Security Awareness, Training, and Education

We cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all GPC users involved in using and managing information technology:

  • Understand their roles and responsibilities related to the organizational mission;
  • Understand the organization’s IT security policy, procedures, and practices; and
  • Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

You Are The Key!

As often cited in audit reports, periodicals, and conference presentations, it is generally understood that people are one of the weakest links in attempts to secure systems and networks. The “people factor” – not technology – is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset.”

A robust and enterprise wide awareness and training program is paramount to ensuring our users understand their IT security responsibilities, organizational policies and standards, and how to properly use and protect the IT resources entrusted to them.

GPC S.A.T.E Program Management – Roles and Responsibilities

While it is important to understand the policies that require agencies to develop and implement awareness and training, it is crucial that we understand who has responsibility for IT security awareness and training. This section identifies and describes those within the college that have responsibility for IT security awareness and training.

GPC Information Security (InfoSec) – personnel in the GPC Information Security department, part of IT, are responsible for overall program development and management, including developing, implementing, and maintaining the awareness, training, and education program.

Other important roles and responsibilities for successful awareness program management are:

Chief Information Officer (CIO) – CIOs are tasked with providing training and overseeing personnel with significant responsibilities for information security. CIOs work with the Chief Information Security Officer (CISO)/Security Awareness Program Manager, to:

  • Establish the overall strategy for the IT security awareness and training program;
  • Ensure the college President, senior managers, system and data owners, and others understand the concepts and strategy of the security awareness program, and are informed of the progress of program implementation;
  • Ensure the security awareness and training program is funded; and
  • Ensure effective tracking and reporting mechanisms are in place.

Chief Information Security Officer (CISO)/S.A.T.E. Program Manager – At GPC these roles function as one and the same. The CISO has tactical-level responsibility for the awareness and training program and should:

  • Ensure awareness and training material developed or used is appropriate and timely for the intended audiences;
  • Ensure that awareness and training material is effectively deployed to reach the intended audience;
  • Ensure that users and managers have an effective way to provide feedback on the awareness and training material and presentation;
  • Ensure that awareness and training material is reviewed periodically and updated when necessary; and
  • Assist in establishing a tracking and reporting strategy.

Managers – have responsibility for complying with IT security awareness and training requirements established for their users. Managers should:

  • Work with the CIO and the CISO/S.A.T.E. Program Manager to meet shared responsibilities;
  • Serve in the role of system owner and/or data owner, where applicable;
  • Consider developing individual development plans (IDPs) for users in roles with significant security responsibilities;
  • Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their security responsibilities before allowing them access;
  • Ensure that users (including contractors) understand specific rules of each system and application they use; and
  • Work to reduce errors and omissions by users due to lack of awareness and/or training.

Users – as our largest audience, our users are the single most important group of people who can help to reduce unintentional errors and IT vulnerabilities, which is why we say “You Are the Key!”. This group includes faculty, staff, and students; contractors, foreign or domestic guest researchers, other GSU personnel, visitors, guests, and other collaborators or associates requiring access. Users must:

  • Understand and comply with agency security policies and procedures;
  • Be appropriately trained in the rules of behavior for the systems and applications to which they have access;
  • Work with their managers to meet training needs;
  • Keep software and applications updated with security patches; and
  • Be aware of actions they can take to better protect the college’s information. These actions include, but are not limited to: proper password usage, data backup, proper antivirus protection, reporting any suspected incidents or violations of security policy, following rules established to avoid social engineering attacks such as phishing, and following best practices to help stop the spread of spam, viruses, and worms.

Information Security Training Document

Security Training Resources

Securing The Human: In summer 2015, GPC InfoSec will be introducing a new and exciting security awareness training program platform. The on-line LMS will be provided by the SANS Institute, which specializes in information security and cyber security training.

The training modules, collectively called ‘Securing The Human’ or STH, are an award-winning information and cyber security training solution used by thousands of public and private industry entities, many Georgia state agencies, and several GSU institutions.