Computer Training Policy

Version: 1.00 Issue Date: 9/15/2014

1.0 Overview

This computer training policy defines the minimum training for users on the network to make them aware of basic computer threats to protect both themselves and the network. This computer training policy especially applies to employees with access to sensitive or regulated data.

Management recognizes that spending on computer training lowers the total cost of using technology. Training is an investment that reduces the cost of using technology and lowers the risk of security incidents. Management shall appoint a training team or training department that shall be responsible for developing the training materials required by this policy. The training team shall also further define the extent of training and employee testing required. Management shall work with the training team to develop an effective training budget which provides for the practical training needs defined by the collaborative effort between management and the training team.

2.0 Purpose

This computer training policy is designed to protect the organizational resources on the network and increase employee efficiency by establishing a policy for user training. When users are trained about computer use and security threats, they work more efficiently and are better able to protect organizational resources from unauthorized intrusion or data compromise. This computer training policy will help prevent the loss of data and organizational assets. Computer training is a key element in the reduction of risk of user errors and malicious threats. This computer training policy includes security awareness training.

3.0 Scope

This computer training policy applies to any person who connects to organizational resources, whether they are permanent, temporary, or part-time staff members, and includes extended contractors and any volunteers. The level of training required is determined by the employee's access to organizational resources and the security needs of those resources. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Terms

  • Social engineering - A combination of techniques used to trick people into releasing information to unauthorized individuals or to trick people into performing an action which will allow an attacker to take over their computer or gain unauthorized physical access to resources.
  • Phishing - A fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card information by masquerading as a legitimate and trustworthy entity using electronic communication.
  • Spoofing - A person or machine masquerading as another in an attempt to fool a receiver.

5.0 Training Schedule

All personnel covered by this policy must be trained prior to beginning the job and trained every two years thereafter.

6.0 Training Categories

Training categories will include but not be limited to the following areas:

  • Basics:
    1. What files are
    2. How to set the folder view to show details and extensions for known file types
    3. Why hidden file extensions are a security hazard to you
    4. How to determine file storage size
    5. Mail attachments
    6. Where to store files
      • How to use your network drive
      • What your network drive is and what it means to you
    7. How to copy files
    8. Ways to increase efficiency on the computer such as keyboard shortcuts
  • Ways to get malware:
    1. Through email
    2. Through browser
    3. By connecting
    4. By installing unapproved programs
  • Email viruses:
    1. How they spread
    2. Spoofing sender
    3. Dangerous attachments
  • Email spam
    1. Protect your email address.
    2. Filtering spam.
  • Hoaxes:
    1. Phishing.
    2. Fraud methods.
    3. Social engineering techniques.
  • Email use
    1. How to set up email for remote users or with your ISP with POP3.
    2. How to set up out of office reply.
    3. How to set mail filtering rules.
    4. How to use, import, and export personal folders.
    5. What an undeliverable response to an email message means.
  • Use of web browser
    1. Safe browser?
    2. Avoid adware and spyware - ignore ads that may compromise your computer or get you to install an illicit program.
    3. How to change browser settings for better security.
    4. Products to prevent malware.
    5. How do I know what website I really am on? - How attackers can fool you.
  • Passwords
    1. Why protect my password?
    2. Why do I need to change my password every 30 days?
    3. How to change your password.
    4. How to choose strong passwords that you can remember.
    5. If I log in on a website can someone see my password?
  • Other
    1. Reasons for firewall - worms and others
    2. Why worry about malware?
    3. What is a vulnerability?
    4. Why not run all services?
    5. Social engineering
  • Data identification
    1. Rating data for confidentiality, integrity, and availability needs.
    2. The difference between public data and confidential data.
    3. Who owns data and responsibilities to protect the data.
    4. What are the user's responsibilities.
  • Applications
    1. Users shall have application training for those applications they are required to use to perform their job functions. The application developers shall develop a users manual and training for the application as a part of the System Development Life Cycle (SDLC). This information shall be provided to the training team if the application is used throughout the organization. If the application is used in one or more departments, the application training may be the responsibility of the department(s) or may be turned over to the training team.
  • Ethics
  • Policies
  • Security incidents
  • IT resource acceptable use.

7.0 Position Specific Training

General classifications of positions where training should be tailored to positions include:

  • End users
  • Management
  • Technical staff

Each of these categories has different responsibilities that must be emphasized in the training. The management training must discuss what information security is, what the organizational policies are, what the risks are, what we are doing to mitigate those risks, what management's role and responsibilities are, what management should be concerned about, and what members of management need to do in their daily activities.

The technicians' training must identify risks, what the organizational policies are, what technicians need to be concerned with from a technical perspective, what kinds of practices they need to follow to sustain security, what the procedures are for administering, managing and maintaining the technology, and what actions they need to take to identify problems, resolve them, and escalate problems that they cannot resolve.

The end users' training must make them aware of applicable policies and procedures, where to get more information, and where to turn for help.

8.0 Training Opportunities

Basic training as listed in section 6.0 shall be provided internally by the organization and shall include the following opportunities:

  1. Scheduled training seminars for 1 to 4 hours per day.
  2. Brown bag lunch training for up to 1 hour per day on one or two days per week.

9.0 Requirements

All organizational staff shall make measurable and continuous progress in the training areas listed in section 6. Each employee's manager shall be responsible for ensuring that employees under their supervision make progress in the required training areas. Each employee must retain knowledge of the training areas listed in section 6 within the first year of employment.

10.0 Security Awareness

Security awareness shall be increased at every opportunity with the following measures:

  • Screens at logon time displaying acceptable usage warnings.
  • Posters displaying information about computer security awareness.
  • Periodic informative emails and/or newsletters with security awareness tips and reminders.
  • Websites with security awareness tips and computer training resources.
  • Positive reinforcement for those who apply security awareness on the job.
  • Meetings and training seminars.

11.0 Enforcement

Since training is very important to the security of the organization, auditing shall be used as a mechanism to ensure the training policy is being followed. Auditors may test employees at random about their knowledge in the areas listed in section 6. If an employee gets malware on their computer, they may be audited. Employees who do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

12.0 Other Policies

  • Auditing Policy

13.0 Additional Requirements

  • Training and employee testing materials.
  • Develop a process to define basic minimum computer and security skills.
  • Definitions of job roles requiring additional training and the extent of training required.
  • Additional definitions about how violations of this policy shall be handled.
  • Additional information about the material to post on posters, login screens, emails and newsletters.
  • Develop a process to ensure that the training needed to fulfill the organization's objectives is a useful part of the employee's performance plan and career path. The process should ensure the employee gets the training in a timely fashion based on their performance plan needs.
  • Develop a process to identify any gaps in training. For example, examine help desk calls to determine any training gaps.
  • Develop a process to be sure training is in place to support long term IT plans.
  • Create and maintain a skills database to show training needs, gaps, and achievements. Track employees that have attended training and what training they attended. Determine skills required for the business needs and be sure the training addresses any gaps.
  • A process shall be put into place to ensure that the training team has sufficient knowledge to train users in the appropriate areas. Third parties shall evaluate the training staff annually.
  • A process shall be developed to evaluate the number and type of help desk calls to determine and address:
    • Specific users that need additional training.
    • General areas where additional training is necessary.
  • An annual review of the training program shall be performed to be sure the training program is current with technology trends and the latest security concerns.
  • Alternative training and the most cost-effective strategies are reviewed annually and appropriate changes are made. The effectiveness of intranet-based training combined with testing to certify learning competencies versus traditional classroom training should be evaluated.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________