
A key objective of an effective IT security program is to ensure that each employee understands his or her roles and responsibilities and is adequately trained to perform them. The DHS cannot protect the confidentiality, integrity, and availability of its IT systems and the information they contain without the knowledge and active participation of its employees in the implementation of sound security principles.

5 CFR part 930, subpart C, as revised, requires that all users (Federal employees as well as contractors) of Federal information systems be exposed to security awareness materials at least annually. In addition to the annual training requirement, training must occur when employees are hired (they must receive the training before they are allowed access to systems), when system security changes occur, and when an employee’s work responsibilities change.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires that persons be trained in their responsibilities and in the “rules of behavior” for using general support systems (e.g., LANs) and for using major applications before being given access to those systems or applications. Computer security training must be addressed in the security plan for each IT system. In addition, Component ISSMs shall prepare and submit to the DHS IT Security Training Program Director a training plan outlining their plans for IT security awareness, training, and education for the year. The plans shall follow the guidance in the DHS Component Information Technology (IT) Security Awareness, Training and Education Plan template, issued by the DHS IT Security Training Office.

In 5 CFR part 930, the Office of Personnel Management (OPM) requires Federal agencies to identify employees responsible for the management or use of computer systems that process sensitive information and to provide training to the following groups: executives; program and functional managers; information resources management (IRM), security, and audit personnel; automated data processing (ADP) management and operations personnel; and end users. It requires that employees in these groups receive their required training within 60 days of their appointment. It also requires that additional training be provided whenever there is a significant change in the agency’s IT security environment or procedures, or when an employee enters a new position involving the handling of sensitive information. It also requires that computer security refresher training be given as frequently as determined necessary by the agency based on the sensitivity of the information that the employee uses or processes.

The Federal Information Security Management Act of 2002 (FISMA) tasks the Chief Information Officer (or comparable official) of each agency with training and overseeing personnel with significant responsibilities for information security. Additionally, FISMA requires that each agency include security awareness training within an agency-wide information security program. The security awareness training must inform personnel, including contractors and other users of IT systems that support the operations and assets of the agency, of (1) information security risks associated with their activities and (2) their responsibilities in complying with agency policies and procedures so that such risks will be reduced. FISMA also requires each agency to include as part of its performance plan a description of the resources (including budget, staffing, and training) that are necessary to implement the program.

NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provides Federal agencies with detailed guidelines for developing a robust training program for staff within 26 security-related roles. This document will be used to the extent that it is practical in developing and implementing awareness and training materials and courses for DHS employees and support contractors.

DHS Policy

a. Components shall establish an appropriate IT Security Training Program for users of DHS systems.

b. DHS personnel and contractors accessing DHS IT systems shall receive initial training and annual refresher training in security awareness and accepted security practices.

c. DHS personnel and contractors with significant security responsibilities (e.g., ISSOs, system administrators) shall receive initial specialized training specific to their security responsibilities prior to being granted access to DHS IT systems, and annual refresher training thereafter.

d. Components shall maintain training records, to include name and position, type of training received, and costs of training. IT awareness training must be completed before IT accounts are authorized.


e. Unless a waiver is granted by the ISSM, user accounts and access privileges, including access to email, shall be disabled for those DHS employees who have not received annual refresher training.

f. Components shall prepare and submit an annual training plan, outlining their plans for IT Security Awareness, Training and Education. This plan shall follow the guidance in the DHS Component Information Technology (IT) Security Awareness, Training and Education Plan template, issued by the DHS IT Security Training Office.

g. Training plans shall include awareness of internal threats and basic IT security practices.

h. Components shall prepare and submit IT security awareness, training, and education statistics to the DHS IT Security Training Program Director on a quarterly basis. These statistics shall include:

− Total number of personnel and number of personnel that have received awareness training.

− Total number of personnel with significant security responsibility and the number that have received role-based training.

− The cost of any agency-provided IT security training or materials for the year.

Components must also provide:

− Brief descriptions of the awareness and training provided to personnel.

− Information concerning how they have explained policies relating to Peer-to-Peer (P2P) file sharing to all system users.

i. Components shall provide evidence of training by submitting copies of training schedules, training rosters, training reports, etc., upon request of the DHS IT Security Training Office, or during onsite validation visits performed on a periodic basis.

