Countywide Information Security Awareness Training Policy Information
Authorized By
Navdeep S. Gill, County Executive
Revision History
Revised: N/A
Established: 08/2018
Contact
Policy and Compliance Administrator
Department of Personnel Services
Email: AskDPS@saccounty.gov
A well-trained workforce, aware of information security risks, plays a crucial role in protecting an organization against a variety of information security threats. As such, federal and state regulations have made information security awareness training a requirement for public entities. Information security awareness training is designed to educate users on the best practices to protect information technology (IT) resources and data and to provide the knowledge and skills necessary to fulfill IT security responsibilities. This policy establishes the requirement for a formal and effective information security awareness and training program for Sacramento County.
This policy applies to all County departments and users of County IT resources and data.
The County shall require information security awareness training for all users of County IT resources and data to comply with federal and state regulations. The Department of Technology shall determine the appropriate content for information security awareness training. The content shall include reasons information security is needed, behaviors that protect information, techniques for recognizing threats, and appropriate response to suspected security incidents. Training shall be required for all new users and then at least annually for all users. The County may require additional training on specific security threats for users as needed.
Departments, in compliance with government regulations or industry best practices, may require additional security training for specialized staff. Departments shall be responsible for identifying their additional training requirements and determining which staff must receive the training.
The Department of Technology may use additional techniques to reinforce training objectives Countywide. Techniques may include posters, security reminders, email advisories, logon messages, awareness events, and practical exercises.
The County shall track and retain individual training records for all information security awareness training. Records will be retained in accordance with County standards.
Failure to complete required information security awareness training constitutes a violation of this policy. Violators of this policy may be subject to disciplinary action. Violations of this policy will be investigated by the Department of Personnel Services with consultation from the Department of Technology and/or other departments as appropriate.
National Institute of Standards and Technology Special Publications (NIST SP):
NIST SP 800-12 An Introduction to Computer Security
NIST SP 800-16 Information Technology Security Training Requirements
NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-100 Information Security Handbook
Electronic Code of Federal Regulations (CFR): 5 CFR 930.301 Information Security Awareness Training Program
State of California State Administrative Manual (SAM) and Statewide Information Management Manual (SIMM) 5320 Training and Awareness for Information Security and Privacy
Criminal Justice Information Services (CJIS) Security Policy 5.2 Policy Area 2: Security Awareness Training
Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.6 Implement a formal Security Awareness Training Program
Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 CFR 164.308 (a)(5)(i) Security Awareness Training