Cyber Security Training Mandates


Introduction

Humans are repeatedly identified as the weakest link in the cybersecurity chain. We are highly susceptible to phishing attacks, social engineering schemes, and other deceptive attempts. This realization makes cybersecurity training increasingly important. Companies are putting more effort into their cybersecurity training programs, but does the law actually require cybersecurity training, or is it just something good to do?

No matter your industry, many laws and mandates require employees to receive some level of cybersecurity training. Where applicable, these laws and mandates also dictate tracking requirements. It’s not enough to just implement training; you need to track and document that all applicable employees have taken it. Audits do happen! It’s important to note that training requirements may vary based on roles and levels of responsibility. A privileged user, such as a system administrator, engineer, or developer, may have different requirements than a standard user, who may in turn have different requirements than an executive. Below we will discuss various compliance laws and how they define cybersecurity training.

Federal Regulations

If you are a business owner, an independent contractor, or an employee, you are subject to cybersecurity regulation. From a federal perspective, your industry determines which regulatory bodies and legislation apply to you. If you work in healthcare, you have heard of HIPAA. If you work in the DoD or federal government, you’ve probably heard of FISMA. Not only your industry but also the functions you perform determine which regulations you must abide by. You could be subject to multiple laws, regulations, and authorities. If you’re an IT company that processes health-related data, you may need to know about FISMA as well as HIPAA requirements. Most federal training requirements are expected to be performed at least annually.

  • Federal Information Security Modernization Act (FISMA)

The Office of Management and Budget (OMB) is responsible for managing the Federal Information Security Modernization Act of 2014. This is the overarching mandate for federal agencies. FISMA requires all federal employees and contractors to participate in annual cybersecurity training.

  • Health Insurance Portability and Accountability Act (HIPAA)

HIPAA has been around since 1996. It is a federal law issued by the U.S. Department of Health and Human Services (HHS). It provides national standards for the protection of health and healthcare information. HHS enforces role-based training requirements derived from the OMB A-130 and FISMA requirements, and this training is also required annually.

  • Gramm-Leach-Bliley Act (GLBA)

The GLBA governs how financial organizations protect non-public information (NPI). Annual training is required.

  • Payment Card Industry Data Security Standard (PCI DSS)

This standard regulates the banking industry and applies to any organization that processes payments via credit card. Annual training is required.

  • General Data Protection Regulation (GDPR)

The GDPR was launched to ensure that businesses secure the private data of European citizens. Even if you are a US-based company, you are subject to compliance if you manage any European customer data. GDPR requires annual privacy awareness training.

State Regulations

State regulations are still evolving and adapting. Below we address the requirements for each state.

  • Alabama

Alabama Code Title 41, Section 28, Articles 1-8 sets out Alabama’s information technology laws. The Executive Branch Secretary indirectly authorizes cyber training, and training is provided here: http://www.cybersecurity.alabama.gov/IntTraining.aspx

  • Alaska

Alaska does not mandate cybersecurity training. However, the state does provide training (http://doa.alaska.gov/ets/security/sa_bulletins/) and threat indicators (http://doa.alaska.gov/ets/security/threatindicatorsoa.html). Alaska’s Department of Administration, Enterprise Technology Services division, maintains the state’s cybersecurity website.

  • Arizona

Arizona does not mandate cybersecurity training. However, the Chief Information Officer develops the state IT strategic plan, and cyber training is incorporated under goal 1.4: https://aset.az.gov/sites/default/files/Strategic-Plan-2014-2018-v12.pdf.

  • Arkansas

Arkansas does not mandate cybersecurity training. Voluntary training is developed and provided by the State of Arkansas Department of Information Systems, Cybersecurity Office: http://www.dis.arkansas.gov/security/Pages/default.aspx

  • California

California does not mandate cyber training. However, there are several training opportunities:

https://cdt.ca.gov/security/

Individual state agencies like the DMV and the Franchise Tax Board implement mandatory cyber training.

  • Colorado

Colorado requires cyber training for state employees. It is statutorily required under the Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.

http://www.oit.state.co.us/ois/stateemployees

  • Connecticut

Connecticut mandates cybersecurity awareness training for state employees.

  • Delaware

Delaware mandates statewide cyber training for all executive branch, state, and local agency employees through Delaware Code Title 29, Chapter 90C.

  • Florida

Florida mandates cyber training for state employees as required by Florida Statutes Chapter 282. http://www.fdle.state.fl.us/cms/EmployeeTraining.aspx

  • Georgia

GA E.O. 182 – This executive order mandates that all Executive Branch agencies and employees complete cybersecurity training within ninety (90) days of the release of the order.

