UH Information Security Awareness Training (ISAT)

Administrative Procedure 2.215, Mandatory Training on Data Privacy and Security , requires ALL UH employees, including student and graduate assistants to complete the Information Security Awareness Training (ISAT) annually. A small group of employees, primarily from Bargaining Unit 1, may be exempt from the ISAT. UH Foundation employees and selected RCUH employees are also subject to the training.

To access the ISAT

  1. Go to https://www.hawaii.edu/its/acer/
  2. Click “Login,” then sign in using your UH username and password.
  3. Click on the “View ACER List” tab.
  4. On the Acknowledgements and Certifications (ACER) table, locate the UH Information Security Awareness Training Certification and click on the “Certify” or “Re-certify” button.
  5. Click on the Laulima link.
  6. Click on “UH Login.”
  7. You may see a message that says “Currently, you are not a member of the site called ISAT V3. Would you like to join and become a member of the site?” Click on “YES, ADD ME.” You will only need to do this once. You will be able to get in without being asked this question on subsequent returns.
  8. In Laulima, click on the tab “ISAT V3.”

Navigating through the ISAT Quizzes

Those who are unfamiliar with using Laulima may find the “Instructions on Navigating through the ISAT Quizzes ” helpful. You must be logged into your UH email account to access the Google Doc. Your personal email (Gmail or other) will not work.

How long is the ISAT?

The ISAT takes less than an hour to complete.

Do I need to complete the ISAT in one session or can I take it over multiple sessions?

You can complete the ISAT over multiple sessions. Your quiz answers may be saved and you may return at a later time to continue where you left off. Your ISAT will not register as complete, however, until you have completed all five quizzes within a 60-day window. You will need to retake any lessons beyond that timeframe.

How will I know if I passed the training?

You will need a total quiz score of at least 16 out of 20 (80%) across all five quizzes to pass the training.
Unfortunately, Laulima is unable to generate a message announcing whether you passed or not. To
check your score, select “Tests & Quizzes” on the left menu. In the table "Submitted Assessments,"
under each lesson, look for the date/time stamp when you took each quiz along with the "Individual
Score" associated with the quiz. Add up the five lesson scores. If your total score is less than 16, you will
need to retake one or more lessons to increase your total score.

How will I know when I need to retake my ISAT?

You will receive an automatic email reminder 30 and 7 days prior to the one-year anniversary date of when you last took the ISAT. Additionally, you will be reminded by those tasked with monitoring compliance.

What if I miss re-taking the ISAT within one year and am out of compliance?

Failure to complete the requirements by the specified due date should be reported to the supervisor. Extenuating circumstances affecting an employee’s ability to complete the requirements on time shall be taken into consideration by the supervisor. A reasonable timeframe to complete the requirements will be set by the supervisor and communicated to the employee. Department chairs may assist faculty with temporary workload adjustments, as needed, to accommodate the completion of their training requirements.

How will compliance be tracked?

Chancellors and VPs are asked to designate an ISAT Compliance Coordinator who will be responsible for
coordinating compliance requirements for your respective campus/UH System office. Chancellors and
VPs will decide whether the individual will be tasked with managing compliance centrally or delegating
the task out to the field (e.g., to the school/college or department level). ITS has developed a web
interface to track those with valid and invalid ISATs based on anniversary dates. Training for those
individuals on how to set up and use the web interface will be provided in January.

Why is ISAT training required?

The training is critical to raising the University community’s awareness on how to keep our institutional assets safe as the frequency and sophistication of cybersecurity threats continue to increase. We continue to have data exposures and breaches, many of which could have been prevented. By integrating best practices around privacy and security into our daily work, we can reduce the risk of further exposures and breaches from occurring. Additionally, the University is subject to federal regulatory requirements and industry standards, all of which are requiring stronger privacy and security measures for Title IV institutions and federally sponsored research. Employee training is a component in them. For example, the Gramm-Leach-Bliley Act (GLBA) is one such federal regulation that requires employee
training under its Safeguards Rule. It is also a mandatory annual requirement under UH
Administrative Procedure 2.215.

