(A) Purpose. This document establishes the Information Security Awareness Training Policy for Howard County. This policy ensures security awareness and training controls that protect the confidentiality, integrity, and availability of the county's information resources.
(B) Scope. This policy applies to all county employees and elected officials who access county information resources.
(C) Policy. The Information Systems Department, on behalf of the county, shall define and ensure the implementation of an information security awareness training program to increase users' awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of county information resources.
(1) Initial training. Initial security awareness training must be completed within 30 days of date of hire, or effective start date.
(2) Refresher training. Security awareness refresher training must be completed annually, within 60 days of the anniversary of the previous instance of such training.
(D) Compliance. The Information Systems Department shall initiate mechanisms for tracking compliance with this policy, as well as mechanisms to measure application of training.
(1) Monthly phishing assessment. The Information Systems Department shall deliver a random phishing message to all county email addresses to assess the level of email security and click discipline.
(2) Recourse for noncompliance. The Information Systems Department is authorized to limit network access for individuals or units not in compliance with information security policies and related procedures. In cases of noncompliance with this policy, the county may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative and employment policies.
(a) Phishing assessment failures. A phishing assessment failure is defined as clicking a link, opening an attachment, or replying to the monthly phishing assessment email message from the Information Systems Department. Failures are calculated yearly.
1. First offense. Individual shall be assigned remedial training to be completed within 30 days of failure.
2. Second offense. Individual shall be assigned remedial training to be completed within 30 days of failure. A follow-up consultation shall be done with the individual and the Information Systems Director to address issue of non-compliance.
3. Third offense. Individual shall be assigned remedial training to be completed within 30 days of failure. A follow-up consultation shall also be done with the individual, the individual's manager, and the Information Systems Director to address issue of noncompliance.
4. Fourth offense (and subsequent failures). Individual shall have external email access removed immediately. A follow-up consultation shall be done to determine appropriate administrative actions and how to address issue of non-compliance.
(Ord. 2020-BCCO-1, passed 1-6-20)