Cyber Security Employee Awareness Training Program

Acknowledgements

This document and proposal were prepared by the Kentucky Association of Electric Cooperatives (KAEC) Information Technology (IT) Association - Cyber Security Subcommittee. The current sitting members of this committee are as follows:

Scott Gentry, Kenergy, Project Chairman and acting Vice President of the KAEC IT Association
Jonathan Grove, Cumberland Valley Electric Inc., acting President of the KAEC IT Association
Jim Petreshock, Owen Electric, acting Secretary of the KAEC IT Association
David Cox, Nolin Rural Electric Cooperative Corporation
Gregg Brown, CISSP, Jackson Purchase Energy Corporation
Tony Miller, Kenergy
Eddie McNutt, East Kentucky Power Cooperative
Bob Tegge, East Kentucky Power Cooperative
George H. Walker, Technical Research Analyst, National Rural Electric Cooperative Association

These documents are provided for illustrative purposes only and may not be suitable for the individual needs of your company. The end user agrees to hold harmless the Kentucky Association of Electric Cooperatives IT Association from any claims arising out of misuse or the inappropriate use of these documents.

Table of Contents

Acknowledgements
Introduction
Cyber Security Employee Awareness Training Program
  Overview/Purpose
  Scope
  Standards and Regulatory Requirements
  Program
    Roles and Responsibilities
    Training Needs Assessment
    Awareness Training
    Security Training
    New Employee Orientation Training
  Related Standards
  Definition of Terms
  Revision History

Introduction

Effective Cyber Security begins with awareness. A comprehensive Cyber Security program focuses not only on physical and technical security practices and methods, but also on the human aspects of cyber security threats and on the common methods malicious parties use to exploit the inherent weakness that inadequately aware and trained people represent. This document was prepared to provide resources to the individual cooperatives to aid in the development of an Employee Awareness Training Program. Each individual cooperative should seek to develop a policy and program that meets its individual needs and structure. Wherever possible, the documentation provided herein is open source without restriction on its use.

Cyber Security Employee Awareness Training Program

Overview/Purpose

<Cooperative Name> recognizes the need to protect <Cooperative Name>, our members, employees, and cooperative data and systems from growing cybersecurity threats. This document establishes a formal program for ongoing Employee Awareness Training within <Cooperative Name> to ensure employees are adequately trained to recognize, appropriately act upon and mitigate threats, and to protect those member, employee and company resources.

Scope

All full-time and temporary employees and other workers at <Cooperative Name> and its subsidiaries must receive the identified introductory and ongoing Cyber Security Awareness Training.

Standards and Regulatory Requirements

A formal Cyber Security Training program is required for compliance with many standards, regulatory requirements and Cyber Security best practices. Requirements applicable to <Cooperative Name> are listed below, along with the NERC CIP standards. <Cooperative Name>, at this time, is not bound by the NERC CIP standards, but they are included herein for reference and consideration of use. Other standards and regulations may be developed and/or implemented subsequent to this program's acceptance and should be adopted and implemented as necessary.

ISO/IEC 27001 & 27002, control 8.2.2 (2005 edition; renumbered 7.2.2 in the 2013 edition) - All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

PCI DSS Requirement 12.6 - Make all employees aware of the importance of cardholder information security. Educate employees (for example, through posters, letters, memos, meetings and promotions). Require employees to acknowledge in writing that they have read and understood and will comply with the company's security policy and procedures.

Health Insurance Portability and Accountability Act (HIPAA), 45 CFR 164.308(a)(5)(i) - Implement a security awareness and training program for all members of its workforce (including management).

Red Flags Rule, 16 CFR 681.1(d)-(e) - Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization's Identity Theft Prevention Program.

RUS Emergency Restoration Plan (ERP) - Note relevant cyber security regulations.

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard CIP-004-3, Section B, Requirement R1 - The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
- Direct communications (e.g., emails, memos, computer based training, etc.);
- Indirect communications (e.g., posters, intranet, brochures, etc.);
- Management support and reinforcement (e.g., presentations, meetings, etc.).

(Note: The cyber security CIP standards will be changing to Version 5, and likely Version 6, prior to the forthcoming compliance dates of April 1, 2016 for high and medium category assets and April 1, 2017 for low category assets. Additionally, under Version 3, CIP-002-3 must also be addressed by co-ops included in the NERC compliance registry.)

Program

Roles and Responsibilities

1. Manager of Technical Services (and similar functions)

Ensures that high priority is given to effective security awareness training for all employees. This will include implementation of a viable IT Cyber Security program with a strong awareness and training component. The Manager of Technical Services will:
- Assign responsibility for IT Security;
- Ensure that a <Cooperative Name>-wide IT Cyber Security program is implemented, is well supported by resources and budget, is revised on a periodic basis (annually or on another schedule) to reflect lessons learned, actual events and available technology, and is effective;
- Ensure that <Cooperative Name> has enough sufficiently trained personnel to protect its IT resources;
- Establish the overall strategy for the IT security awareness and training program;
- Ensure that the Board of Directors, President and CEO, Senior Vice Presidents, Managers, system and data owners, and others understand the concepts and strategy of the security awareness and training program, and are informed of the progress of the program's implementation;
- Ensure Board of Directors meeting minutes reflect the ongoing discussion of cyber security issues;
- Promote the development and certification of the IT security program staff, full-time or part-time security officers, and others with significant security responsibilities;
- Ensure that <Cooperative Name>'s IT security awareness and training program is funded and staffed;
- Ensure that all users are sufficiently trained in their security responsibilities and have access only to the systems and information they need to perform their jobs; and
- Ensure that effective tracking and reporting mechanisms are in place.