Why is there an ISAT validation check (effective April 1, 2024) for account holders of selected
enterprise wide information systems? in Banner (Admin Pages), STAR (various – see below), KFS,
PeopleSoft, and myGRANT? Why those systems?

The ISAT validation check is part of the University’s ongoing efforts to increase compliance across the
UH System. The information systems chosen for these validation checks are widely accessed by the UH
community. The technical implementation requirements and timing were also factors in why these
information systems were selected. The check ensures that account holders with access to UH Protected
Data in these systems have passed the ISAT within one year of the current date. The intent is not to have
this validation check implemented for every UH enterprise wide
information system, however, selected information systemss that have a wide impact may be
considered in the future.

As of April 1, 2024, which enterprise wide information systems require a current ISAT to log
on?

Banner Admin Pages, KFS, PeopleSoft, myGRANT, and selected STAR services ( GPS Advisor, Balance, Cashiers, Scholarships Awarding/Management, Academic Logic,
Kama‘aina Admin, Service Opportunities Admin, and Degree Rules Admin).

Who are affected by this ISAT validation check?

UH and RCUH faculty and staff, graduate assistants, student employees, and UHF employees with access
to the above information systems.

Why are student employees subject to the ISAT?

Student employees who work with personally identifiable information (PII) as part of their employment
have the same requirements as other employees to protect the data they work with. The student
employee’s supervisor determines whether an ISAT is required for the position. Office positions will
likely involve the handling of PII, and many student employees have access privileges to UH enterprise
wide information systems.

What can I expect when I log onto an information system that is
subject to this ISAT validation check?

The validation check happens in the background during your login process. If your ISAT is less than a year
old, you will be able to log in normally. However, if your ISAT is more than a year old, or you have
never taken the ISAT, you will not be granted access to these systems. Instead, you will be redirected to
a webpage with instructions on where to take the training.

What happens if I have an expired ISAT but I need to access to my information system right away?

Normally, your access privileges will be restored the morning after you successfully complete the ISAT.
For urgent situations where you need immediate access, ACER contains a link that updates your ISAT
results on demand, allowing your access to be restored the same day.

I finished my ISAT. Why am I not able to regain access to my information system?

There may be various reasons why you are not able to log on. Please check the following possibilities:

  • Did you complete all five quizzes within a 60-day period?
  • Did you get a total of 16 out of 20 questions correct? The ISAT requires an 80% to pass. If you
    did not pass, repeat however many quizzes needed to attain 16 correct answers. To determine
    your score, refer to the question above, “How will I know if I passed the training?”
  • Did you take the ISAT and try to log onto your system on the same day? Normally, the ISAT
    credentials are updated overnight. However, there is a link on the ACER page that allows for on-
    demand updates.
  • If none of these apply, contact the ITS Help Desk for further assistance

Is an ISAT certificate of completion available?

If you have completed the ISAT, you may print a certificate of completion by going to the UH Acknowledgements and Certifications (ACER) website.

Who is exempt from taking the ISAT?

Employees who meet the all of the following criteria:

  1. Their duties are not office- or classroom-based;
  2. Their duties do not involve working with Protected Data; and,
  3. They have limited access to technology at work.

Is there a way to tell if an employee received an exemption

There is no official designation. The individual’s supervisor will determine if an employee is exempt. The supervisor will need to notify the ISAT Compliance Coordinator to exclude an individual from the ISAT group for their unit. The ISAT Compliance Coordinators
are generally the personnel officers for their campuses/units however the coordinator may be different at some campuses. Should you need assistance with identifying your ISAT Compliance Coordinator, contact the ITS Help Desk.

Do we still need to do the General Confidentiality Notice (GCN) acknowledgement?

No, the GCN will only need to be completed by new hires during the onboarding process. It was removed as an annual requirement to simplify the training requirement.

Is an ADA compliant version of the ISAT available?

Yes, here are the links:

You will need to answer at least 16/20 questions correctly on the quiz to pass. Your ISAT score will be manually updated in the system. There will be a one-day lag before your ISAT completion date will appear on the UH Acknowledgements and Certifications (ACER) website.