VII:01:29 Cybersecurity Awareness and Training Policy

Purpose

This policy provides guidance on the cybersecurity awareness, education, and training for all faculty and staff at all Volunteer State Community College locations. Compliance with this policy helps ensure the faculty and staff users of Vol State IT resources are trained on current cybersecurity threats and vulnerabilities. For example, it helps users recognize and react to phishing emails, smishing attempts, and malware-laden applications. This ultimately helps protect Vol State computer systems and IT resources from cyberattacks.

Definitions

For the purposes of this policy, the following definitions shall apply:

  1. Information Technology Resources – all Volunteer State Community College information technology hardware assets, software assets, computing systems, networks, network components, facilities, services, data, and information, regardless of location, provider, management, medium, or how the resource is provided/delivered, that exists for the purpose of conducting business or academic activities. This includes, but is not limited to, computers, servers, mobile devices, email systems, internet access, wi-fi access, cloud-based applications, databases, and any associated peripherals or support services.
  2. User – any person employed by Vol State who has authorized access to an IT resource. This includes, but is not limited to, full-time faculty and staff, part-time faculty and staff, temporary employees, and adjunct faculty.

Policy

  1. Mandatory Training
    1. The College’s Cybersecurity Team shall provide to all users, as defined above, cybersecurity awareness and training on a regular basis.
    2. Cybersecurity awareness and training shall be provided to each individual user in a manner that allows for tracking completion of the assigned training.
    3. It is the responsibility of every user to satisfactorily complete assigned mandatory training within the timeframe defined in the training notification. Failure to complete training by the required date may result in loss of access to IT resources, except for direct access to the required training, until such time as the training has been satisfactorily completed.
  2. The College’s Cybersecurity Team shall provide to all users, as defined above, phishing simulations and other appropriate stimuli on a regular basis.
  3. The CIO or their designee has the final authority to interpret the terms of this policy. The CIO or their designee may grant exceptions to this policy, in writing, based on an evaluation of the risks versus the benefits.

 

TBR Source:  none.

VSCC Source: August 13, 2025, President’s Cabinet.