All users of Agency-owned information resources shall complete the TAMUS Information Security Awareness Course 3001 located in the TAMUS TrainTraq system or TAMU EOD External Gateway immediately upon hire and every year thereafter. If the training material changes substantially, the chief information security officer may deem all users or a specific segment of users must reaccomplish the training out-of-cycle.
Between training cycles, the chief information security officer shall employ other communications channels (such as email, Agency intranet, digital signage, and awareness campaigns such as National Cyber Security Awareness Month) to inform users of information security awareness topics.
Employees, contractors or third party users breach security because they are not aware or trained on information security requirements.
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
a. The organization has established a security training program to improve the awareness of the impact that a security breach can have on the organization as well as the individual users, employees, contractors and third parties.
b. The organization uses security awareness techniques such as displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.
State organizations shall:
- Provide an ongoing information security awareness education program for all users; and
- Use new employee orientation to introduce information security awareness and inform new employees of information security policies and procedures.
Obtain Security awareness and training policy; procedures addressing security awareness training implementation; NIST Special Publication 800-50; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records and ascertain if
(I)the organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system and when required by system changes;
(ii)the security awareness training is consistent with applicable regulations and NIST Special Publication 800-50;
(iii)the security awareness and training materials address the specific requirements of the organization and the information systems to which personnel have authorized access;
(iv)the organization defines in the security plan, explicitly or by reference, the frequency of refresher security awareness training and the frequency is at least annually.
(v)the organization provides refresher security awareness training in accordance with organization-defined frequency.
