Information Security Awareness Training Resources

  1. Password Security
  2. Staying safe online
  3. Social Engineering
  4. Phishing
  5. Regulations
  6. Policies
  7. Handling sensitive information
  8. Mobile device security
  9. Physical information security
  10. What to do if there’s an information security incident

Password Security

Do not share your password with anyone. The university's information security policies prohibit password sharing. Don't use the same password more than once. For example, your BearPass password should be different than your Netflix password or your Facebook password. You should make your password complex by combining uppercase letters, lowercase letters, numbers and symbols into a fairly long password that’s difficult to guess.

Staying safe online

Be aware that some malicious sites will attempt to impersonate legitimate sites in order to trick you into giving up sensitive information like your username and password. Malware is often spread through email, so never open an attachment that you're not expecting. Also, be aware that all university computers must have antivirus installed and running.

Social Engineering

Cyber-criminals may attempt to manipulate you into revealing confidential information or performing an action. Social engineering comes in many forms including email and web (also known as phishing), by telephone, or in person. It's very important that you be suspicious of this type of attempt and not provide confidential information to cyber criminals.


Phishing

Phishing usually involves an email from a cyber-criminal attempting to impersonate an organization or another individual. They will attempt to make you click on a link, open an attachment, or respond to the email. Doing any of these can lead to an information security incident.

Regulations and policies

Missouri State must comply with a number of regulations that prohibit disclosing certain information. These include:

  • FERPA: Family Educational Rights and Privacy Act, which covers students and disciplinary records.
  • HIPAA: Health Insurance Portability and Accountability Act, which covers medical records.
  • GLBA: Gramm-Leach-Bliley Act, which covers financial information.
  • PCI DSS: Payment Card Industry Data Security Standard, which covers credit and debit card information.

If you handle data covered by these regulations in your job, see your supervisor or My Learning Connection for additional compliance training.


Missouri State has a comprehensive set of information security policies available for review in the policy library.

One of these policies is the Information Security Data Classification Policy. This breaks down all the information the university holds into one of three classifications:

  • Public information: Information the university makes publicly available, like the course catalog and directory information.
  • Private information: Information the university keeps confidential but that is not subject to regulation. This includes information like BearPass numbers and vendor documentation.
  • Restricted information: Information that law or contract requires the university to keep confidential. This includes things like academic records.
  • Highly Restricted information: Information that the university has a special obligation to protect, including Social Security Numbers, Credit Card Numbers, and Protected Health Information.

Handling sensitive information

Sending private, restricted, or highly restricted information off campus requires an approved Sensitive University Data Export Request System (SUDERS) request. SUDERS can be found online at My Missouri State. Be conscious of where you store private or restricted information. According to the Information Management Policy, it must be stored in an appropriate place and encrypted.

Mobile device security

Set a passcode for your device. On most modern smartphones, this will encrypt the device. Also, set up a device locator tool.

Physical information security

Paper documents that contain restricted or private university information must be locked up when not in use. This could be a locking file cabinet or in a locked office. Securely shred paper documents that are no longer needed.

What to do if there’s an information security incident

Information security incidents must be reported to the information security office. An information security incident is an event that adversely affects the Confidentiality, Integrity, or Availability of a university system or information. Examples of information security incidents include unauthorized access to, or modification of, university systems or information, or the loss or theft of equipment used to store private or restricted university information.