Policies and Procedures
Cyber Security Awareness and Education Policy
The State University of New York College of Environmental Science and Forestry (ESF) will require all individuals who access ESF’s information assets and systems to complete regular cybersecurity awareness training. This occurs annually, at a minimum, and will be supplemented by periodic college-wide awareness campaigns to reinforce cybersecurity principles.
Elements of the awareness and education program include the following:
- Selected modules from the campus training vendor based on a user’s role;
- Articles and/or pertinent information shared using campus communications mechanisms;
- Periodic social-engineering campaigns to reinforce vigilance and to provide an assessment of the program’s overall effectiveness so that adjustments can be made when necessary;
- New hires must complete their initial cybersecurity training within 60 days of their start date;
- Additional training for those found to not be practicing good cyber hygiene practices; and
- Training completion results will be maintained by the campus Information Security Officer (ISO) and ESF’s IT Department.
Reason for Policy
Data breaches are increasingly the result of human behaviors as attackers look to exploit these in order to access an organization’s systems and networks. Effective training helps ESF mitigate risk by equipping its workforce with the necessary knowledge and skills to uphold stringent security protocols. This policy aims to establish a structured approach to cybersecurity awareness, ensuring that all personnel are informed, trained, and equipped to protect sensitive information and technology resources. It seeks to foster a culture of security awareness, minimize risks associated with human error, and support the organization’s overall security objectives by aligning with security regulations and industry best practices. By meeting these standards, the policy not only strengthens the organization’s security posture but also ensures compliance with relevant legal and regulatory requirements.
References
Policy Office: Executive Director for Administration
Contact: [email protected]
- Gramm-Leach-Bliley Act (GLBA, 314.4)
- NIST 800-16: Information Technology Security Training Requirements
- NIST 800-50: Building an Information Technology Security Awareness and Training Program
- NIST 800-53: Security and Privacy Controls for Information Systems and Organizations
- NIST 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
- Family Educational Rights and Privacy Act (FERPA)
- Payment Card Industry Data Security Standard (PCI DSS) v4.x
- ESF Information Security Policy #401
- SUNY Procedure 6608 - Information Security Guidelines
- SUNY Policy 6900 – Information Security Policy
- New York State Information Technology Policy #NYS-P03-002
Contacts
Specific questions should be directed to the following:
Policy Clarification and General Information; Policy Development:
Chief Information Security Officer
(315) 470-6642
[email protected]
Definitions
- Individuals who access the College’s information assets and systems - Includes, but is not limited to, users with employee email and/or a network ID.
- Gramm-Leach-Bliley Act (GLBA) - A federal law enacted in the United States to control the ways institutions deal with the private information of individuals. Civil and criminal penalties can be assessed for non-compliance.
- National Institute of Standards and Technology (NIST): 800-53 and 800-171 - Agency of the U.S. Department of Commerce that provides recommended standards and controls to help organizations understand, manage, and reduce their cybersecurity risk and protect their networks and data.
- Family Educational Rights and Privacy Act (FERPA) - A federal law enacted in 1974 that protects the privacy of student education records.
- Payment Card Industry Data Security Standard (PCI DSS) - An information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
- Information Security Officer (ISO) - As required by GLBA’s Safeguards Rule, this is the campus designee responsible for overseeing, implementing, and enforcing ESF’s information security program.
- Information Security Committee (ISC) - ESF employees serving at the request of the President to assist the ISO and IT Department in developing and managing the campus information security program by providing guidance and feedback on various cyber security compliance initiatives.
Roles and Responsibilities
The following summarizes the roles and responsibilities associated with this policy:
- ISO and IT Department – have overall responsibility for ESF’s information security program, of which user awareness training is an important component.
- Information Security Committee – provides guidance to the ISO and IT Department on various subject matters within the campus information security program, including feedback on awareness education and training topics.
- Individuals who have access to ESF’s information assets and systems – responsible for timely completion of all assigned training within the stated deadlines.
Enforcement
Users of ESF’s information assets and systems designated to participate in mandatory training who fail to demonstrate a good faith effort to comply with the requirements within the stated deadline(s) will be required to change their passwords at more frequent intervals than normal and ultimately lose network access privileges until they take their training using a PC kiosk located in the IT Department.
Policy Details
Overview
Information security is more than keeping systems and networks secure. It is also about the people who use those systems and how they can be targeted by cyber criminals looking to exploit their trust in hopes of gaining access to ESF’s important information assets that we are required to safeguard. An effective awareness and education program helps mitigate the risk of a security incident or breach.
Awareness training and education must be ongoing due to the increasing variety and sophistication of cyber threats. These include but are not limited to spam, phishing, spoofing, malware, and ransomware, which can result in identity theft, data corruption, loss of intellectual property, operational disruption, and reputational damage. By law, ESF is liable for losses, fines and penalties caused by data breaches, as well as the internal costs of incident investigation and remediation.
Campus Policy
To comply with the standards, policies, and regulations cited in the "References" and “Related Policies/Procedures” sections, ESF requires a baseline level of knowledge through participation in annual information security awareness training for all individuals who access ESF’s information assets and systems. The ISO and IT Department, with input from the Information Security Committee, will select training topics based on an understanding of current cybersecurity threats. Some common topics include phishing, malware, AI, and password management. Training may be offered as computer-based modules, videos, and/or instructor-led sessions. Employees will be given a reasonable amount of time to complete the training so as not to disrupt their work activities. This training must be completed:
- Within 60 days of employment for new hires.
- Annually thereafter within published deadlines.
Additional role-based training may be required based on an individual’s job function and the type of information assets they could access. This may include information related to FERPA, PCI DSS, and/or other appropriate subject areas.
Awareness materials will also be made available to the campus community periodically. These may include posters and signage, email communications, events or activities, and optional training modules for specialized topics.
In addition to assigned training and informational materials, ESF will occasionally conduct simulated phishing exercises. The goal is to reinforce the training and provide data that allows the ISO and IT Department to assess the effectiveness of current training so that adjustments can be made where needed. These attacks will involve similar tactics to those used by real cybercriminals but will be carried out in a safe environment. Refresher training may be required for anyone who replies to the email, clicks a link, opens an attachment, or provides their credentials.
History
Procedure Revision Record
02/05/2026 Implementation Date
Policy Revision Record
02/05/2026 Policy Implementation
