COMPUTER SECURITY TRAINING PROCEDURES


1. PURPOSE. Computer security training requirements shall be developed and conducted for all SAO employees involved with the management, use or operation of each SAO computer system which contains sensitive data. The procedures and responsibilities described in this handbook apply to all SAO elements and to non-SAO organizations that use SAO computer systems, including contractors performing work for the SAO. This chapter sets out the requirements for developing and implementing a security awareness and training program for the SAO.

2. BACKGROUND. Information security is a major concern of the SAO. In order to maintain a secure environment this office has adopted guidance and direction from federal agencies, specifically the National Institute of Standards and Technology (NIST). The Computer Security Act of 1987 was signed and became Public Law 100-235 on January 8, 1988. The Act strengthens the role and responsibility of NIST for the development and promulgation of computer security guidance. The Act places emphasis on three major provisions:

(1) Identifying computer systems containing sensitive information;

(2) Developing security plans for those sensitive systems;

(3) Mandating computer security training for all users of sensitive Federal computer systems.

3. RESPONSIBILITIES

a. The State Attorney is responsible for information security.

b. The SAO CIO is responsible for:

  1. Implementing an automated information systems security program. The CIO will ensure that computer security training and awareness are basic elements of the SAO security program.
  2. Developing and issuing procedures for SAO divisions' use in organizing and conducting computer security and awareness training for all employees.
  3. Establishing an automated information systems security program that includes security training and awareness for all employees in accordance with SAO policy.

c. Managers and immediate supervisors are responsible for ensuring that all facility personnel attend formal AIS security and awareness training according to facility policy and procedures.

d. All SAO employees, contractors, and other individuals using AIS resources are responsible for attending specifically assigned AIS security and awareness training.

4. PROCEDURES

a. Presented in this section are training guidelines and requirements for computer security. The training should be designed to enhance employees' awareness of the threats to and vulnerabilities of computer systems and encourage the use of improved security practices. Due to the sensitive nature of certain positions, SAO divisions should ensure that personnel in positions designated as "security officer" or "system administrator," and personnel in contractor positions, receive the appropriate IR security training.

b. The SAO standard for developing and conducting IR security awareness and training for SAO employees shall be the National Institute of Standards and Technology's (NIST) Special Publication 500-172, Computer Security Training Guidelines.

c. Personnel making use of automated information systems shall be aware of the vulnerabilities of such systems and trained in techniques to enhance security. Employees shall complete an initial IR security training session prior to gaining access to an SAO automated information system. This training may be held as part of the orientation that new employees normally attend. Attendance shall be documented and placed in their official personnel file. Each administration and staff office is responsible for developing, implementing and maintaining a structured security program that includes application security, personnel security, facility security, and security awareness and training.

d. All SAO employees, including contractors, are to receive initial security training at orientation, and shall receive annual training in the following five content areas:

  1. Computer Security Basics. An introduction to the basic concepts of computer security practices and the importance of the need to protect the information from vulnerabilities to known threats.
  2. Security Planning and Management. Training which focuses on the policy level issues of IR security and involves decision-making on the organization of the security program, security planning, and risk management process.
  3. Computer Security Policy and Procedures. Training which examines government-wide and Department specific security practices in the areas of physical, personnel, software, communications, data, and administrative security.
  4. Contingency Planning. Training covers the concepts of all aspects of contingency planning, including emergency response plans, backup plans and recovery plans. It identifies the roles and responsibilities of all employees involved.
  5. System Life Cycle Management. Training explains how security is addressed during each phase of a system's life cycle, which consists of system design, development, test and evaluation, implementation and maintenance. It also addresses procurement, certification, and accreditation.

e. SAO employee training is divided into the following categories:

  1. Executives. Those senior managers who are responsible for setting Department computer security policy, assigning responsibility for implementing the policy, determining acceptable levels of risk, and providing the resources and support for the computer security program.
  2. Program/Functional Managers. Those managers and supervisors who have a program or functional responsibility (not in computer security) within the Department. They have primary responsibility for the security of their data and are responsible for designating the sensitivity and criticality of data and processes, assessing the risks to the data, and identifying security requirements to the supporting data processing organization, physical security staff, physical facilities personnel, and users of their data. Functional managers are responsible for assuring the adequacy of all contingency plans relating to the safety and availability of their data.
  3. IRM, Security and Audit Personnel. Personnel involved with the day-to-day management of the Department's information resources, including the accuracy, availability, and safety of these resources. Each organization assigns responsibility differently, but as a group these persons issue procedures, guidelines, and standards to implement the Departmental or component policy for information security and monitor its effectiveness and efficiency. They provide technical assistance to users, functional managers, and the data processing organization in such areas as risk assessment and available security products and technologies. They review and evaluate the functional and program groups' performance in information security.
  4. IR Management, Operations and Programming Staff. Personnel involved with the daily management and operations of the automated data processing services. They provide for the protection of data in their custody and identify to the data owners what those security measures are. The group includes: computer operators, schedulers, tape librarians, database administrators, and systems and applications developers. They provide the technical expertise for implementing security-related controls within the automated environment, and have primary responsibility for all aspects of contingency planning.
  5. (End) Users. Any employee or other customer who has access to a Department computer system that processes sensitive or non-sensitive information. This is the largest and most heterogeneous group of employees. It consists of everyone from the data entry clerk who has a personal computer with sensitive information to the executive.

f. These groupings are based on the need for employees within a given category to know or be able to perform the same or similar types of tasks. Each division will determine specific training needs and categories to ensure that each employee within their organization receives the appropriate training.

g. Required Levels of Training. The level of training required in each training or subject matter area will vary from general awareness training to specific courses in such areas as contingency planning, depending upon the training objectives established by the Departmental components.

  1. Awareness Training. Awareness training should create sensitivity to the threats and vulnerabilities of computer systems and recognition of the need to protect data, information, and the means of processing them. Initial security training shall cover the rules of the system(s) to which the employee or contractor has access, and shall be consistent with guidance issued by NIST and OMB. Each SAO employee or contractor shall receive initial AIS security training and thereafter receive "refresher" training on an annual basis.
  2. Performance Training. Employees develop skills to design, execute, or evaluate Department computer security procedures and practices. The purpose of this training is to enable employees to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.
  3. Policy-level Training. Training provided for executives to enable them to understand computer security principles so that they can make informed policy decisions about the computer security program.
  4. Implementation Training. Training which provides program/functional managers with the ability to recognize and assess threats and vulnerabilities to automated information resources. These managers then are able to set security requirements which implement SAO security policy.

REFERENCES:

a. NIST Computer Security Training Guidelines, Special Publication 500-172 (Nov. 1989).