Security Education and Awareness (SS-08-012)
SS-08-012.02 Security Education and Awareness
Issue Date: 3/31/2008
Revision Effective Date: 12/15/2014
Review Date: 7/1/2018
One of the goals of the State’s Information Security Program is to increase the awareness of the workforce through a security awareness program. Organizations cannot protect the integrity, confidentiality, and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them. NIST Special Publication 800-50, developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, states “the people factor - not technology - is key to providing an adequate and appropriate level of security”. If people are the key, but are also a weak link, “a robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.”
SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS
All state agencies shall provide information security awareness training to their employees and engagement contractors who have unescorted logical or physical access to state facilities and/or information resources not designated as public access resources.
The training shall be conducted annually, attendance shall be mandatory, and training completion shall be documented in personnel and contractor training records.
Awareness training shall provide practical and simple guidance pertaining to employee and contractor roles and responsibilities for protecting the state’s information assets, incident reporting and contingency preparedness. It shall provide updates to and reinforce security policies and procedures and highlight overall awareness. The training must include information regarding the state’s and the agency’s information security policies and standards, and where to find them. It must also include any training required by applicable information owners.
Additional role-based security training shall be provided to applicable information owners, IT specialists, developers, the security management organization, and others that have unique or specific information security responsibilities.
If engagement contractors provide training to their employees, agencies shall define the requirements for and review contractor training materials to ensure that all state and agency required training content is included and appropriate (such as state and agency policies and procedures, HIPAA, CJIS, FTI, etc.). Agencies shall review training records of contractors to ensure that all engaged employees obtain the training annually.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
NIST Computer Security Resource Center - http://csrc.nist.gov/
SP 800-16: IT Security Training Requirements
SP 800-50: Building an IT Security Awareness and Training Program
SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
AT 1-4 Awareness and Training