The Office of Personnel Management has published final rules concerning the obligations of federal agencies to train employees on information technology security. The rules, in the June 14 Federal Register, largely restate in plainer language previous guidance on that issue. The regs require agencies to develop a plan for information systems security awareness and training, identify employees with significant responsibilities in that area, and provide role-specific training in accordance with federal standards. All users must be exposed to security awareness materials at least annually, and executives must receive training in information security basics and policy-level training in security planning and management. Additional training is required for IT security program managers, auditors and other security-oriented personnel. Refresher training must be provided as frequently as the agency determines necessary, based on the sensitivity of the information.
Fedweek
Security Awareness Rules Issued
By: fedweek