5:
    • AT-01 Security Awareness and Training Policy and Procedures
    • AT-02 Security Awareness Training
    • AT-03 Role-Based Security Training
    • AT-04 Security Training Records