Platform X - Awareness and Training Policy
This is the policy for Platform X training requirements.
- Purpose
- The purpose of this policy is to document the training requirements for Platform X (Px) Resources.
- Reference
- 45 CFR Part 164
- NIST Special Publication 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations"
- Scope
- This policy applies to all researchers, support staff, and management registered with the Px Program. This policy is supplemented by security standards documented for Px SSP, SMPH Divisional Policies, Office of Compliance HIPAA Policies and UW-Madison security policies. This policy supersedes any lesser or conflicting requirements.
- Roles & Responsibilities
- CHI2 System Owner – Responsible for creating and providing role-based Information Security training to Px IT support staff and maintaining training records.
- CHI2 Training & Privacy Official – Responsible for training the user base with Px-specific secure data handling methods and HIPAA-aligned privacy-preserving data methods, and for ensuring UW-Madison annual HIPAA Privacy and Security training is completed by users of data in Platform X.
- Principal Primary Investigator – Responsible for providing supplemental role-based training for their researchers, including appropriate Human Subjects Research training.
- Policy
- The CHI2 must ensure access to, and completion of, appropriate training courses and related procedures covering information security awareness and HIPAA security and privacy regulations.
- All registered members of the Px Program, researchers with access to the Platform X services, CHI2 Px IT Support, and Px Management must participate in, comprehend, and understand Information Security Awareness training as part of the initial training for the UW Px program prior to being granted access to systems and data.
- Security Awareness training is to be completed annually as part of the annual refresher training to retain access to systems and data. All users are required to retrain after any major event, including changes to HIPAA regulations, IT security changes, or after major security incidents.
- Records of training are processed and stored by the Px CHI2 Training & Privacy Official for at least seven years from the date of completion.
- Review
- This policy shall be reviewed at least every three years or after any major change to the Px Program. This policy is effective for three years from the date published.