Organizational System Security Plan (SSP) – Employee Security Training Protocols

Control 03.02.02 

1. Introduction:
Safeguarding our organizational assets and data is not solely dependent on technological measures but also hinges on the preparedness and knowledge of our team. This document elaborates our systematic approach to employee security training.

2. Assessment & Policy Framework:

a. Organizational Needs Analysis: Before curating our training approach, we delved into understanding our organizational needs and the access levels of various personnel.

b. Documented Protocols: Our assessment led to the formulation of detailed policies and procedures which lay down the foundation for our security training program, including the techniques to be used.

c. Role-based Responsibilities: Every stakeholder in our organization, be it managers, system administrators, or general users, has a distinct role to play. Their respective responsibilities towards ensuring organizational security have been clearly defined.

3. Structured Training Sessions:

a. Content Diversity: Our formal training encompasses a range of topics, highlighting the importance of information security, identification of prevalent threats, adherence to security best practices, and the methodologies for incident response.

b. Tailored Training: No two roles in our organization are identical. Acknowledging this, we’ve ensured that the training content is fine-tuned according to the specific needs of different user groups and their respective system access privileges.

4. Ongoing Annual Mandatory Training:

• Training Components: An annual training mandate exists for all employees, requiring them to undergo sessions on:
  • Cybersecurity awareness
  • Insider threat identification
  • Counterintelligence awareness
  • Export compliance
  • Marking of classified information
  • Derivative classification.

5. Active Security Awareness Programs:

a. Phishing Defense: Our employees are continually trained to recognize and counteract phishing attempts, equipping them with the knowledge and tools needed to thwart such threats effectively.

b. DoD Mandatory Training: All employees that deal with classified data must complete the Department of Defense (DoD) cybersecurity training, ensuring that we consistently meet the high security standards set by the DoD.

6. System Administrators’ Continuous Learning:

a. Vendor-Driven Training: To ensure our system security remains top-notch, administrators and their backups are encouraged to participate regularly in vendor-specific training sessions. This enhances their familiarity and proficiency with crucial tools and systems.

b. Specialized Modules: Our training framework integrates specialized modules to cater to distinct needs, including Microsoft Azure administration and comprehensive comprehension of roles and responsibilities tied to security.

7. Rigorous Maintenance of Training Records:

a. IT Admins’ Training Trail: Every training session attended is logged in our IT ticketing system. This practice ensures clarity and holds personnel accountable for their training commitments.

b. Training Records for General Staff: The Human Resources department is entrusted with the upkeep of training records for the rest of the staff. This ensures that everyone is on the same page and updated with mandatory training modules.

Plan of Action and Milestones (POA&M) for Organizational System Security Plan (SSP) – Employee Security Training Protocols

Control: 03.02.02 – Security Training

1. Introduction:

• Milestone: Communicate the significance of security training to all employees.
• Action: Develop and distribute a briefing to highlight the importance of security awareness and training.
• Deadline: [Date]

2. Assessment & Policy Framework:

a. Organizational Needs Analysis

• Milestone: Complete the organizational needs analysis.
• Action: Conduct a workshop to understand the current needs and access levels of personnel.
• Deadline: [Date]

b. Documented Protocols

• Milestone: Document security training protocols.
• Action: Design and distribute policies and procedures manual.
• Deadline: [Date]

c. Role-based Responsibilities

• Milestone: Assign security responsibilities based on roles.
• Action: Create a responsibility matrix and communicate to stakeholders.
• Deadline: [Date]

3. Structured Training Sessions:

a. Content Diversity

• Milestone: Develop diverse training content.
• Action: Curate a list of topics and finalize content.
• Deadline: [Date]

b. Tailored Training

• Milestone: Customize training modules based on roles.
• Action: Design tailored training modules and sessions.
• Deadline: [Date]

4. Ongoing Annual Mandatory Training:

• Milestone: Launch annual mandatory training sessions.
• Action: Schedule and execute annual training sessions.
• Deadline: [Date]

5. Active Security Awareness Programs:

a. Phishing Defense

• Milestone: Reduce phishing vulnerabilities.
• Action: Implement regular phishing drills and simulations.
• Deadline: [Date]

b. DoD Mandatory Training

• Milestone: Ensure 100% compliance with DoD training requirements.
• Action: Enroll eligible employees and monitor completion.
• Deadline: [Date]

6. System Administrators’ Continuous Learning:

a. Vendor-Driven Training

• Milestone: Improve system security through vendor training.
• Action: Schedule and ensure attendance of vendor-specific sessions.
• Deadline: [Date]

b. Specialized Modules

• Milestone: Incorporate specialized training modules.
• Action: Identify needs and implement specialized training.
• Deadline: [Date]

7. Rigorous Maintenance of Training Records:

a. IT Admins’ Training Trail

• Milestone: Maintain a transparent record of IT admin training.
• Action: Regularly update IT ticketing system with training data.
• Deadline: [Date]

b. Training Records for General Staff

• Milestone: Centralize training records for staff.
• Action: Collaborate with HR to ensure accurate and updated records.
• Deadline: [Date]

https://securityawareness.usalearning.gov/cui/index.html

DoD Mandatory Controlled Unclassified Information (CUI) Training

This course is mandatory training for all DoD personnel with access to controlled unclassified information. The course provides information on the eleven training requirements for accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements.

NOTES:

1. This course and exam may be taken an unlimited number of times.
2. Students will receive a certificate for the course after passing the exam with a 70% or better score. Please note, the exam must be completed in a single session because bookmarking is not available.
3. Students are encouraged to print or save a copy of the certificate as evidence of completion as CDSE does not maintain records of course completions from this site.
4. The course will run best in Edge Chromium, Google Chrome and MozillaFirefox. Pop-ups must be enabled.
5. For those using assistive technology, the following keyboard shortcuts have been added to this course:
   • Press Ctrl + M to mute audio
   • Press Alt + Right Arrow for the next screen and Alt + Left Arrow to go to the last screen
   • Press tab to navigate interface elements of the course, and use the up and down arrow to explore instructional elements on each screen.