INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING



Similar documents
EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

INFORMATION PROCEDURE

Records Management Policy. EPA Classification No.: CIO CIO Approval Date: 02/10/2015. CIO Transmittal No.: Review Date: 02/10/2018

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

EPA Classification No.: CIO 2155-P-3.0 CIO Approval Date: 04/04/2014 CIO Transmittal No.: Review Date: 04/04/2017

EPA Classification No.: CIO P-11.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Department of the Interior Privacy Impact Assessment Template

National Geospatial Data Policy Procedure for Geospatial Metadata Management

I. U.S. Government Privacy Laws

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

INFORMATION PROCEDURE

ClOP CHAPTER Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

PRIVACY IMPACT ASSESSMENT

NASA Information Technology Requirement

U.S. Department of Energy Washington, D.C.

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Department of the Interior Privacy Impact Assessment

Federally Mandated Training for Federal Employees

PRIVACY IMPACT ASSESSMENT TEMPLATE

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

INFORMATION PROCEDURE

Integrated Financial Management Information System (IFMIS) Merger

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment

U.S. Department of Education. Office of the Chief Information Officer

Crew Member Self Defense Training (CMSDT) Program

Subject: U.S. Department of Housing and Urban Development (HUD) Privacy Protection Guidance for Third Parties

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

NASA Information Technology Requirement

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

Name of System/Application: Customer Relationship Management (CRM) Program Office: Office of the Chief Information Officer (CIO)

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Student Administration and Scheduling System

FSIS DIRECTIVE

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information:

Privacy Impact Assessment. For Personnel Development Program Data Collection System (DCS) Date: June 1, 2014

Audit of the Department of State Information Security Program

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

White Paper. Understanding NIST FISMA Requirements

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Department of Veterans Affairs VA Handbook Information Security Program

How To Control A System

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

DEPARTMENTAL DIRECTIVE

Review of the SEC s Systems Certification and Accreditation Process

U.S. Department of Transportation. Privacy Impact Assessment (Update) National Registry of Certified Medical Examiners (National Registry)

Information Security and Privacy Policy Handbook

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET Data Administration and Management (Public)

U.S. Nuclear Regulatory Commission

U.S. Department of Energy Washington, D.C.

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO

U.S. Department of the Interior PRIVACY IMPACT ASSESSMENT

Department of the Interior Privacy Impact Assessment

Subject: Information Technology Configuration Management Manual

OWA/2-Factor Authentication VPN FAQ. Outlook Web Access (OWA) QUESTIONS

PRIVACY IMPACT ASSESSMENT

Department of Homeland Security Management Directives System MD Number: Issue Date: 03/01/2003 DHS USAGE

Bank Secrecy Act E-Filing. Privacy Impact Assessment (PIA) Bank Secrecy Act E-Filing. Version 1.5

Canine Website System (CWS System) DHS/TSA/PIA-036 January 13, 2012

IT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data

NARA s Information Security Program. OIG Audit Report No October 27, 2014

Section 37.1 Purpose Section 37.2 Background Section 37.3 Scope and Applicability Section 37.4 Policy... 5

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

The Bureau of the Fiscal Service. Privacy Impact Assessment

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

December 8, 2009 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

5 FAM 1060 INFORMATION ASSURANCE MANAGEMENT

A. This Directive applies throughout DHS, unless exempted by statutory authority.

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

PROCEDURES FOR ELECTRONIC MANAGEMENT OF RULEMAKING AND OTHER DOCKETED RECORDS IN THE FEDERAL DOCKET MANAGEMENT SYSTEM

INFORMATION PROCEDURE

Standards for Security Categorization of Federal Information and Information Systems

Background Check Service

Legislative Language

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY. HUD Handbook REV4.1

Business Associate Agreement

Transcription:

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19,dated 07/07/2005 GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING 1. PURPOSE The purpose of this guidance is to provide an alternative manual process for disseminating Environmental Protection Agency Information Security Awareness Training (ISAT) materials and collecting results from EPA users who elect to complete the ISAT manually. 2. SCOPE AND APPLICABILITY This guidance covers all EPA information and information systems, to include those used, managed, or operated by a contractor, another agency, or other organization on behalf of EPA. This guidance applies to all EPA employees, contractors, and all other users of EPA information and information systems that support the operations and assets of EPA. 3. AUDIENCE Supervisors, managers, Contracting Officer s Representatives (CORs), Information Security Officers (ISO), that may use this method and users that may request to complete the ISAT using this alternative method. 4. BACKGROUND Based on federal requirements and mandates, the EPA is responsible for ensuring that all EPA employees successfully complete the ISAT with a passing score of 85% or above as part of their initial hiring requirements and annually, thereafter. All EPA users shall meet this security requirement to maintain access to the EPA s information and information systems. This guidance provides an alternative manual process to the primary online process for EPA users to manually complete the ISAT and exam when the primary online process is unavailable or impractical. Page 1 of 8

