1912 Security Awareness and Training

Department of Human Services
Online Directives Information System

Index:

POL1912

Revised:

06/02/2025

Next Review:

06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Georgia Department of Human Services Enterprise Security Awareness and Training Policy, for managing risks from a lack of company security awareness, communication, and training through the establishment of an effective security awareness and education program. The security awareness and education program helps DHS document, communicate, and train the agency’s employees on security best practices and concepts.

Authority

United States Department of Commerce National Institute for Standards and Technology (NIST)
United States Internal Revenue Service
United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)
United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)
Georgia Technology Authority
Social Security Administration
Federal Bureau Investigation (Criminal Justice Information Services)

References

United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5, September 2020
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-100 “Information Security Handbook: A Guide for Managers” March 2007
United States Department of Commerce Technology Administration National Institute of Standards and Technology NIST Special Publication 800-12, An Introduction to Computer Security June 2017
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-50 “Building a Cybersecurity and Privacy Learning Program” September 2024
United States Internal Revenue Service, IRS Publication 1075 Tax Information Security Guidelines For Federal, State and Local Agencies Safeguards for Protecting Federal Tax Returns and Return Information
Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
Criminal Justice Information Services Security Policy
ACF/OCSS - Security Agreement

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

None

Responsibilities

DHS has chosen to adopt the Security and Awareness principles established in NIST SP 800-16 “Information Technology Security Training Requirements: A Role- and Performance-Based Model.” The following subsections outline the Security and Awareness standards that constitute DHS’ policy. Each DHS Business System is then bound to this policy and must develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.

AT-1 Security Awareness and Training Policy and Procedures

Develop, document, and disseminate to designated agency personnel:
1. All organizational level security and privacy awareness and training policy that:
  1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the security and privacy awareness and training policy and the associated controls.
Designate an agency official to manage the development, documentation, and dissemination of the security and privacy awareness and training policy and procedures; and
Review and update the current security and privacy awareness and training control :
1. Policy every one (1) year (or if there is a significant change); and
2. Procedures every one (1) year, (or when there is a significant change).

AT-2 Security Awareness

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and annually thereafter; and
2. When required by system changes or following assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
Employ the following techniques to increase the security and privacy awareness of system users by providing one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training.
Update literacy training and awareness content annually and following system changes and
Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques.

AT-2 (1) Practical Exercises:

Provide practical exercises in literacy training that simulate events and incidents.

AT-2 (2) Insider Threat:

Provide literacy training on recognizing and reporting potential indicators of insider threat.

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

Treasury Directive:

Train users and provide means to ensure workstations are adequately protected from theft, particularly regarding laptops acting as workstations.

IRS.1:

Distribute security and privacy awareness reminders/updates to all users on at least a quarterly basis.

IRS.2:

Conduct phishing email simulation exercises on at least a quarterly basis.

AT-2 (4) Suspicious Communications and Anomalous System Behavior:

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using agency-defined indicators of malicious code

AT-3 Role-Based Security Training

Provide role-based security and privacy training to personnel with the following roles and responsibilities: information system security manager (ISSM); information system security officer (ISSO); security specialist; system and software developers; system, network and database administrators; programmer/systems analyst; and personnel having access to CUI.
1. Before authorizing access to the system, information, or performing assigned duties, and;
2. When required by system changes;
3. Within sixty (60) days of entering a position that requires role-specific training, within three hundred sixty-five (365) days thereafter
Update role-based training content annually and following system changes and update literacy training and awareness content annually and following system changes; and.
Incorporate lessons learned from internal or external security or privacy incidents into role-based training.

SSA.1

The training and awareness programs must include:
1. The sensitivity of SSA data,
2. The rules of behavior concerning use and security in systems and/or applications processing SSA data,
3. The Privacy Act and other Federal and state laws governing collection, maintenance, use, and dissemination of information about individuals,
4. The possible criminal and civil sanctions and penalties for misuse of SSA data,
5. The responsibilities of employees, contractors, and agent’s pertaining to the proper use and protection of SSA data,
6. The restrictions on viewing and/or copying SSA data,
7. The proper disposal of SSA data,
8. The security breach and data loss incident reporting procedures,
9. The basic understanding of procedures to protect the network from viruses, worms, Trojan horses, and other malicious code,
10. Social engineering (phishing, vishing and pharming) and network fraud prevention.

AT-4 Security Training Records

Identify employees and contractors who hold roles with significant information security and privacy responsibilities;
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
Retain individual training records for a period of five (5) years.

SSA also requires the organization to certify that each employee, contractor, and agent who views SSA data certify that they understand the potential criminal, civil, and administrative sanctions or penalties for unlawful assess and/or disclosure.

AT-6: Training Feedback

Provide feedback on organizational training results to the following personnel: Agency Senior Management and Agency Disclosure Personnel on an annual basis.

History

Date

Change

User

Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as, IRS 1075, NIST 800-53, and CMS MARS-E.
Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as, IRS, CMS, SSA, FBI, etc.