Security Awareness Training
The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.
Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory. Following are examples of gaps in security awareness training:
- The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.
- Employees did not complete security awareness refresher training.
Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.