Security Awareness Program Policy

Approved by: Senior Staff

Approval Date: April 2017

Revision History: None

Primary Office Responsible for Administering this Policy:

Information Technology

Related Policies:

Policy Statement

This policy formalizes the Information Technology Security Awareness Program at Amherst College to help protect the College's digital and sensitive resources, including digital and non-digital data, network resources, and other services. Although some individuals must meet regulation or contractual agreements related to their security awareness, education, and training, this policy sets forth a requirement for all employees to participate in the Security Awareness Program.


This policy applies to all Amherst College faculty and staff.


Security Awareness – in the context of this policy, Security Awareness means documentation, training, and digital or personal communications that convey information and/or instructions about policies and procedures for working safely with digital and other sensitive resources. 


A. Topics Covered

The Security Awareness Program includes content about security risks, regulation, and Amherst College policies related with administrative, technical, and physical security of the College's digital and/or sensitive assets. Departmental managers may assign additional security awareness materials that are unique to each specific operation and will serve as a supplement to the core materials provided through the Security Awareness Program. Employees may contact Information Technology at any time for clarification or to ask specific questions about the materials provided through the IT Security Awareness Program.

B. Initial Participation

All employees are required to participate in the Security Awareness Program within two weeks after joining the College. Information Technology will provide details about how to participate via email to each new employee.

C. Frequency of Participation

All existing employees are required to participate in a Security Awareness Program refresher yearly. Each year, Information Technology will remind participants to complete the required refresher training within one month after receiving the reminder.

D. Delivery Methods

The primary method of participation is through a website. Participants can comply with the requirement for participation at their own pace, within the timeframes previously specified in this policy. Information Technology, from time to time, releases security notices and publications that are time-sensitive through other methods of contact. These notices are considered part of ongoing security awareness and inform employees about regulatory changes or imminent security threats. Other methods of contact include: e-mail messaging; on-site training such as custom, departmental training; print media such as newsletters, posters, or campus publications; text via direct messaging, phone texting, screen savers, or logon messages; and website resources through the Amherst College website.

E. Compliance

Senior Managers and Department Heads will be alerted about any employee in their division who does not participate in the Security Awareness Program within the timeframes previously specified in this policy. Supervisors will be expected to encourage compliance in a timely manner.

F. Contact Information

For any questions about this policy, please contact:

  • Chief Information Officer: extension 2180