Last reviewed: June 2017

Below are some guidelines in FAQ format on how to work with staff to understand and mitigate the risks to sensitive data in the realm of academia.

Where do I start in developing an information security plan for staff?
  • Establish a relationship with administrative office heads and other senior-level staff, and introduce your ideas for outreach to the staff community.
  • Convene a steering committee, cybersecurity awareness committee, or working group consisting of a diverse group of staff (including representatives from your IT/information security department) to discuss the best approach to use for this outreach, common issues regarding information security in the staff space, and elements that could become a barrier between you and the staff during outreach. Work with the group to identify a limited number of information security topics to focus on each year.
  • Obtain buy-in from the administration leadership and senior managers and work with those individuals to issue a message to staff confirming the institution's commitment to protecting its data.
What are some outreach venues?
  • Invite staff to join the Information Security awareness or steering committee mentioned above.
  • Utilize existing events and initiatives such as National Cyber Security Awareness Month, Data Privacy Month, etc., as launch pads for your InfoSec awareness program or new initiatives such as lunch-n-learn cybersecurity awareness events. Invite staff from departments across campus to help coordinate/facilitate events.
  • Convene events that cater to staff specifically, such as campus-wide staff conferences, meetings, or new employee orientations.
  • Hold administrative department governance meetings.
  • Circulate a staff newsletter.
  • Hold meetings or conferences specifically developed by the information security department.
  • Send out cybersecurity tips monthly on selected topics.
  • Create a cybersecurity awareness blog containing tips and other important information.
What are some messages to include in outreach communications?

The messages for your staff will heavily depend on the senior-level staff and your IT/information security department. However, you may want to add these general points to your messages:

  • Information security is everyone’s responsibility, not just campus IT/information security.
  • Data breaches can financially impact colleges and universities, possibly resulting in the loss of donations.
  • Data breaches can happen in the academic space. Staff can reduce this risk by preventing loss of data and not waiting until a mistake occurs to learn prevention techniques.
  • Protecting data is a collaborative effort between faculty and staff.
  • Student information is considered confidential and needs to be protected by anyone accessing or using it for academic purposes.

  • Federal laws such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), GLBA (Gramm-Leach-Bliley Act), and the HITECH (Health Information Technology for Economic and Clinical Health) Act all have requirements regarding the protection of specific categories of data.

  • To date, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have state breach notification laws. It is the responsibility of each college and university to adhere to the laws that affect its student population.

How do I maintain access to staff for outreach purposes?
  • Establish a list of staff representatives for each department and meet with them on a regular basis to discuss hot topics, alerts, and issues of concern.
  • Create an information security web presence using a traditional web page, social media sites, and/or a course in your college/university’s LMS with opportunities for staff to give feedback and stay abreast of educational opportunities and alerts.
  • Work with department representatives to make information security a part of traditional business processes (e.g., purchasing, data storage and transfer, hardware and data disposal). Making information security a part of the checklist for completing these processes will build and retain relationships with department representatives.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).