SECURITY AWARENESS TRAINING GUIDE FOR CHIEFS OF POLICE

Created July 2012

This document was created at the request of the Missouri Police Chiefs Association board of directors, in cooperation with and under review by the CJIS Systems Officer (CSO), Major Sandra Karsten, and the State Information Security Officer (ISO), Steven White.

This guide includes the CJIS requirements and policy for training, the training handouts, and a method for tracking required security training. It is being sent electronically for ease of use and so that the elements of the requirements can be incorporated into your own policy, training, and tracking materials.

Included in this guide are the following resources:
1. Security Awareness Training Requirements and Policy (incorporated into this document).
2. Security Awareness Training Program (attachment to email).
3. Training Tracking Instrument (attachment to email).

How to use this information:
1. Establish your policy.
2. Provide the Security Awareness Training handout to those who need to be trained. There are two versions: one for staff who are operators or have access to secure locations, and one for IT staff or IT vendors.
3. Require them to read the handout (if you already have a system for policy review and document tracking, that can be used as well).
4. Save the signed copy of the training record for each individual who is required to take the training; it must be available upon request by FBI or MSHP auditors.

You may use other forms of delivery and documentation, but a sign-off and the ability to produce that documentation are needed for the auditing process.

Security Awareness Training Requirements and Policy

Security Awareness Training Requirement - Effective Date: January 1, 2013

A significant number of topics can be mentioned and briefly discussed in any awareness session or campaign.
To help further the development and implementation of individual agency security awareness training programs, the following baseline guidance is provided. The training is required within the first six months of the hire date and must be repeated every two years after the initial training. The delivery method is not specified; it can be done through electronic, verbal, or written mechanisms. The key requirement is the ability to show that an individual has had the training. Tests are not required but are encouraged, especially for individuals with direct terminal access.

5.2.1.1 All Personnel

This first level is for persons who have unescorted access to secure locations. They do not need to have direct terminal access to the computer systems. Examples: support staff such as custodians and maintenance workers, the Mayor, and City Council members.

At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to CJI usage.
2. Implications of noncompliance.
3. Incident response (points of contact; individual actions).
4. Media protection.
5. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity.
6. Protect information subject to confidentiality concerns—hardcopy through destruction.
7. Proper handling and marking of CJI.
8. Threats, vulnerabilities, and risks associated with handling of CJI.
9. Dissemination and destruction.

5.2.1.2 Personnel with Physical and Logical Access

This level is for persons with terminal or computer access to computer systems containing CJI. They would also have unescorted access to secure locations and would have completed a fingerprint background check. Examples: police officers, dispatchers, clerical or data entry staff.
In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to information system usage.
2. Password usage and management—including creation, frequency of changes, and protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e-mail/attachments.
5. Web usage—allowed versus prohibited; monitoring of user activity.
6. Spam.
7. Social engineering.
8. Physical security—increases in risks to systems and data.
9. Media protection.
10. Handheld device security issues—address both physical and wireless security issues.
11. Use of encryption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and technical contact for assistance.
12. Laptop security—address both physical and information security issues.
13. Personally owned equipment and software—state whether allowed or not (e.g., copyrights).
14. Access control issues—address least privilege and separation of duties.
15. Individual accountability—explain what this means in the agency.
16. Use of acknowledgement statements—passwords, access to systems and data, personal use and gain.
17. Desktop security—discuss use of screensavers, restricting visitors' view of information on screen (mitigating "shoulder surfing"), battery backup devices, allowed access to systems.
18. Protect information subject to confidentiality concerns—in systems, archived, on backup media, and until destroyed.
19. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

5.2.1.3 Personnel with Information Technology Roles

This level is for those individuals who have direct access to computer systems that transmit, store, or process CJI.
Examples: system administrators, security administrators, network administrators, IT contractors.

In addition to 5.2.1.1 and 5.2.1.2 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all Information Technology personnel:
1. Protection from viruses, worms, Trojan horses, and other malicious code—scanning, updating definitions.
2. Data backup and storage—centralized or decentralized approach.
3. Timely application of system patches—part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.

5.2.2 Security Training Records

Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the Local Agency Security Officer.