
Policy #: 6.111
Title: Information Security Awareness Training
Effective Date: 05/08/07
PURPOSE
_______________________________________________________________
To ensure that the appropriate level of information security awareness training is provided to all users (County employees, contractors, sub-contractors, volunteers and other governmental and private agency staff) of County information technology (IT) resources.
REFERENCE
_______________________________________________________________
Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information
May 8, 2007, Board Order No. 26
Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy
POLICY
_______________________________________________________________
Effective information security programs must include user information security awareness training as well as training in the handling and protection of personal and/or confidential information and in the user's responsibility to notify County department management in the event of actual or suspected loss or disclosure of personal and/or confidential information. Training must begin with employee orientation and must be conducted on a periodic basis throughout the person's term of employment with the County.
Periodic information security awareness training must be provided to all users of County IT resources and should be documented to assist County department management in determining employee awareness and participation. Users must be aware of basic information security requirements and their responsibility to protect all information (personal, confidential, other).
The Chief Information Office (CIO) shall facilitate and coordinate with County departments to establish and maintain a countywide information security awareness training program. This program will be based on County IT security policies to ensure County IT resources (i.e., hardware, software, information, etc.) are not compromised.
County departments may develop additional information security awareness training programs based on their specific needs and sensitivity of information. Each County department shall ensure its employees/users participate in the countywide as well as any specific departmental information security awareness training programs.
Information security awareness training shall be provided to employees/users as appropriate to their job function, duties and responsibilities.
Definition Reference
As used in this policy, the terms "personal information" and "confidential information" shall have the same meanings as set forth in Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information.
Policy Exceptions
Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.
RESPONSIBLE DEPARTMENT
_______________________________________________________________
Chief Information Office
DATE ISSUED/SUNSET DATE
_______________________________________________________________
Issue Date: May 8, 2007
Sunset Review Date: May 8, 2011