Technology Standard

Personnel Security - Security Awareness and Training Program

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services


PURPOSE

To provide guidelines in the development of an Information Technology Security Awareness and Training Program.  


SCOPE

In accordance with the COV ITRM 501-01, a security awareness and training program must be implemented for all managers, administrators, and users to focus attention on security and produce relevant and needed security skills and competency.  Further, the security awareness and training program must provide technical training for all VCCS employees involved in the management, administration, operation, development, or use of information systems.

APPLICABILITY

The Security Awareness and Training Program is applicable to the System Office and all Colleges.   


STANDARD

The standards developed in this document define minimum requirements and recommendations for improving information technology security awareness and for developing the skills and knowledge that System Office and College users need to perform their job responsibilities in a secure and accountable manner.  The following requirements and recommendations are provided to assist with compliance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard, COV ITRM 501-01, for security awareness and training.

The VCCS Information Security Officer and College Information Security Officers should be assigned responsibility for developing, implementing, testing, delivering training, monitoring attendance, and periodically updating the Security Awareness and Training Program.  Administrative leadership, at the System Office and college level, should convey the importance of the Information Technology Security Awareness and Training Program.

Security awareness focuses attention on a security issue or set of issues.  Security training is more formal; its goal is to build knowledge and skills at the appropriate level to facilitate job performance.  Security awareness and training are implemented in combination to support individual accountability, which improves overall information technology security.

Requirement

Develop a formal information security awareness and training program to include specific training requirements.

Requirement

All System Office and college employees receive annual security awareness training.  Refresher, updated, or special situational training as technology, System Office, or college environments change should be held as appropriate.

Requirement

Monitor and document attendance at all security-related training.  This may also include electronic reporting such as that provided by security awareness training packages (Managed Ongoing Awareness Tools (MOAT), for example) where the user has an assigned account.

Requirement

Construct information security training programs so that all employees are aware of and understand: the System Office and college policy for protecting information and information systems; separation of duties concepts; restriction of system access by employees engaged in key operating and programming activities; prescribed roles in incident response, configuration management, and continuity of operations; password management; the importance of monitoring log-in success/failure and reporting discrepancies; and the handling of information types (in particular information classified as sensitive or critical) specific to the System Office or college.

Requirement

New employees receive and complete security training within the first three months of employment.

Requirement

Establish and maintain specialized or advanced training so that all individuals involved in the management, administration, operation, or design of information systems know how to incorporate proper security practices and how to fulfill their security responsibilities.

Requirement

Provide or make available information technology security training programs commensurate with the level of expertise required for the system components and information resources for which System Office or college personnel are responsible.  The program shall include content that enables the individual to identify and evaluate threats, vulnerabilities, and risks specific to those components and resources.  The program must further include content regarding technical alternatives, methods, and standards that represent best practices appropriate to those components and resources and that can be used to implement safeguards effectively, as appropriate.

Recommendation

Recommend that all contractors and consultants receive security awareness training.  The nature and length of the engagement should determine if training is required and the specific areas that should be addressed.   


Security Awareness Guidelines

Security awareness for general users may include posters, emails, videos, internal newsletters, and similar media and can be aimed at all levels of users. 

Most general users simply need to understand good computer security practices such as protecting their physical environment, protecting passwords, and reporting security violations.  While you should keep your security training accurate and timely, do not overburden the general user with unneeded details.  Security training for this group of users will contain skills that enable them to perform their jobs more securely while teaching them what they should do and how they should, or can, do it.  General users should be taught what their roles are in protecting System Office and college information and computer systems.


Specialized Training Guidelines

Specialized training may be required depending on the level, responsibility, and expertise of the individual.  Examples may include:

Management – They need to comprehend their leadership roles in ensuring full compliance by users within their departments or divisions.

Security Personnel (Information Security Officers) – These individuals act as expert consultants for the VCCS and colleges and therefore must be well educated on security policy and accepted best practices.

System Owners – Owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.

System Administrators and IT Support Personnel – Entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge in effective security practices and implementation.

Operational Managers and System Users – These individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.


Professional Development for IT Professionals Guidelines

Professional Development training, activities, and information for IT professionals may include: 

RELATED LINKS

Information Security Standard 

Information Technology Employee Acceptable Use Agreement 

Information Technology Student/Patron Acceptable Use Agreement

Information Technology Acceptable Use Standard 

Personnel Security Standard
