Page 14 - Information_Security_Program

SECURITY TRAINING AND AWARENESS [DP231]

        Scope: Enterprise
        Distribution: All employees and contractors with access to privacy‐restricted information
        Purpose: To ensure that employees and contractors know their roles and responsibilities with regard to information security.
        External Regulation or Standard: 45 CFR 164.308(a)(5)(i), 45 CFR 164.308(a)(5)(ii)(A) ‐ Security Awareness and Training, PCI 12.6, ISO 27001 A.8.1.2

         Who is Responsible    Statement     Policy, Standard, or Procedure Statement
                                Number
         Director of Information   DP231.1   The Director of Information Technology, Privacy and Data Security will maintain the
         Technology, Privacy                 organization's security training and awareness program.
         and Data Security
         Director of Information   DP231.2   The security training and awareness program will instruct employees and contractors
         Technology, Privacy                 on their roles and responsibilities with regard to information security and include, at
         and Data Security                   a minimum:
         Director of Information   DP231.3   Training materials for new employees and contractors;
         Technology, Privacy
         and Data Security
         Director of Information   DP231.4   Annual all‐employee training exercises; and
         Technology, Privacy
         and Data Security
         Director of Information   DP231.5   Periodic all‐employee communications.
         Technology, Privacy
         and Data Security
         Director of Information   DP231.6   The security training and awareness program will require employees to acknowledge
         Technology, Privacy                 they have read and understood the company’s security policy and procedures.
         and Data Security
         Directors, Managers     DP231.7     Directors, managers and supervisors are responsible for ensuring employees,
         and Supervisors                     contractors, volunteers and participants under their supervision that have access to
                                             privacy‐restricted information complete the necessary data security training in a
                                             timely manner.
         Employees and           DP231.8     All employees and contractors with access to privacy‐restricted information will
         Contractors with                    review and sign off on all privacy and relevant privacy and data security policies
         Access to Privacy‐                  annually prior to accessing privacy‐restricted information.
         Restricted Information


























        GES CONFIDENTIAL