Security Awareness Policy
The Commonwealth of Virginia has developed an Information Technology Security Standard upon which VMI Security Awareness Policy is based (Commonwealth of Virginia Standard).
New VMI computer users are required to complete security awareness training within 30 days of their engagement date. All users are required to participate in security awareness training at least once every year. See General Order 27.
Process: A VMI computer user is defined as anyone who has been issued a VMI network account.
VMI uses a highly modified and improved version of the James Madison University model for Security Awareness training. This training mechanism is approved by the VMI ISSO (Information Systems Security Officer). The training module for cadets is different from all other user training modules. The training URL is: http://www1.vmi.edu/sa
An email is automatically generated to each user as a notice to take or retake the training as appropriate. The first notice will be sent 30 days prior to the training completion deadline. A second notice will be sent 15 days prior to the training completion deadline. If the user has not completed the training within 10 days of their deadline a notice will be sent to them each day until they complete the training or the completion date has passed. Anytime a user completes the training, a new training deadline date is set 12 months into the future.
If a user fails to complete the required training by the deadline set for them, their network access will be disabled the morning of the following day-of-business. Disabling an account will not corrupt any user data and email messages will continue to be received. However, the user will not be able to access any of these services. To enable a network account the user must present him/herself, along with a photo ID, to the Help Desk. The Help Desk will reset training completion deadline by one additional business day so that the user may complete the Security Awareness Training.
A user history file is maintained in a secure access database where reports are generated upon request of an authorized user. Authorized users include the APA auditor, the Human Resources department, and the VMI ISSO. Upon separation of a VMI employee, the Human Resources department will print the employee’s training history to be placed in their permanent file. At that time the employee will be purged from the security awareness history file. All other user’s history will be purged when their network account is deleted.