As TDP SO/TL, I need a basic security awareness training developed for IS users (AT-02)

[ADPennington]

This training will satisfy Security Control AT-02 (Security Awareness Training).

SO = System Owner TL = Tech Lead IS = Infosec

The organization provides basic security awareness training to information system(IS) users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [At least every 365 days] thereafter.

The content should:

• provide a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents
• address awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

For CSP Only AT-2(c) [at least annually]

Related controls: AT-01 (security training policy), AT-03 (role-based security), and AT-04 (security training record-keeping) may need to be satisfied in the future. If so, perhaps worthwhile to consider these as we're building strategy to satisfy AT-02.

ACs:

• [x] AT-02 implementation statement, indicating list of trainings TDP sys admins complete annually as HHS employees, saved in repo.
• [x] sys admins certificates of training completions, saved centrally and most recent certs shared with OCIO.

[ADPennington]

reached out to Penyin on 6/1 to ask if there are other ACF program offices with system-specific training models we could review.

[ADPennington]

stub comment for research findings:

re: provide a basic understanding of the need for information security

• TDP is a new, secure, web-based data reporting system for TANF grantees in the [S,T, and Ts] to easily submit accurate data about low-income families and individuals receiving assistance.
• Categories of data collected via TDP included can be found here and here
• mishandling of access to and use data that includes PII violates HHS and ACF rules of behavior and policies related to records management, privacy, and cybersecurity. This also has a negative impact on individuals represented in the data, grantee users, and OFA/ACF/HHS (e.g. identify theft, fraud, embarrassment/loss of reputation)

re: user actions to maintain security and to respond to suspected security incidents

• upholding least privilege standards (e.g. protocols for changing user permissions)
• following TDP IRP
• examples of privacy incidents and breaches that warrant IRP activation
• monitoring of security issues/unusual activities (types and where to track them)

links to relevant hhs+ acf rules/policies/resources

• records management
• privacy training 101
• cybersecurity 101
• role-based training for hhs IT admins

re: certificates

• certificate example (only accessible to staff with an HHS PIV)

[valcollignon]

@ADPennington - where does this ticket stand? It's been in "Next Sprint Backlog" since May 21. Can this move back to backlog until we're ready for it? CC: @lfrohlich

[lfrohlich]

I moved it back to product backlog

[stevenino]

Will be discussed at the next IPT meeting. Not required for v1

[lfrohlich]

Per IPT 4/6/22 -- HHS trainings should be sufficient. Alex and Thomas will need to submit certificates annually.

[ADPennington]

Per IPT 4/6/22 -- HHS trainings should be sufficient. Alex and Thomas will need to submit certificates annually.

recommend we write a security control implementation statement relevant to AT series and store it here with the others. cc: @lfrohlich @stevenino

[stevenino]

Per IPT 4/6/22 -- HHS trainings should be sufficient. Alex and Thomas will need to submit certificates annually.

recommend we write a security control implementation statement relevant to AT series and store it here with the others. cc: @lfrohlich @stevenino

Would that be an AC for this ticket or can we close this ticket now as not required?

[ADPennington]

Per IPT 4/6/22 -- HHS trainings should be sufficient. Alex and Thomas will need to submit certificates annually.

recommend we write a security control implementation statement relevant to AT series and store it here with the others. cc: @lfrohlich @stevenino

Would that be an AC for this ticket or can we close this ticket now as not required?

i updated ACs @stevenino.