Medium

Purpose

To establish an employee security awareness policy that ensures employees who use the state network are informed of the current security best practices recommended for the technologies the state uses.

Standard

  1. Employees shall complete the NDIT provided Information Security Awareness overview on their first day of employment.
  2. Employees shall complete the NDIT Information Security Awareness Training within the first three business days of being given credentials to access the state government network.
  3. Employees shall complete the NDIT Information Security Awareness Training (Refresher) annually.
  4. Employees shall complete the ongoing Information Security Awareness Trainings quarterly.
  5. Employees who do not complete an assigned training within sixty (60) days of its assignment will be reported to their agency's HR Division.
  6. Social Engineering Campaign Trainings:
    1. Employees who fail a phishing campaign will receive the Social Engineering Indicator page as their training.
    2. Employees failing three (3) campaigns during a twelve (12) month period will be required to take an additional training.
    3. Employees failing four (4) campaigns during a twelve (12) month period will be required to attend a cybersecurity training presented by NDIT. The employee's supervisor will be notified.
    4. Employees failing five (5) or more campaigns during a twelve (12) month period will be referred by NDIT Security to the agency's HR Department.

Definition

Employee - Includes both state government employees and non-state government employees. Non-state government employees are individuals employed by a private vendor who are working on a state project.

State Government Network - Also referred to as "Internal"; the perimeter of the network infrastructure used solely by State Agencies. It excludes other government branches, such as K12, North Dakota universities, and other political subdivisions attached externally to the State network.

Social Engineering - A broad range of malicious activities performed through human interaction, using psychological manipulation to deceive users into making security mistakes or giving away sensitive information. Common forms include phishing (email), vishing (voice), and smishing (text message).

Policy

To provide security awareness training that enhances the protection of the state information technology infrastructure.

Scope

This standard applies to all executive branch state agencies, including the University System Office, but excludes other higher education institutions, i.e., campuses and agricultural and research centers.

Statement of Commitment

North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09).

Non-Compliance

Non-compliance with this standard shall be reported to the Office of the State Auditor.


Revision Number: 5
Revision Date: 2022-10-24
Effective Date: 2005-07-19
Last Reviewed: 2023-03-24
Number: POL0020119