The data that allows CU to deliver on our academic and research missions is critical to our success and protecting it from compromise is a priority for the CU Board of Regents, administration, and campus chancellors. For that reason, a new requirement has been implemented. 

New Training Requirement Effective Oct. 2, 2023

All CU employees (faculty, staff, and student employees) must complete the university’s Information Security Awareness training course within the first 60 days of employment and every two years thereafter.

Supervisors are key in helping the university reach our training compliance goals by ensuring employees in their departments follow the new requirement.

The Information Security Awareness training course provides an overview of security principles as they apply to data at CU. The course takes about 30 minutes to complete. After completing the training, you will be able to:

  • Identify Confidential and Highly Confidential data that requires special handling
  • Recognize and report phishing scams
  • Choose strong credentials for logging into your accounts
  • Protect data on portable devices
  • Recognize signs of an insider threat

Which CU policy supports required security training?

The APS 6005 IT Security Program policy provides the following requirements for employee training.

  • All university employees, including associates and other individuals, who require the use of university IT resources to perform their duties, will receive initial training and periodic refresher training relevant to their IT security responsibilities.
  • Supervisors will ensure employees are trained to fulfill their IT security responsibilities.
  • Employees with elevated computing privileges (e.g., server support technicians, user account managers, or web page administrators) may require specialized training for fulfilling their IT security responsibilities effectively. 

What constitutes an employee and student employee?

An employee is anyone who is paid through Employees Services. A student employee is any student who is paid through Employee Services. This includes graduate, work-study, and international students.

Retirees are not required to complete the course.

How long does it take to complete the course?

It takes approximately 30 minutes to complete the course and pass the quiz. 

How do I access Skillsoft training?

This link should take you directly to the course after passing the portal authentication. If you experience an issue, try any of the following processes.

Launch the course from the Library and not from the link found in your Learning Transcript. The course can be found by searching for it at the top of the Skillsoft screen, or in the Information Security and Technology folder located on the left side of the screen after you select your campus as shown below:

Screenshot of Skillsoft Course Access

 

You may also visit the Employee Services Skillsoft Help webpage for instructions. 

If you have technical difficulties while taking the course (e.g., frozen screen, continuous buffering), Skillsoft Support recommends relaunching the course using your browser’s incognito feature. You should be able to restart the course and click “next” until you reach your previous endpoint.

For questions or further help, contact system.training@cu.edu.

I cannot recall when I last completed the training course. How do I view my record of training completions?

To view your real-time record in Skillsoft:

  • Log on to your campus portal (https://my.cu.edu).
  • Go to Learning Transcript.
  • Select Add Filters.
  • Choose a Status (All, Started, Completed).
  • Apply more filters, if wanted (Type or data range).
  • Click Apply.

Employees may also access training records from their portal by using the Training Summary.

What happens if I am currently noncompliant and do not complete the training by Nov 30, 2023?

Beginning Dec 1, 2023, Skillsoft's automated reminder emails will be sent to those who have not completed the training course in the previous two years. The reminders will be sent once a week for up to eight weeks. If the training is still not completed, weekly overdue notices will be emailed until completion.

Your supervisor is also expected to run a training completion report.

I am affiliated with the university but am not paid as an employee (often referred to as a person of interest or POI). Does the training requirement apply to me?

At this time, university volunteers and affiliates, or persons of interest (POIs), are not required to complete the training; however, it is highly recommended that POIs with access to CU’s Confidential or Highly Confidential data or information systems complete the training.

POIs include volunteer faculty, off-campus Work-Study employers, employees of University Physicians, Inc. (UPI) and visiting scholars.

Automated Reminder Emails

Beginning Dec 1, 2023, Skillsoft will send automated reminders and overdue emails to those who are noncompliant regardless of your role.  

If you are a POI that is not required to complete the training, we suggest setting up an Outlook Rule to delete the ongoing notices using the email subject lines.

  • Subject line text for the reminder email: Training Plan Reminder Notice: CU: Information Security Awareness due [enter the due date from your email]
  • Subject line text for the overdue notice email: SkillSoft Learning Plan Overdue Notice: CU: Information Security Awareness due [enter the due date from your email]

IMPORTANT: Do not delete reminder emails based on the sender, which is "system.training@cu.edu." If you set up the Outlook Rule to delete emails based on the sender, you will no longer receive important email messaging from the CU System Training team.

I received automatic email reminders to complete the training; however, I am compliant. What should I do?

Forward the reminder email to system.training@cu.edu and ask them to confirm your completion.

For POIs that departments determine are not required to complete the training, we suggest setting up an Outlook Rule to delete the reminder emails. (See the previous FAQ for more information about Outlook Rules.) 

I recently completed the Information Security and Privacy Awareness training course. Is this course different than the Information Security Awareness course?

No. Only the course title was changed. The subject matter is still the same.

Are there any other security training courses that I am expected to complete?

CU’s Office of Information Security (OIS) highly recommends that employees, students, contractors, and POIs with elevated computing privileges complete the Information Security for IT Service Providers (u00064) training course.

The course:

  • Provides an overview of security practices and policies for IT services providers.
  • Has a target audience that includes employees, students, contractors, and POIs who serve as programmers, server/workstation support, account administrators, webmasters, and others.
  • Covers policy, security management, access management, physical and environmental security, and incident detection and reporting.
  • Includes a 10-question quiz that learners must pass with 100% to receive credit.
  • Requires learners to acknowledge they will uphold confidentiality and agree to access data only as needed for authorized tasks.

OIS also recommends that departments establish the training as an annual requirement for those within the targeted audience since the course is updated annually.

Note: This course replaces the IT Confidentiality Agreement (u00087) training course, which was retired on July 14, 2023, and is no longer available.

Visit Available Training to learn about other security courses.

For Supervisors: How do I check training completions for my team?

Download the step-by-step guide, Running a Training Completion Report. It explains how to run a student or employee completion report out of CU-Data (Cognos).

For Supervisors: What about employees on leave of absence?

Employees on leave do not need to complete the training until they have returned to work. If you have any questions, please contact your campus HR.

For Supervisors: Are POIs required to complete the Information Security Awareness training course?

At this time, people employed as persons of interest (POIs) are not required to take the training course; however, it is highly recommended that POIs with access to CU’s Confidential or Highly Confidential data or information systems complete the training.

POIs include volunteer faculty, off-campus Work-Study employers, employees of University Physicians, Inc. (UPI) and visiting scholars.

Who should I contact for more information or questions?

Send an email to system.training@cu.edu