PS-08-010.02 Security Awareness Program

Effective Date: 12/15/2014

Review Date: 12/01/2023

PURPOSE

One of the State Information Security Program's goals is to increase the workforce's awareness through a security awareness program. Organizations cannot protect the integrity, confidentiality, and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

NIST Special Publication 800-50, developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, states that “the people factor – not technology – is key to providing an adequate and appropriate level of security.” If people are the key, but are also a weak link, then “a robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.”

SCOPE and AUTHORITY

O.C.G.A. 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A. 50-25-4(a)(21) – State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

POLICY

The state’s workforce (full/part-time employees and contractors) shall be made aware of their basic information security responsibilities through an awareness program. All state agencies shall provide annual information security awareness training. The training shall include information regarding the state’s and the agency’s information security policies and standards, and where to find them. The program shall also include any training required by applicable information owners. Attendance shall be mandatory and documented in personnel and contractor records for all state employees and engagement contractors who have unescorted logical or physical access to state information resources not explicitly designated as public access resources.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Information Security Infrastructure SS-08-005

Security Education and Awareness SS-08-012

REFERENCES

NIST Computer Security Resource Center – http://csrc.nist.gov/

SP 800-16: IT Security Training Requirements: A Role- and Performance-Based Model

SP 800-50: Building an IT Security Awareness and Training Program

SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

SP 800-53 controls AT-1 through AT-4 – Awareness and Training control family