Security Awareness Training Policy

I. Purpose:

The purpose of this policy is to ensure workforce members are informed about information security policies and standards, regulatory requirements and modern cyber threats to City of Olympia technology assets and services.

II. Applicability and Audience

A.    Users

This policy applies to all persons working for, or on behalf of City of Olympia, including workforce members, third parties, volunteers and contractors who access City of Olympia’s systems, applications, and data.

B.    Technology Assets

Intentionally left blank.

C.    Exceptions

Requests for exceptions to this policy must follow the Information Services information security policy exceptions handling process. Please open a ticket with the service desk to request a policy exception.

III. Definitions

All definitions are contained within the City of Olympia Information Security Policy and Standards Glossary.

IV. Policy

All workforce members with access to City of Olympia technology assets are required to complete Security Awareness Training in compliance with this policy. Security Awareness Training must be completed within 180 days of hire, and at least annually thereafter.

A.    Security Awareness Training System

1.    The Information Services is required to provide an enterprise Citywide training system that:

a.    Enables City of Olympia workforce members to meet the requirements of this policy

b.    Enables progress reporting for purposes of compliance with this policy

c.    Provides a feedback form at the end of each training module for workforce members to provide feedback

2.    The IT Infrastructure Manager must review and report on the Security Awareness Training System and associated feedback to the Chief Information Officer whenever:

a.    Security Awareness and Training content is modified or updated

b.    If regulatory or business requirements have changed

c.    If roles and responsibilities or organizational requirements have changed

B.    Information Security Awareness Training

Department directors or their designee are required to ensure that workforce members complete security awareness training on information security topics as determined by the IT Infrastructure Manager and as required by regulatory requirements (e.g., CJIS Security Policy, HIPAA, PCI DSS). Topics may include, but are not limited to:

•    Information Security and Privacy Policies and Regulations

•    Password usage and management

•    Implications of non-compliance

•    Malicious email attachments

•    Phishing and spoofed emails

•    Web usage - allowed/prohibited

•    Security of devices issued to or used by workforce members

•    Visitor control and physical access to spaces

•    Reporting unusual activity and potential security and privacy incidents

C.    Role-Based Security Training

Workforce members in specific jobs and roles in City of Olympia may require additional security awareness training. The IT Infrastructure Manager will work with departments and agencies to identify these roles to ensure required training is completed. These specific jobs and roles include but are not limited to:

1.    Workforce members with duties covered by regulations and security standards such as HIPAA, the PCI DSS, or the FBI CJIS Security Policy

2.    Workforce members who have Incident Response responsibilities

3.    Workforce members participating in software development or other technology engineering and support

4.    Workforce members who have Business Continuity responsibilities

V. Implementation Plan

This policy becomes effective for Citywide use on the date that it is signed by the City Manager. All new technology implementations and new material changes to existing technology implementations must ensure compliance with this policy as of the effective date. All other technology implementations must be brought into compliance within four years after the effective date.

VI. Maintenance

A.    This policy will be maintained by the Information Services. This includes, but may not be limited to:

1.    Interpretation of this policy

2.    Ensuring this policy content is kept current

3.    Recommending updates to this policy and related resources

4.    Developing an escalation and mitigation process if an Organization is not in compliance

5.    Assisting Organizations to understand how to comply with this policy

6.    Monitoring annual compliance by Organizations

B.    This policy will automatically expire five (5) years after its effective date. A new, revised, or renewed policy will be initiated by Information Services prior to the expiration date.

VII. Consequences for Noncompliance

Violations of this policy may be grounds for disciplinary action, up to and including termination and enforcement action which may include civil or criminal charges.

VIII. Appendix A: References

•    Information Security Policy and Standards Glossary

IX. Appendix B: Relevant Compliance Requirements

This section provides references to key regulations and standards that apply to City of Olympia. This section does not replace the authoritative source and is just a reference to assist with further research. Please use the Compliance Standard and Section No. to further research the entirety of the regulation, framework or standard from the authoritative source.

Compliance Standard

Section No.

Description

HIPAA

45 CFR 164 Subpart C

Security Standards for the Protection of Electronic Protected Health Information

164.308(a)(5)

Security Awareness and Training

CJIS Policy v5.9

5.2

Security Awareness Training

5.3.3

Incident Response Training

PCI DSS v3.2.1

6.5

Address common coding vulnerabilities in software- development processes as follows:

- Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.

- Develop applications based on secure coding guidelines.

9.9.3

Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:

- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

- Do not install, replace, or return devices without verification.

- Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

- Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

12.6

Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.10.4

Provide appropriate training to staff with security breach response responsibilities.

NIST CSF

PR.AT

Awareness and Training

NIST 800-53r5

AT

Awareness and Training

CP-3

Contingency Training

IR-2

Incident Response Training

CIS Controls v7.1

17

Implement a Security Awareness and Training Program

History: New August 2023.