IT security awareness, training, and education responsibilities are provided below.

IT Security Awareness, Training, and Education Responsibilities

ISSMs

• Establish overall policy for IT security awareness, training, and education.

• Provide guidance on preparing and attending security awareness and training sessions.

• Submit to the DHS IT Security Training Program Director a training plan outlining their plan for IT Security Awareness, Training, and Education for the year.

• Analyze, on a quarterly basis, security awareness and training statistics submitted by the ISSOs and COTRs and submit a summary of these statistics to the DHS IT Security Training Program Director.

ISSOs

• Ensure that all new employees, including contractors, complete an initial Government- or contractor-sponsored security awareness course as part of their orientation.

• Unless an ISSM waiver is issued, disable all accounts and access privileges, including access to email, of those DHS users who failed to complete the annual security refresher course.


• Ensure that all users, including all contractors, read and sign rules of behavior for the use of systems and applications prior to their being given access to those systems and applications.

• Implement annual awareness refreshers for employees and support contractors involved in the management, use, or operation of IT systems that process sensitive information.

• Maintain a record of security awareness and training that includes the name and position of the person trained, the type of training, the date of the training, and the cost of the training.

• Submit to the ISSM, on a quarterly basis, statistics on initial and refresher security awareness and training.

• Implement continued training for personnel when there is a significant change in the system security environment or in procedures, or when an employee enters a new position involving the handling of sensitive information.

COTRs

• Ensure that contractors have their personnel complete an initial security awareness course as part of their orientation.

• Ensure that contractors have their personnel complete a refresher awareness course each year.

• Ensure that contractors have their personnel sign rules of behavior for the use of systems and applications prior to their being given access to those systems and applications.

• Ensure that contractors provide additional security awareness training to their personnel whenever there is a significant change in the system security environment or in procedures, or when contractor personnel enter a new position.

• Ensure that contractors maintain a record of their personnel who have completed initial and refresher security awareness training, with the record to include the name of the person trained, the type and date of the training, and training cost.

• Ensure that contractor security awareness and training statistics are provided to the ISSM on a quarterly basis.

4.1.5.1 Initial Awareness

Components must give newly hired employees an initial IT security awareness course and have them read and sign a rules of behavior acknowledgement statement before those employees are given access to any DHS network resources or applications. The awareness course and the rules of behavior should be a part of the orientation process. Components must also provide an initial awareness course to newly hired contractor staff or ensure that the contractors provide an equivalent course for their staff. Participation in the awareness course is mandatory. Records of the training must be maintained and retained to verify compliance; records must include the employee’s name and position, the type of training received, and the date of training.

Appropriate media for providing this initial awareness include seminars, presentations, awareness videotapes, and computer-based products delivered via CD-ROM, intranet/Internet, and/or LAN.

4.1.5.2 Refresher Awareness

Components must provide an IT security awareness refresher course to employees annually; they must also either provide an annual awareness refresher course for contractor staff or ensure that contractors provide an equivalent refresher course for their staff. Participation in the refresher course is mandatory. User accounts and access privileges, including access to email, will be disabled for those who have not received annual refresher training. The appropriate ISSM may issue a waiver to this requirement. Records of the training must be maintained and retained to verify compliance; records must include the employee’s name and position, the type of training received, and the date of training.

Appropriate media for providing refresher awareness include seminars, presentations, awareness videotapes, and computer-based products delivered via CD-ROM, intranet/Internet, and/or LAN.

Additional awareness sessions must be conducted whenever there is a significant change in the IT security environment or procedures or when an employee enters a new position involving the handling of sensitive information.

4.1.5.3 Ongoing Awareness Activities

Components must reinforce the awareness message throughout the year—e.g., through the use of posters, newsletters, email messages, trinkets with a security message, and other appropriate communication media.

4.1.5.4 Role-Based Training

DHS personnel and contractors who have significant security responsibilities (e.g., ISSOs, network administrators, system administrators, and DAAs) must receive specialized training specific to their security responsibilities. Specialized security-related training must also be provided to senior managers, system owners, and IT Project Managers. Components must ensure that such personnel receive this specialized training annually. The level of training shall be commensurate with the individual’s duties and responsibilities. Components must track, by name and position, the type of training received, the dates of the training, and the costs of the training.