1912 Security Awareness and Training
Department of Human Services
Index: POL1912
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Georgia Department of Human Services Enterprise Security Awareness and Training Policy, for managing risks from a lack of company security awareness, communication, and training through the establishment of an effective security awareness and education program. The security awareness and education program helps DHS document, communicate, and train the agency’s employees on security best practices and concepts.
Authority
- United States Department of Commerce, National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS – Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Responsibilities
DHS has chosen to adopt the Security and Awareness principles established in NIST SP 800-16 “Information Technology Security Training Requirements: A Role- and Performance-Based Model.” The following subsections outline the Security and Awareness standards that constitute DHS’ policy. Each DHS Business System is then bound to this policy and must develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.
AT-1 Security Awareness and Training Policy and Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organizational-level security and privacy awareness and training policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the security and privacy awareness and training policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the security and privacy awareness and training policy and procedures; and
- Review and update the current security and privacy awareness and training controls:
  - Policy every one (1) year (or when there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
AT-2 Security Awareness
- Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
  - As part of initial training for new users and annually thereafter; and
  - When required by system changes or following assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
- Employ the following techniques to increase the security and privacy awareness of system users: provide one or more short ad hoc sessions that include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training;
- Update literacy training and awareness content annually and following system changes; and
- Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques.
AT-2 (1) Practical Exercises:
Provide practical exercises in literacy training that simulate events and incidents.
AT-2 (2) Insider Threat:
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-2 (3) Social Engineering and Mining:
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
Treasury Directive:
Train users and provide means to ensure workstations are adequately protected from theft, particularly regarding laptops acting as workstations.
AT-3 Role-Based Security Training
- Provide role-based security and privacy training to personnel with the following roles and responsibilities: information system security manager (ISSM); information system security officer (ISSO); security specialist; system and software developers; system, network, and database administrators; programmer/systems analyst; and personnel having access to CUI:
  - Before authorizing access to the system or information, or before performing assigned duties;
  - When required by system changes; and
  - Within sixty (60) days of entering a position that requires role-specific training, and within three hundred sixty-five (365) days thereafter;
- Update role-based training content annually and following system changes, and update literacy training and awareness content annually and following system changes; and
- Incorporate lessons learned from internal or external security or privacy incidents into role-based training.
SSA.1
- The training and awareness programs must include:
  - The sensitivity of SSA data;
  - The rules of behavior concerning use and security in systems and/or applications processing SSA data;
  - The Privacy Act and other Federal and state laws governing collection, maintenance, use, and dissemination of information about individuals;
  - The possible criminal and civil sanctions and penalties for misuse of SSA data;
  - The responsibilities of employees, contractors, and agents pertaining to the proper use and protection of SSA data;
  - The restrictions on viewing and/or copying SSA data;
  - The proper disposal of SSA data;
  - The security breach and data loss incident reporting procedures;
  - A basic understanding of procedures to protect the network from viruses, worms, Trojan horses, and other malicious code; and
  - Social engineering (phishing, vishing, and pharming) and network fraud prevention.
AT-4 Security Training Records
- Identify employees and contractors who hold roles with significant information security and privacy responsibilities;
- Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
- Retain individual training records for a period of five (5) years.
SSA also requires the organization to certify that each employee, contractor, and agent who views SSA data understands the potential criminal, civil, and administrative sanctions or penalties for unlawful access and/or disclosure.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.