Example: dental hygienist

Information Security – Awareness and Training …

Information PROCEDURE Information Security Awareness and Training Procedures EPA Classification No.: CIO CIO Approval Date: 02/16/2016 CIO Transmittal No.: 16-006 Review Date: 02/16/2019 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 Information Security Awareness AND Training PROCEDURES 1. PURPOSE To implement the Security control requirements for the Awareness and Training (AT) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

To implement the security control requirements for the Awareness and Training (AT) control family, as identified in National Institute of …

Tags:

  Training, Information, Security, Awareness, Information security awareness and training

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of Information Security – Awareness and Training …

1 Information PROCEDURE Information Security Awareness and Training Procedures EPA Classification No.: CIO CIO Approval Date: 02/16/2016 CIO Transmittal No.: 16-006 Review Date: 02/16/2019 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 Information Security Awareness AND Training PROCEDURES 1. PURPOSE To implement the Security control requirements for the Awareness and Training (AT) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

2 2. SCOPE AND APPLICABILITY The procedures cover all EPA Information and Information systems to include Information and Information systems used, managed, or operated by a contractor, another agency, or other organization on behalf of the EPA. The procedures apply to all EPA employees, contractors and all other users of EPA Information and Information systems that support the operation and assets of the EPA. 3. AUDIENCE The audience is all EPA employees, contractors and all other users of EPA Information and Information systems that support the operations and assets of the EPA.

3 4. BACKGROUND Based on federal requirements and mandates, the EPA is responsible for ensuring that all offices within the Agency meet the minimum Security requirements defined in the Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems. All EPA Information systems must meet the Security requirements through the use of the Security controls defined in the NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This document addresses the procedures and standards set forth by the EPA, and complies with the family of Awareness and Training controls.

4 5. AUTHORITY E-Government Act of 2002, Public Law 107-347, Title III, Federal Information Security Management Act (FISMA) as amended Federal Information Security Modernization Act of 2014, Public Law 113-283, chapter 35 of title 44, United States Code ( ) Page 1 Information Security Awareness and Training Procedures EPA Classification No.: CIO CIO Approval Date: 02/16/2016 CIO Transmittal No.: 16-006 Review Date: 02/16/2019 Freedom of Information Act (FOIA), 5 552, as amended by Public Law 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996 Clinger-Cohen Act of 1996, Public Law 104-106 Paperwork Reduction Act of 1995 (44 USC 3501-3519) Privacy Act of 1974 (5 USC 552a) as amended USA PATRIOT Act of 2001, Public Law 107-56 Code of Federal Regulations, Part 5 Administrative Personnel, Subpart C Employees Responsible for the Management or Use of Federal Computer Systems, Section through (5 ) Office of Management and Budget (OMB)

5 Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Information Resources, November 2000 Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004 Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 EPA Contracts Management Manual EPA Information Security Program Plan EPA Information Security Policy EPA Roles and Responsibilities Procedures EPA Information Security Continuous Monitoring Strategic Plan CIO Policy Framework and Numbering System 6.

6 PROCEDURES The "AT" designator identified in each procedure represents the NIST-specified identifier for the Awareness and Training control family, as identified in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Abbreviations including acronyms are summarized in Appendix A. AT-2 Security Awareness Training For All Information Systems: 1) The Senior Agency Information Security Officer (SAISO), in coordination with Information Security Officers (ISO) for EPA-operated systems, shall; and Service Managers (SM), in coordination with the SAISO and ISOs, for systems operated on behalf of the EPA, shall ensure service providers: Develop, maintain and manage the EPA s Security Awareness program to ensure users receive adequate Training and user Awareness content.

7 Page 2 Information Security Awareness and Training Procedures EPA Classification No.: CIO CIO Approval Date: 02/16/2016 CIO Transmittal No.: 16-006 Review Date: 02/16/2019 i) The content of the basic Information system Security Awareness Training materials and Security Awareness techniques shall be determined based on specific requirements of the organization, federal regulations and the Information systems to which personnel have authorized access. (1) The content of EPA s Security Awareness program must include: (a) A basic understanding of the need for Information Security .

8 (b) User actions to maintain Security . (c) User actions to respond to suspected Security incidents1. (d) Awareness of the need for operations Security as it relates to the EPA s Information Security program. 2) System Owners (SO), in coordination with ISOs, Information Management Officers (IMO), Information Owners (IO), Managers and Supervisors and the SAISO for EPA-operated systems, shall; and SMs, in coordination with IOs, ISOs and IMOs, for systems operated on behalf of the EPA, shall ensure service providers: Provide all EPA Information system users (including managers, senior executive staff and contractors2) Information system Security Awareness Training for their respective systems as determined necessary to supplement the mandated Awareness Training provided by the SAISO: i) As part of initial Training for new users and before authorizing access to the system.

9 Ii) When required by system changes. iii) At least annually thereafter. Ensure Training is completed before Information system users are permitted access to an Information system or able to perform assigned duties. If the user fails to comply, user access shall be suspended. Ensure each Program Office, Region and Lab augments Security Awareness Training by mechanisms ( , message of the day, posters, special events, email notices) it deems necessary to address local or programmatic Information Security issues, incidents, policies and procedures. Note: Security Awareness techniques can include, for example, displaying posters, offering supplies inscribed with Security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages and conducting Information Security Awareness events.

10 AT-2(1) Security Awareness Training | Practical Exercises Not selected as part of the control baseline. 1 Refer to the latest version of the EPA Information Security Incident Response Procedures for requirements on responding to Security incidents. 2 Training or instruction for contractors should be identified or described in the Statement of Work (SOW) or Performance Work Statement (PWS). Refer to the latest version of the EPA Information Security System and Services Acquisition (SA) Procedures for requirements on contractor Training . Page 3 Information Security Awareness and Training Procedures EPA Classification No.


Related search queries