Security Awareness Program (PS-08-010)
Topics:
PS-08-010.02 Security Awareness Program
Effective Date: 12/15/2014
Review Date: 12/01/2023
PURPOSE
One of the State Information Security Program's goals is to increase the workforce's awareness through a security awareness program. Organizations cannot protect the integrity, confidentiality, and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.
NIST Special Publication 800-50, developed by the National Institute of Standards and Technology (NIST), in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, states “the people factor - not technology - is key to providing an adequate and appropriate level of security”. If people are the key, but are also a weak link, “a robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.”
SCOPE and AUTHORITY
O.C.G.A. 50-25-4(a)(10) – State Government, Georgia Technology, General Powers
O.C.G.A. 50-25-4(a)(21) – State Government, Georgia Technology, General Powers
PM-04-001 – Information Technology Policies, Standards and Guidelines
PS-08-005 – Enterprise Information Security Charter
POLICY
The state’s workforce (full/part-time employees and contractors) shall be made aware of their basic information security responsibilities through an awareness program. All state agencies shall provide annual information security awareness training. The training shall include information regarding the state’s and the agency’s information security policies and standards, and where to find them. The program shall also include any training required by applicable information owners. Attendance shall be mandatory and documented in personnel and contractor records for all state employees and engagement contractors who have unescorted logical or physical access to state information resources not explicitly designated as public access resources.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Information Security Infrastructure SS-08-005
Security Education and Awareness SS-08-012
REFERENCES
NIST Computer Security Resource Center – http://csrc.nist.gov/
SP 800-16: IT Security Training Requirements: A Role and Performance Based Model
SP 800-50: Building an IT Security Awareness and Training Program
SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
AT-1 through AT-4: Awareness and Training