Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 03/13/2023
1. Purpose
Ensure that users are familiar with potential threats to the District of Columbia Government's (hereafter "the District") IT resources and are aware of the strategies they must employ to prevent or respond to those threats.
2. Authority
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer ("OCTO") with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.
4. Policy
District agencies are responsible for making sure that all District workforce members are aware of and follow the best practices and protocols for managing the District's information systems and data.
4.1. Security Literacy Awareness and Training
The District’s security awareness and training plan must be adopted by all the District’s agencies for the following:
4.1.1. As part of initial training for new users.
4.1.2. When required by information system changes.
4.1.3. Continuous training and awareness of all users on IT-related threats.
This plan shall document the process for the District’s workforce security training, education, and awareness and ensure that all workforce members understand their roles in protecting the confidentiality, integrity, and availability of the District’s data. The security awareness and training plan shall include the following:
- Agencies must ensure that appropriate District security policies, procedures, and manuals, including the Acceptable Use Policy, are readily available to users for reference and review.
- All members of the District’s workforce must sign an acknowledgment stating that they have read and understood the District’s Acceptable Use Policy.
- All members of the District’s workforce must be provided with training and supporting reference materials to allow them to protect the District’s data and information assets.
- All members of the District’s workforce must be trained on how to identify, report, and prevent security incidents and data breaches.
- All members of the District’s workforce must attend security awareness refresher training periodically as deemed necessary.
- Respective Agencies must maintain a record of the result and report of the security training conducted for the District’s workforce.
- The District may engage the services and expertise of vendors or third parties competent in providing extensive training on security issues, vulnerabilities, identification and stopping of social engineering attacks, and relevant agency security policies when necessary.
4.2. Security Literacy Awareness and Training | Insider Threat
The District’s agencies will develop security awareness training on recognizing and reporting potential indicators of insider threat.
4.3. Role-Based Training
Each District agency's Security Awareness and Training program must provide appropriate awareness and training for specific job roles and responsibilities:
4.3.1. Before authorizing access to the information system or performing assigned duties.
4.3.2. When required by information system changes.
4.3.3. Annually thereafter.
After such training, each District workforce member must verify, through a certificate of completion and an assessment, that they received the training, understood the material presented, and agree to comply. The role-based security awareness training for the District must include the following:
4.3.3.1. General user training:
- Current Acceptable Use Policy.
- User training as required by system changes.
- Social engineering attack tactics.
- Annual refresher training.
- Security Awareness Newsletters.
- Displaying log-on screen messages.
- E-learning.
- Displayed security posters.
4.3.3.2. Management Team Training:
- Roles and responsibilities for the District’s security.
- Risk analysis results.
- Social engineering attack tactics with a focus on Spear Phishing and Vishing.
- CISO calendar of projects and engagements.
- Ongoing risk mitigation efforts.
- District security strategy calendar.
- Major policy/procedure revisions.
- Third-party management issues.
4.3.3.3. Security Personnel Training:
- Current Acceptable Use Policy.
- Details of roles and responsibilities.
- Security Policies and Procedures.
- Applicable policies and enforcement requirements.
- IT Audit and Compliance Program.
- Incident response testing plan.
- Ongoing risk mitigation efforts.
- Risk analysis results.
4.4. Processing Personally Identifiable Information
The District's agencies must provide all District workforce members who handle Personally Identifiable Information (PII) with training in the secure handling and processing of PII in the course of carrying out their daily tasks.
4.5. Training Records
The District’s agencies must:
4.5.1. Document and monitor individual information system security training activities, including basic and specific information system security training.
4.5.2. Retain individual training records for five years to provide on-demand evidence of continuing training for the District’s workforce.
4.6. OCTO’s Security Awareness and Training Implementation
The Chief Information Security Officer or his designee shall:
4.6.1. Develop and maintain a communications process to communicate new security programs and items of interest.
4.6.2. Ensure that workforce members responsible for implementing the District's Security Awareness and Training program receive training on security best practices.
4.6.3. Ensure periodic security reminders (flyers or posters, emails, verbal updates at meetings) to keep the District's workforce up to date on new and emerging threats and security best practices. The frequency and method of delivery of such reminders shall be determined by the CISO.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.