
Information Technology Handbook

5.9 Security Awareness, Training, and Education

Version date: May 16, 2014

This directive establishes the Information Security Awareness, Training and Education Program for information resources supporting the USG’s mission. All USG information security organizations must implement information technology regulations regarding security of information and information resources. The Information Security Awareness program will address the information security concerns that apply to USG mission needs. For more information, refer to the Security Awareness, Training and Education Standard and Security Awareness Program Policy.

USG Information Security & ePrivacy will provide an Annual Security Awareness presentation for USG institutions, the USO, the GPLS, and the Georgia Archives. Each participant organization is welcome to use the presentation in whole or in part, or to create an in-house security awareness training for their environment. Also, the USG Information Security & ePrivacy team is ready, willing, and able to come to your location and present the Annual Security Awareness presentation to students, faculty, or staff. Please call or email infosec@usg.edu to schedule the annual presentation (first scheduled, first served).

5.9.1 Roles and Responsibilities

While it is important to understand the policies that drive USG institutions, the USO, the GPLS, and the Georgia Archives to develop and implement defense in depth, it is crucial that faculty and staff understand who has responsibility for information security defense in depth.

5.9.1.1 Organization Head

The USG Chancellor or his/her designee for the USO, the president of each USG institution, the GPLS state librarian, or the Georgia Archives leadership is responsible for:

  1. Leadership;
  2. Overall safety and security of the institution; and,
  3. Annual Security Plan, as noted in Section 5.1.2 of this Handbook.

5.9.1.2 Senior Leadership

Senior Leadership must ensure that high priority is given to effective security awareness and training for all students, faculty, and staff. This includes implementation of a viable IT security program with a strong awareness and training component. Senior Leadership should:

  1. Provide leadership;
  2. Assign responsibility for IT and IS (CISO or ISO for the institution, the USO, the GPLS, or the Georgia Archives);
  3. Ensure that an organization-wide IT and IS program is implemented, is well-supported by resources and budget, and is effective;
  4. Ensure there are sufficiently trained personnel to secure and protect critical and sensitive data through the use of secure processes, tools, and training;
  5. Assign responsibilities to management;
  6. Insist that management makes security investments and security improvements measurable, and monitors and reports on program effectiveness; and,
  7. Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

5.9.1.3 Information Security Officer (ISO)

The ISO is tasked to oversee security awareness and training through the application of secure processes, awareness, and technology. The ISO will work with the academic and administrative leadership and information technology management to:

  1. Provide leadership;
  2. Establish overall strategy for the IT and IS awareness and training program;
  3. Ensure that the senior leadership, senior managers, system and data owners, and others understand the concepts and strategy of the security awareness and training program, and are informed of the progress of the program’s implementation;
  4. Ensure that the institution, USO, GPLS, or Georgia Archives security awareness and training program is funded;
  5. Ensure the training of faculty and staff with significant security responsibilities;
  6. Ensure that all users are sufficiently trained in their security responsibilities; and,
  7. Ensure that effective tracking and reporting mechanisms are in place.

5.9.1.4 Users

Users are the largest audience and are the single most important group of people who can help to reduce unintentional errors and vulnerabilities. Users may include students, faculty, staff, contractors, foreign or domestic guest researchers, other institutional personnel, visitors, guests, and other collaborators or associates requiring access. Users must:

  1. Understand and comply with institutional security policies and procedures;
  2. Be appropriately trained in the acceptable use of the systems and applications to which they have access;
  3. Work with management to meet training needs;
  4. Keep software/applications updated with security patches; and,
  5. Be aware of actions they can take to better protect their institution’s information and information systems. These actions include, but are not limited to:
    • Proper password usage;
    • Data backup;
    • Proper antivirus protection;
    • Reporting any suspected incidents or violations of security policy; and,
    • Following established rules to avoid social engineering attacks and deter the spread of spam or viruses and worms.

5.9.2 Security Awareness, Training, and Education Standard

This section establishes the requirement for the employees and contractors of all USG institutions, the USO, the GPLS, and the Georgia Archives to attend annual security awareness training.

5.9.2.1 Purpose

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

5.9.2.2 Scope, Authority, Enforcement, and Exceptions

5.9.2.3 Standard

All USG institutions, the USO, the GPLS, and the Georgia Archives shall provide information security awareness training to their employees and engagement contractors who have unescorted logical or physical access to state facilities and/or information resources not designated as public access resources.

The training shall be conducted annually, attendance shall be mandatory, and training completion shall be documented in personnel/contractor training records. Awareness training shall provide practical and simple guidance pertaining to employee and contractor roles and responsibilities for protecting the state’s information assets, incident reporting and contingency preparedness. It shall provide updates to and reinforce security policies and procedures and highlight overall awareness.

Additional role-based security training shall be provided to IT specialists, developers, the security management organization, and others that have unique or specific information security responsibilities.

5.9.2.4 Related Policies, Standards, and Guidelines

5.9.2.5 References

  • Public Law 100-235
  • NIST SP 800-16 IT Security Training Requirements
  • NIST SP 800-50 Building an IT Security Awareness and Training Program

5.9.3 Security Awareness Program Policy

This section addresses the need to increase user security awareness through an awareness and training program at all USG institutions, the USO, the GPLS, and the Georgia Archives.

5.9.3.1 Purpose

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

5.9.3.2 Scope, Authority, Enforcement, and Exceptions

5.9.3.3 Policy

The USG’s employees (full/part-time employees and contractors) shall be made aware of their basic information security responsibilities through an awareness program. The USO (Atlanta and Athens) shall provide annual information security awareness training. Attendance shall be mandatory and documented in personnel/contractor records for all USO employees and engagement contractors who have logical or physical access to USG or state information resources not explicitly designated as public access resources.

5.9.3.4 Related Enterprise Policies, Standards, and Guidelines

5.9.3.5 References
