
Security 101 Training

Protecting Carnegie Mellon’s digital landscape is a shared responsibility. Developed by the Information Security Office (ISO), this course provides the expertise to defend institutional and personal data against sophisticated cyber threats. You will master digital safety through core modules covering University Policy and DMCA regulations, Identity Defense (MFA and Passwords), and Threat Detection (Phishing and Malware).

Compliance & Access Requirements

  • Training must be completed within 63 days of assignment. Failure to do so will result in restricted access to Web Login services (Canvas, Google Workspace, Workday, VPN).
  • Restoring Access: Services are automatically restored within 90 minutes of training completion.
  • Need Immediate Access? If you are currently restricted, submit the  for a one-time, instant 7-day extension (activates within 5 minutes).

Select Your Training

Security 101: Foundational Awareness

New community members take a one-time introductory course.

  • Time: Approximately 45 minutes.

  • Focus: A comprehensive look at computing policies, identity authentication, and malware defense to ensure full institutional compliance.

Security 101: Annual Refresher

Current community members — including alumni.

  • Time: Approximately 15 minutes.

  • Focus: A streamlined update on current threat scenarios and policy changes to keep your security skills sharp and your account access active.

FAQs

Cybersecurity awareness training satisfies multiple compliance requirements.  A list can be found under Additional Information. Further, CMU's CIO, with the support of senior leadership and the Board of Trustees, has made mandatory training a condition of using Carnegie Mellon's computing resources.

ZenGuide is Proofpoint’s advanced security awareness and human risk management platform.  The ISO will leverage ZenGuide to deliver Security 101 training as part of our mandatory education initiative.

Cybersecurity awareness training satisfies multiple compliance requirements. Further, CMU's CIO, with the support of senior leadership and the Board of Trustees, has made mandatory training a condition of using Carnegie Mellon's computing resources. Check out the ISO's information on regulations requiring cybersecurity awareness training.

The following Cybersecurity regulations, rules and contracts require at least the basic security training provided by Security 101.  Additionally, topic-specific training may be required.

HEOA
The Higher Education Opportunity Act (HEOA) requires that students are made aware of federal copyright laws and the institutional policies and sanctions related to violations of copyright law.

GLBA
 is required through our  with the Department of Education to administer student financial aid.  This requirement applies to all users (staff and faculty) of S3 and PowerFAIDS.

“(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:
(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;”

NSPM-33
 requires that all US Government supported research and development comply with research security standards (among other requirements).  This requirement applies to all individuals (faculty, students, and staff) who work on any research that is funded in whole or in part by the US government (including subcontracts).

“Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.” (section 6)

NIST 800-171/CMMC
National Institute of Standards and Technology (NIST) Special Publication 800-171 describes controls that must be in place to protect Controlled Unclassified Information (CUI).  Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that requires third-party certification of compliance with NIST SP 800-171. Carnegie Mellon is subject to CMMC and NIST SP 800-171 through contracts and subcontracts from the Department of Defense.  The specific training requirements (3.2.1, 3.2.2, 3.2.3) apply to all individuals (faculty, staff, and students) who work on any Department of Defense contract or subcontract.

“3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

In addition to the explicit requirements for training (3.2.1, 3.2.2, 3.2.3), there is a requirement that all employees of a defense contractor (of which we are one) understand what CUI is and how to report it if seen outside of protected environments (3.1.3).  

“3.1.3 Control the flow of CUI in accordance with approved authorizations.”

Research Contracts/Data Use Agreements
Many contracts and data-use agreements that researchers must sign to access sponsored data require cybersecurity awareness training, which our Security 101 course generally provides.  Any individual (faculty, staff, students) with access to such data is required to take cybersecurity awareness training.  This is very common language in contracts with private companies or involving sensitive data from public entities.

PCI-DSS

 (must agree to the License Agreement for access to the PCI-DSS source documents) requires that all individuals involved with the handling of credit cards or that can affect the security of cardholder data receive training on how to properly meet their responsibilities under the PCI-DSS.

“12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.”

“12.6.3 Personnel receive security awareness training as follows: 

  • Upon hire and at least once every 12 months. 
  • Multiple methods of communication are used. 
  • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.”

Upcoming regulations that may affect cybersecurity training requirements

The Department of Education has  to require that all Federal student aid information will be subject to NIST 800-171, which includes a training requirement as described above.

If your access is restricted, it means your access to the central university login system has been temporarily blocked until you successfully complete the Security 101 requirement. This prevents you from signing in to any service that uses your CMU credentials for authentication.  If you're unable to log in via SSO, you will be restricted from accessing any service that requires CMU Web Login authentication. This includes, but is not limited to:


  • Google Workspace (Gmail, Google Drive, Docs, Calendar, etc.)
  • Canvas (course materials, assignments, grades)
  • Workday (payroll, benefits, HR services)
  • Zoom (CMU-hosted meetings and webinars)
  • Box (cloud file storage and sharing)
  • LinkedIn Learning (online training and development)
  • JIRA / Confluence (project management and documentation tools)
  • Library Services (online databases and journal access)
  • VPN Access (remote access to CMU network resources)
  • Software Licensing Portals (e.g., MATLAB, Adobe, etc.)
  • Student Information Online (SIO) (course registration, billing, transcripts)
  • Faculty Information Online (FIO) (class rosters, grading, evaluations)

Be advised that only one extension request is permitted. You acknowledged this when requesting your extension. Refer to your email to determine when you requested the extension. The email subject would be: Request Item RITM00XXXXX for Security 101 Training Extension is Completed.

Contact the Information Security Office (ISO) at iso-ir@andrew.cmu.edu or (412) 268-2044 with any concerns.

You are required to complete the training course, regardless of your affiliation, as long as you have an active Andrew account—even if you have deferred admission as a student. Completing this training is a condition for accessing Carnegie Mellon's computing resources.

You may still be showing as "In Progress" in the system. If you have completed the course, a completion certificate is emailed when the course is completed. If you have not received the email, please reopen the course, check the progress bar on the left side of the screen, and confirm that all modules are showing with checkmarks to ensure they have been completed.  You can on how to verify completion.  If you have further questions or need further assistance, you can reach out to the ISO at iso-ir@andrew.cmu.edu.