Rule 74-2 Section PR.AT

Awareness and Training.

Agencies shall provide all their workers cybersecurity awareness education and training so as to ensure they perform their information security-related duties and responsibilities consistent with agency policies and procedures. In doing so, each agency shall:

  1. Inform and train all workers (PR.AT-1).
  2. Ensure that privileged users understand their roles and responsibilities (PR.AT-2).
  3. Ensure that third-party stakeholders understand their roles and responsibilities (PR.AT-3).
  4. Ensure that senior executives understand their roles and responsibilities (PR.AT-4).
  5. Ensure that physical and information security personnel understand their roles and responsibilities (PR.AT-5).

For each of the above subsections the following shall also be addressed:

  1. Appoint a worker to coordinate the agency information security awareness program. If an IT security worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all workers (including volunteer workers) are clearly notified of applicable obligations, established via agency policies, to maintain compliance with such controls.
  2. Establish a program that includes, at a minimum, annual security awareness training and on-going education and reinforcement of security practices.
  3. Provide training to workers within 30 days of start date.
  4. Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and computer security incident reporting procedures. Incident reporting procedures shall:
    1. Establish requirements for workers to immediately report loss of mobile devices, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes according to agency reporting procedures.
  5. Where technology permits, provide training prior to system access. For specialized agency workers (e.g., law enforcement officers) who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.
  6. Require, prior to access, that workers verify in writing that they will comply with agency IT security policies and procedures.
  7. Document parameters that govern personal use of agency IT resources and define what constitutes personal use. Personal use, if allowed by the agency, shall not interfere with the normal performance of any worker’s duties, or consume significant or unreasonable amounts of state IT resources (e.g., bandwidth, storage).
  8. Inform workers of what constitutes inappropriate use of IT resources. Inappropriate use shall include, but may not be limited to, the following:
    1. Distribution of malware.
    2. Disablement or circumvention of security controls.
    3. Forging headers.
    4. Propagating "chain" letters.
    5. Political campaigning or unauthorized fundraising.
    6. Use for personal profit, benefit or gain.
    7. Offensive, indecent, or obscene access or activities, unless required by job duties.
    8. Harassing, threatening, or abusive activity.
    9. Any activity that leads to performance degradation.
    10. Auto-forwarding to external email addresses.
    11. Unauthorized, non-work related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker website/software; and pornography and sites containing obscene materials.