This guidance incorporates and meets the EPA National Rules of Behavior (RoB) which indicates both electronic and manual methods are provided to users to acknowledge they have read, understand, and comply with these rules. 5. AUTHORITY E-Government Act of 2002, Public Law 107-347, Title III, Federal Information Security Management Act (FISMA) as amended Freedom of Information Act (FOIA), 5 U.S.C. 552, as amended by Public Law 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996 Clinger-Cohen Act of 1996, Public Law 104-106 Paperwork Reduction Act of 1995 (44 USC 3501-3519) Privacy Act of 1974 (5 USC 552a) as amended USA PATRIOT Act of 2001, Public Law 107-56 Code of Federal Regulations, Part 5 Administrative Personnel, Subpart C Employees Responsible for the Management or Use of Federal Computer Systems, Section 930.301 through 930.305 (5 C.F.R 930.301-305) OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 2000 FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 National Archives and Records Administration, 36 CFR Chapter XII, Subchapter B - Records Management (Parts 1220-1238) EPA Information Policy EPA Information Security Program Plan EPA Information Security Awareness and Training Procedures EPA Information Security Roles and Responsibilities Procedures EPA Information Security Continuous Monitoring Strategic Plan 6. GUIDANCE General Guidance When EPA employees and contractors find that they are unable to take the primary online ISAT due to the inaccessibility of the training, travel, attending off-site training or for other reasons, EPA employees must obtain approval to take the ISAT manually. EPA employees must receive approval from their program office or regional ISO and notify their supervisor, manager or COR. Once approval is granted, the EPA employee can take the ISAT manually. Page 2 of 8

New employees who have not yet gained access to the EPA system can also take the ISAT manually. 1) EPA employees are responsible for: a. Requesting approval from their ISO, and then notifying their manager, supervisor or COR in order to take the ISAT manually. b. Successfully completing the ISAT annually and within the determined deadline. They must meet the ISAT requirement, which includes reading each page, making a passing score of 85% and signing the RoB. 2) Managers and Supervisors are responsible for: a. Ensuring that users successfully complete the ISAT prior to initial access to EPA systems and information and at least annually thereafter to maintain access. b. Ensuring that the RoB are annually reviewed and signed or acknowledged electronically or manually by all information and information system users who support the operations and assets for which EPA is responsible. c. Ensuring EPA systems and information access is removed for users who do not comply with the annual ISAT and RoB. 3) Contracting Officer s Representatives (COR) are responsible for: a. Ensuring contracts contain information security clauses and language for safeguarding Agency interests through its contractual relationships. i) Ensuring initial and annual security awareness and RoB requirements are included in clauses and language when contractors access agency information or information systems. b. Assisting the Contracting Officer in the technical monitoring and administration of contract. i) Ensuring that users successfully complete ISAT prior to initial access to EPA systems and information and at least annually thereafter to maintain access. ii) Ensuring that the RoB are reviewed and signed or acknowledged electronically or manually on an annual basis by all information and information system users who support the operations and assets for which EPA is responsible. iii) Ensuring EPA systems and information access is removed for users who do not comply with the annual ISAT and RoB. ISA Training Dissemination and Collection and Grading Page 3 of 8

1) A soft copy of the ISAT material must be provided in a timely manner to ensure all users successfully complete the training and sign the RoB by July 31 st each year or as otherwise specified by the Chief Information Officer and/or the Senior Agency Information Security Officer. The ISAT material must include the following documents for the most current fiscal year: Information Security Awareness Training word or text document, Information Security Awareness Training exam (excluding all answers), and EPA National Rules of Behavior. These documents are located on the website, http://intranet.epa.gov/oei/cybersecurity.html 2) Dissemination, collection and grading must be coordinated by the respective Program Offices and Regions. a. The ISOs will be responsible for coordinating the dissemination and collection of the ISAT material. i. The ISOs will disseminate the training material to the respective managers, supervisors and CORs. ii. The ISOs will coordinate with the Mission Investment Solutions Division (MISD) within the Office of Environmental Information to ensure the status tracking tool is updated correctly. b. Users managers and supervisors, and CORs for contractors, shall: i. Provide to all users that have not successfully completed the ISAT, the current ISAT and exam without answers and ensure they complete the ISAT and exam; ii. Provide to all users who have not signed the RoB, the current RoB and ensure they read and sign the RoB; iii. Review and grade users ISAT exams; iv. Notify ISO of users completion of the ISAT; v. Forward a copy of the exam including the results, and a signed copy of the RoB for each user to their ISO; vi. Maintain on file the original exams and results and signed RoB for each user; and vii. Provide for review the documents on file when requested. 3) ISOs will consolidate the results and provide to the MISD awareness training point of contact an email with all users names, exam grade, and indicate whether the user signed the RoB. a. MISD will be responsible for updating the EPA training tracking tool as requested. Page 4 of 8

