Security Policy Awareness and Security Awareness Training Policy

Summary

Security Awareness is a vital piece to the Security Program as all system Users need to understand their role in the protection of SLAM data and digital information. This policy describes the requirements for policy awareness and cybersecurity awareness training.

Body

Purpose

To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of audience, purpose, or how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system.

Security Awareness is a vital piece to the Security Program as all system Users need to understand their role in the protection of SLAM data and digital information. This policy describes the requirements for policy awareness and cybersecurity awareness training.

Definition

For IT security terminology, SLAM uses the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, as its primary reference document. Key terminology to be aware of includes:

  • Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
  • CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
  • Users: SLAM staff, Board Members, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
  • Systems: Information Technology systems (e.g., networks, operating systems, applications, and databases).

Policy

IT Staff Responsibilities

  • IT staff will provide a minimum set of training and awareness for all staff, volunteers, and contractors who have access to SLAM information systems and who are in computer-related positions of trust (“Users”).
  • IT staff will provide annual training and other materials to regularly remind workers of their obligations and responsibilities with respect to information security, and to educate them on cybersecurity trends and issues.
  • IT staff will reinforce this training with periodic reminders, updates, or other communications regarding Information Security (e.g., posters, emails, warning messages, daily tips displayed on screens, events, phishing testing).

SLAM Manager Responsibilities

  • Managers must ensure their direct reports have sufficient training and technical skills to be able to securely operate SLAM information systems to which they have been granted access.
  • To facilitate compliance with the requirements, management must allocate sufficient on-the-job time for workers to acquaint themselves with SLAM security policies, procedures, and related ways of doing business.

User Responsibilities

  • Within their first thirty (30) days of work, all new Users must receive copies of the information security policies that apply to all users and must be made aware that they must comply with the requirements described in these policies as a condition of continued employment.
  • Every User must attest that they understand the SLAM policies surrounding information security.
  • Users must be clearly informed about the actions that constitute security violations as well as how to properly report a suspected security event.
  • Every User must complete information security awareness training sessions, delivered electronically via the organization's LIM, within 30 days of the date when they began work at SLAM. This training will cover cybersecurity, privacy, and password management. Based on their role, additional classes will be assigned as needed.

Approval and Ownership

Role         Name              Title                       Date
Owner        Phillip Deleel    IT Director                 03/26/2021
Approved By  Carolyn Schmidt   Deputy Director/Controller  05/13/2021

Revision History

Version  Description  Revision Date  Review Date  Reviewer / Approver Name
1        Final        03/26/2021     05/13/2021   Carolyn Schmidt
2        Review       -              12/05/2022   Phil Deleel
3        Review       -              05/29/2024   Phil Deleel
4        Review       -              05/29/2025   Phil Deleel


Details

Article ID: 132586
Created
Tue 6/8/21 11:38 AM
Modified
Thu 5/29/25 11:39 AM