Wednesday, July 20, 2011

Federal Information Security Management Act (FISMA)

§3544(b)(4)(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

Training: The requirement for the agency to ensure that sufficient trained personnel are available for the information security program falls under the purview of the CISO, who manages the program and its supporting functions. This extends to the CISO's management of the staffing of dedicated security personnel for that office, as well as overseeing the designation, training, and performance of personnel assigned to other established information security roles, including authorizing officials, system owners, and information system security officers. The CISO fulfills this requirement through the use of staffing plans in concert with human resources personnel, and by means of agency-level performance measurement plans and processes.

Security Awareness Training: The agency program must address requirements for training all users on the risks associated with their activities and on their responsibilities for complying with agency information security policies and procedures. In response to this requirement, agencies provide user-level security awareness information (often computer-based) to employees and contractors at least annually, and on an occasional, as-needed basis through e-mail messages, announcements, newsletters, etc.


Thursday, July 7, 2011

Gramm-Leach-Bliley Act (GLBA) and Security Awareness Training

The Gramm-Leach-Bliley Act of 1999 (also known as the Gramm-Leach-Bliley Financial Services Modernization Act or "GLBA") was designed to open up competition in the financial services industry. It applies to all "Financial Service Providers", which include obvious groups such as insurance agencies, tax preparers and financial advisers, as well as less obvious groups such as universities and educational establishments (since they handle financial information relating to student loans).

The Safeguards Rule, issued in 2002, establishes standards for the protection of customer information and requires all "Financial Service Providers" to develop a written information security plan including:

• assigning at least one employee to manage the program,

• conducting risk assessments, and

• developing, implementing and monitoring a program to secure the information.

In the preamble to the Safeguards Rule, the Federal Trade Commission (FTC) identified employee training as one of the three areas that the Commission believes are particularly relevant to information security.

The FTC issued guidelines for organizations implementing measures to meet the Safeguards Rule. In this document, the suggested security measures include:

1. Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.

2. Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:

• locking rooms and file cabinets where paper records are kept;

• using password-activated screensavers;

• using strong passwords (at least eight characters long);

• changing passwords periodically, and not posting passwords near employees’ computers;

• encrypting sensitive customer information when it is transmitted electronically over networks or stored online;

• referring calls or other requests for customer information to designated individuals who have had safeguards training; and

• recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.

3. Instruct and regularly remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle and post reminders about their responsibility for security in areas where such information is stored.