  • Hawaii

Hawaii does not mandate cybersecurity awareness training but does provide a cybersecurity program: https://ets.hawaii.gov/state-of-hawaii-cyber-security-program/

  • Idaho

Idaho does not mandate cybersecurity training but does provide training on its state webpage: https://cybersecurity.idaho.gov/training/

  • Illinois

In Illinois, Cook County has training: http://www.govtech.com/security/Cybersecurity-Training-for-Cook-County-IllinoisEmployees.html

  • Indiana

Indiana recently released a bill to mandate cybersecurity training: IN H 1240

  • Iowa

Iowa has voluntary security awareness training produced by the Executive branch: https://secureonline.iowa.gov/about-iso/2016-03-10/iso-catalog-services

  • Kansas

The Kansas Office of Information Technology Services webpage has self-assessment security tools – https://oits.ks.gov/kito/it-security-council

  • Kentucky

Kentucky does not mandate cybersecurity training but does host annual training for state government employees during October, Cybersecurity Awareness Month.

  • Louisiana

Louisiana has mandatory cybersecurity training for new employees and annually thereafter, pursuant to the Louisiana Division of Administration, Office of Technology Services (p. 52) – LA H 633.

  • Maine

Maine does not mandate cyber training. They do provide training for new employees through the Maine Office of Information Technology: http://maine.gov/oit/security/

  • Maryland

Maryland requires state employee cyber training through DHS. State agency personnel have to take a cyber class each month in order to gain access to state networks – http://doit.maryland.gov/Publications/DoITSecurityPolicy.pdf http://doit.maryland.gov/cybersecurity/Pages/default.aspx

  • Massachusetts

Massachusetts does not mandate cyber training.

  • Michigan

Michigan does not mandate cybersecurity training. The state does, however, offer online training for state employees: http://www.michigan.gov/cybersecurity/0,4557,7-217-51788-192552--,00.html

  • Minnesota

Minnesota does not mandate cybersecurity training. The state offers security services to employees and residents: http://mn.gov/mnit/

  • Mississippi

Mississippi does not mandate cybersecurity training. They do provide online training resources for state employees through an outside college: http://www.its.ms.gov/Services/Pages/education.aspx

  • Missouri

Missouri has an employee tips webpage – https://www.cybersecurity.mo.gov/employee_tips/ and https://cybersecurity.mo.gov/

  • Montana

Montana enforces mandatory cyber training for executive branch state employees upon hiring and annually thereafter. Legislative branch employees are not required to take cyber training but are encouraged to do so.

  • Nebraska

Nebraska has mandatory annual training and a refresher course for all Nebraska state employees.

  • Nevada

Nevada requires annual cybersecurity training for state employees on an agency-by-agency basis, and a passing grade is required. See State Security Standard 123 – IT Security.

  • New Hampshire

New Hampshire requires mandatory annual cyber training for state employees through an executive order.

  • New Jersey

New Jersey recently passed legislation to mandate annual cybersecurity awareness training: NJ A 1654

  • New Mexico

New Mexico does not have mandatory cyber training.

  • New York

New York does not mandate cyber training but provides training for the general public: https://www.its.ny.gov/awarenesstrainingevents

  • North Carolina

North Carolina mandates that each agency provide training and annual assessments of security issues on an agency-by-agency basis.

  • North Dakota

North Dakota does not mandate cybersecurity training. They provide security information for state government employees: https://www.nd.gov/itd/services/it-security

  • Ohio

Ohio mandates cybersecurity awareness training through its IT-15 (Security Awareness and Training) mandate. Training is provided here:

http://infosec.ohio.gov/Government/StateGovernment/Security/TrainingandAwareness.aspx

  • Oklahoma

Oklahoma does not mandate cyber training. The Oklahoma Department of Homeland Security provides a webpage with cyber tips: https://www.ok.gov/homeland/Cyber_Security/.

  • Oregon

Oregon employees, volunteers, and third-party users will receive appropriate cyber awareness training and regular updates on policies and procedures.

  • Pennsylvania

Pennsylvania mandates annual online security awareness training for all state government employees – http://www.oa.pa.gov/

  • Rhode Island

Rhode Island does not mandate cyber training.

  • South Carolina

Cyber training is not mandated. The state offers a training program through DHS to state government employees: https://admin.sc.gov/Training/InfoSecandPDP

  • South Dakota

South Dakota does not mandate cybersecurity training. They do provide a training resources page: http://cybersecurity.sd.gov/trainingandeducation.aspx

  • Tennessee

State employees are expected, but not mandated, to take state-provided security and awareness training when first employed and annually thereafter: https://www.tn.gov/

  • Texas

Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.

  • Utah

Utah has mandatory cyber training for all executive branch level state employees. Training must be completed annually. Below are the security policies:

  • Vermont

Vermont enforces mandatory security awareness training for all new state employees. There is no current requirement for repeat training. Their standards and directives include:

  • Virginia

Virginia requires agency-by-agency state employee training: VA H 852.

  • Washington

Washington state does not mandate cybersecurity training.

  • West Virginia

Cybersecurity training in West Virginia is mandatory under WV Code Section 5A-6-4a.

  • Wisconsin

Wisconsin does not mandate cyber training. Training is available for employees and the general public: http://www.readywisconsin.wi.gov/cyber/default.asp

  • Wyoming

Wyoming does not mandate cybersecurity training. There is, however, a cyber awareness page provided for the general public: http://wyohomelandsecurity.state.wy.us/cyber.aspx