2. Computer Systems Analyst

Functions in the role of Information Technology Security Manager and has tactical-level responsibility for the IT security awareness and training program. The Computer Systems Analyst will:
- Ensure that awareness and training material developed and presented is appropriate and timely for the intended audiences;
- Ensure that awareness and training material is effectively deployed to reach the intended audiences;
- Ensure that users and managers have an effective way to provide feedback on the awareness and training material and its presentation;
- Ensure that awareness and training material is reviewed periodically and updated when necessary; and
- Assist in establishing a tracking and reporting strategy.

3. Managers

Have responsibility for complying with the IT security awareness and training requirements established for their users. Managers will:
- Work with the Manager of Technical Services and Computer Systems Analyst to meet shared responsibilities;
- Serve in the role of system/data owner, where applicable;
- Consider developing individual development plans (IDPs) for users in roles with significant security responsibilities;
- Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their security responsibilities before allowing them access;
- Ensure that users (including contractors) understand the specific rules of each system and application they use; and
- Work to reduce errors and omissions by users due to lack of awareness and/or training.

4. Users

Users comprise the largest audience and are the single most important group of people that can help reduce unintentional errors and IT vulnerabilities. Users may include employees, contractors, other agency personnel, visitors, guests, and other collaborators or associates requiring access. Users must:
- Understand and comply with <Cooperative Name> security policies and procedures;
- Be appropriately trained in the rules of behavior for the systems and applications to which they have access;
- Work with management to meet training needs; and
- Be aware of actions they can take to better protect <Cooperative Name>'s information. These actions include, but are not limited to: strong password usage, data backup, proper antivirus protection, reporting any suspected incidents or violations of security policy, and following the rules established to avoid social engineering attacks and to deter the spread of spam, viruses and worms.

[Explanatory Note: The cooperative should modify roles and responsibilities, and titles, to match its structure.]

Training Needs Assessment

1. A needs assessment will be conducted to determine <Cooperative Name>'s awareness and training needs. At a minimum, the following roles will be involved and addressed to identify any special training needs:
- Executive Management - Identify the directives and laws (including data breach laws) that form the basis of the security program. Ensure comprehension of leadership roles in effecting full compliance by users within their departments;
- Identified Security Personnel - Ensure cooperative staff and individuals who are acting as consultants to <Cooperative Name> are well educated on security policy and accepted best practices;
- System Owners - Ensure a broad understanding of security policy and a high degree of understanding regarding the security controls and requirements applicable to the systems they manage;
- System Administrators and IT Support Personnel - Ensure a high degree of technical knowledge in effective security practices and implementation;
- Operational Managers and System Users - Ensure a high degree of security awareness and training on the security controls and rules of behavior for the systems they use to conduct business operations.

Awareness Training

1. IT security awareness will be used to focus attention on security and should not be confused with Security Training. Various methods will be utilized to promote awareness of security, including but not limited to the following:
- Security awareness posters and banners throughout all <Cooperative Name> campuses;
- Targeted emails with an awareness message appropriate to the group;
- All-employee emails with an appropriate message;
- Presentations by IT security managers at employee meetings; and
- Scheduled online security awareness training.

Security Training

1. All Technical Services staff involved with IT systems will attend security basics and literacy training courses relevant to their areas of oversight and level of security responsibility.
2. <Cooperative Name> will seek to hire IT staff who hold, and/or to provide education for IT staff to obtain, degrees from accredited universities or industry-recognized certifications in IT Security. Examples include but are not limited to:
- Bachelor's/Master's Degree in Information Systems Security
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)

New Employee Orientation Training

Newly hired full-time and part-time employees, contractors and consultants will be provided Cyber Security orientation training consisting of the following:
1. Overview of the computing technology employed at <Cooperative Name>.
2. Provision of the <Cooperative Name> IT Cyber Security Policies Packet. This should include coverage of the major aspects of the policies, with a signed acknowledgment that the employee has read and understood <Cooperative Name>'s security policies and procedures.

Related Standards

Adapted from NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program: http://csrc.nist.gov/publications/nistpubs/800-50/nist-sp800-50.pdf

Reference: PCI Security Standards Council, PCI DSS v1.0 Best Practices for Implementing a Security Awareness Program: https://www.pcisecuritystandards.org/documents/pci_dss_v1.0_best_practices_for_implementing_security_awareness_program.pdf

Definition of Terms

Revision History

Date of Change(s) | Revised by | Summary of Change(s)