Dissemination and Collection Options 1) The ISAT material shall be disseminated and collected using one of the options below: a. Dissemination: i. Hard copy a) The manager, supervisor, or COR sends a hard copy of the training material via fax, mail or other similar delivery method. ii. Soft copy a) The manager, supervisor, or COR sends a soft copy of the training material by email. This option provides an easy tracking method and can also provide an easy signature method. b. Collection: i. Hard copy a) Users send a hard copy of the completed ISAT exam and signed RoB materials via fax, mail or other similar delivery method to their managers, supervisors and CORs. b) After verifying that the managers, supervisors and CORs have completed their own exams, ISOs provide the exam answer guide to the managers, supervisors and CORs. c) The managers, supervisors and CORs grade employees exams and verify that RoBs are signed. d) Managers, supervisors and CORs maintain all graded training exams, results and signed RoBs on file. The exams, results and signed ROBs must remain on file in accordance with EPA Records Schedule 122, http://www.epa.gov/records/policy/schedule/sched/122.htm e) Managers and supervisors provide ISOs with training completion results with copies of graded exam, signed RoB via fax, mail or other similar delivery method. f) ISOs provide a completion memo / document to MISD. ii. Soft copy a) Users can attach the completed exam and a signed copy of the RoB acknowledgement in an email to their managers, supervisors, or CORs. b) The exam and exam results can be in the body of an email in addition to the RoB acknowledgement statement. Users can then digitally sign the email to their managers, supervisors, or CORs using the Microsoft Outlook s digital signature feature. If the signature fails, the users will need to contact their managers, supervisors, or CORs to obtain an electronic copy and follow the Page 5 of 8

process for sending the materials using another method listed in this guidance document. Note: With either method, the email, along with the appropriate attachments, can be maintained electronically by the supervisor utilizing a tracking mechanism of their choice. With either method the email can be forwarded to MISD with appropriate information for processing the users exam results and indication of receiving a signed RoB. 7. RELATED DOCUMENTS a. NIST Special Publication (SP) 800-53 Series 8. ROLES AND RESPONSIBILITIES Senior Agency Information Security Officer (SAISO) The SAISO has the following responsibilities with respect to the manual ISAT: a. Develops the ISAT material and sets the deadline for all users to successfully complete the training. b. Develops and disseminates the EPA Rules of Behavior to the ISOs. c. Coordinates with the ISOs to ensure all EPA users are provided with the appropriate ISAT material to complete the training. Information Security Officers (ISO) ISOs have the following responsibilities with respect to the manual ISAT: a. Disseminates training materials and RoB to and collects results from the respective managers, supervisors, and CORs. b. Coordinates to ensure the status tracking tool is updated correctly. c. Provides MISD with the appropriate training results and proof of signed RoB from managers, supervisors, and CORs. Managers, Supervisors, and Contracting Officer Representatives (CORs) Managers, supervisors, and CORs have the following responsibilities with respect to the manual ISAT: a. Disseminates training materials and RoB to users and collects and grades ISAT exams. b. Collects and verifies that users sign the RoB. c. Notifies ISO of users completion of the training. d. Provides ISOs copies of completed exams and signed RoB for each user. e. Maintains on file the original completed exam and signed RoB for each user. Page 6 of 8

Office of Environmental Information (OEI), Office of Technology Operations and Planning (OTOP), Mission Investment Solutions Division (MISD) MISD has the following responsibilities with respect to the manual ISAT: a. Updates the EPA elearning tool with user s training exam results/grade and indicates whether the user signed the RoB. EPA Users EPA users have the following responsibilities with respect to the manual ISAT: a. Requests approval from ISO to take the training manually and notifies supervisor. b. Successfully completes the EPA ISAT with a score of 85% or better and within the allotted deadline. c. Reads and signs the Rules of Behavior. d. Provides managers, supervisors or CORs their original completed exam and signed RoBs. 9. DEFINITIONS Hard copy A hard copy is a type of output that is a physical reproduction of data, such as a printed version of a document or file. Soft copy A soft copy is an unprinted digital document, file, or some type of data that can be sent electronically such as via email or other type of network connection. 10. WAIVERS The CIO may grant a waiver for sufficient reasons exercising judgment in the best interests of the Agency. 11. RELATED POLICY, PROCEDURES, STANDARDS, AND GUIDANCE Related policy and procedures are available on OEI s Policy Resources website. http://intranet.epa.gov/oei/imitpolicy/policies.htm Related standards and guidelines are available on OEI s website. 12. MATERIAL SUPERSEDED NA 13. ADDITIONAL INFORMATION NA Page 7 of 8

Renee P. Wynn Acting Assistant Administrator for Environmental Information and Chief Information Officer U.S. Environmental Protection Agency Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information