
Kansas Information Technology Executive Council


Information Technology Policy 7400 - Computer Security Awareness and Training

1.0 TITLE: Kansas IT Enterprise Policy for Computer Security Awareness and Training

    1.1 EFFECTIVE DATE: January 22, 2009

    1.2 TYPE OF ACTION: New Policy

    1.3 KEY WORDS: Kansas IT Security Council, Enterprise Security Policy, Information Security, User Security Awareness, Desktop User Security Training

2.0 PURPOSE: To ensure all Kansas government employees, contractors, or other third parties who have access to or use Kansas IT resources, have available training and opportunities to meet and respond to computer security issues and incidents faced in the workplace.

3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government; and contractors or other third parties; hereafter referred to as Entities.

4.0 REFERENCES:

    4.1 ITEC IT Policy 7230, Revision 1, General Information Technology Enterprise Security Policy 

    4.2 Kansas IT Security Council, IT Security Reporting Protocols, October 25, 2007

    4.3 Kansas IT Security Council, IT Security Awareness and Training Policy Requirements

    4.4 Department of Administration, Intrusion Detection Incident Response Security Policy and Procedures

    4.5 NIST Special Publication 800-16, Information Technology Security Training Requirements

    4.6 NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program

5.0 DEFINITIONS:

    5.1 Security incident is defined as a compromise of a system that has critical, sensitive, or confidential data; any compromise that significantly affects agency resources; the act of violating an explicit or implied security policy; the act of violating any Federal, State or local law which may result in the loss of confidentiality, integrity or availability. Compromises may be the result of failed or successful unauthorized access attempts; unwanted disruption of service; or use of a system to change or damage system hardware, firmware or software.

     

6.0 POLICY:

    6.1 Statement of Responsibility: The Kansas IT Security Council is responsible for establishing a minimum security standard and for tracking training via the annual Enterprise Security Self Assessment as a vehicle to promote awareness.

    6.2 Every state employee, contractor, or other third party shall receive annual training according to minimum standards as set forth in section 6.1.

    6.3 Those agencies whose budgets fall under the $100,000 reporting criteria will be provided assistance in meeting provisions of section 6.2.

    6.4 Kansas Board of Regents Institutions must follow this policy or an approved industry best practices policy designed for higher education technical environments or institutions.

7.0 PROCEDURES:

    7.1 The practices and procedures for Computer Security Awareness and Training shall conform to the requirements set forth in the “Computer Security Awareness and Training Policy Requirements”, as amended, included as Attachment A to this policy.

8.0 RESPONSIBILITIES:

    8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.

    8.2 Entities are responsible for developing programs to ensure employees receive user awareness training at least once yearly.

    8.3 The Kansas IT Security Council is responsible for the maintenance of this policy.

9.0 CANCELLATION: None



Page last modified on: February 28, 2012