Body
North Idaho College's (NIC) Information Technology (IT) Department is charged with ensuring all NIC employees are knowledgeable and following best practice protocols for managing data. As such, a high priority is given to effective security awareness and training throughout the organization. This includes implementing a viable information security program comprised of a strong awareness and training component. The IT Department is ultimately responsible for the security of data and assets of the NIC. The Data Stewards, in cooperation with senior NIC management shall ensure that a consistent, NIC -wide, well-supported and effective security program is implemented and maintained.
The IT Department shall be responsible for developing, implementing, and maintaining a Security Awareness and Training Plan. This plan shall document the process for security training, education, and awareness and ensure that all NIC employees understand their role in protecting the confidentiality, integrity, and availability of data assets. The plan shall cover what information to communicate, when to communicate it, with whom to communicate, responsibility for communication, and the process by which communication shall be effected.
Secondly, the plan shall ensure that employees are provided with regular training, reference materials, supports, and reminders that enable them to appropriately protect NIC data assets. Training shall include, but is not limited to:
- Responsibilities for protecting sensitive information
- Risks to information assets and resources
- Data encryption and access management
- Secure use of data and information assets
- NIC information security policies, procedures, and best practices assets and identities
TRAINING PLAN REQUIREMENTS
The training plan shall ensure:
- All NIC employees may attend an approved security awareness training class within 30 days of being granted access to NIC resources.
- Employees receive training appropriate for specific job roles and responsibilities. After such training, staff must verify through certificate completion and assessment that he or she received the training, understood the material presented, and agrees to comply with it.
- Employees are trained on how to identify, report, and prevent security incidents and data breaches.
- Appropriate security policies, procedures, and manuals are readily available for reference and review.
- Employees annually attend security awareness refresher training.
- Users sign or recognize an acknowledgement stating they have read and understand NIC acceptable use requirements regarding computer and information security policies and procedures.
- Staff must be provided with sufficient training and supporting reference materials to allow them to protect NIC data and assets.
- The CIO or their designee shall prepare, maintain, and distribute an information security manual that concisely describe information security policies and procedures.
- Cloud computing and outsourcing security awareness training shall address multi-tenant, nationality, and cloud delivery models.
MANAGEMENT IMPLEMENTATION
The CIO or their designee shall:
- Develop and maintain a communications process to communicate new security programs and items of interest.
- Ensure that staff responsible for implementing safeguards receive training in security best practices.
- Ensure periodic security reminders (flyers or posters, emails, verbal updates at meetings) keep NIC staff up-to-date on new and emerging threats and security best practices. The frequency and method of delivery of such reminders shall be determined by the CIO or designee.
Audit Controls and Management
Documented procedures and evidence of practice should be in place for this policy as part of NIC internal operations. Examples of management controls include:
- Documented information security training plan with evidence of consistent update and version control of the document
- On-demand review of existing training program information and implementation within the organization
- Completion and employee acceptance logs for completed education
- Completion rate statistics
- On-demand evidence of continuing education and reminders are in place