Security Awareness Program

PS-08-010.02 Security Awareness Program

Issue Date: 3/20/2008

Effective Date: 12/15/2014

Review Date: 7/1/2018

PURPOSE

One of the goals in the State Information Security Program is to increase the awareness of the workforce through a security awareness program. Organizations cannot protect the integrity, confidentiality, and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

NIST Special Publication 800-50, developed by the National Institute of Standards and Technology (NIST), in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, states “the people factor - not technology - is key to providing an adequate and appropriate level of security”. If people are the key, but are also a weak link, “a robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.”

SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS

Enterprise Information Security Charter PS-08-005

POLICY

The state’s workforce (full/part-time employees and contractors) shall be made aware of their basic information security responsibilities through an awareness program. All state agencies shall provide annual information security awareness training. The training shall include information regarding the state’s and the agency’s information security policies and standards, and where to find them. The program shall also include any training required by applicable information owners. Attendance shall be mandatory and documented in personnel and contractor records for all state employees and engagement contractors who have unescorted logical or physical access to state information resources not explicitly designated as public access resources.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Information Security Infrastructure SS-08-005

Security Education and Awareness SS-08-012

REFERENCES

NIST Computer Security Resource Center - http://csrc.nist.gov/

SP 800-16: IT Security Training Requirements

SP 800-50: Building an IT Security Awareness and Training Program

SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

AT 1-4 Awareness and Training