
Upload: hoangtram

Post on 01-May-2018



Security Operations Center
Security & Privacy Awareness Training Administration

Process: Security and Privacy Awareness Training Administration

Author: DGS Enterprise Technology Solutions (ETS) - Security Operations Center (SOC)

Purpose: The purpose of this process is to ensure that all affected persons are provided information security awareness and privacy training, producing an informed staff capable of fulfilling their responsibility to preserve and protect DGS information assets and resources. This document outlines the annually recurring process of administering the SANS “Securing the Human” Information Security Training program and the Privacy Training centered on the Information Practices Act of 1977.

Scope: This document details the recurring calendar dates and tasks of Security & Privacy Awareness Training system administration, and guides recurring initiatives and goals.

Roles: SOC: The SOC unit will be responsible for the administration of the program in its entirety under the direction of the Information Security Officer (ISO). This includes but is not limited to ongoing monitoring and maintenance, contract management, and strategic management of the program content and design.

ETS Staff: Assist in response and management of support calls for the Securing the Human online system via DGS Help Desk, including the ServiceNow portal.

DGS Personnel: Permanent employees, Seasonal Clerks, Retired Annuitants, Student Assistants and Contractors/Consultants are responsible for training completion each calendar year.

DGS Authority: Acceptable Use Policy; Security and Privacy Awareness Training Policy

Process Overview: As new Department of General Services (DGS) personnel are onboarded, it is the responsibility of the Information Security Officer (ISO) to ensure that Security Awareness (SA) and Privacy Awareness Trainings are administered. The department ISO has elected to administer the SA training through Securing The Human (STH), a tool designed to administer comprehensive online training using modern technological methodologies.

DGS personnel, or “user(s)”, referred to in this document are classified as: Permanent employees, Seasonal Clerks, Retired Annuitants, Student Assistants, Contractors/Consultants, or any other individual granted access to DGS information assets.

New personnel are onboarded with Securing the Human as a mandatory training requirement. Personnel must complete Security Awareness and Privacy training immediately upon gaining access to state information assets. Personnel are allowed a 5 business-day grace period to complete the training. Incompletion after this time will result in their network access being revoked: ETS disables their network account. It is mandatory for all DGS personnel to complete SA training annually, prior to December 31st of each year. Personnel who fail to meet this deadline will have their access revoked.

Page 1 of 13


New User Onboarding:

1. In order for personnel to gain access to state information assets with DGS, they must have a network account created by ETS via ServiceNow request. Per the ServiceNow onboarding procedures, once an account is created by ETS, a ServiceNow task is automatically created and assigned to the SOC.

2. Once the ServiceNow task is received by the SOC analyst, a “start date” must be identified. New personnel must be notified of the ISO training requirements within 24 hours (before or after) of their start date.

3. Upon the personnel start date, the SOC analyst creates the new user account in the Securing the Human program and specific, customized, training modules will be assigned to the employee based on their division, office, or unit. See “Securing the Human Account Creation” section.

4. After the new account is created, an email is generated by STH and sent to the new user for log in and completion of the Security Awareness training.

5. The SOC analyst also sends an email from the DGSInfoSec mailbox to the personnel’s supervisor and attendance clerk with additional instructions for the personnel to complete Security Awareness and Privacy Awareness training. The Privacy Training link takes the employee to the DGS SOC Intranet website, where they can find training and compliance details outlined under the Information Practices Act of 1977.

ServiceNow Tasks

The DGS SOC uses ServiceNow to track SA Training requests. The following steps are used to create and manage these request tickets:

1. Open ServiceNow and log in.
2. Open “My Groups Work” to view incoming onboarding tasks (the SOC analyst must be added to the “Security Operations Center Administration” group in ServiceNow).
3. Select the task number for the “New User Request – NAME”.
4. Update the “Assigned to” field to select the SOC analyst’s name.
5. Verify the personnel start date to determine if action is required.
6. Verify the location and classification of the user to determine what type of training will be needed.
7. Once the training account is set up (see “Securing the Human Account Creation” section), use the buttons in the task to generate the email to be sent to the new user and their supervisor. Track the task daily until the user completes the training.
8. Once personnel complete the training in STH, close the task by updating the “State” to “Close Completed”.
9. After 24 to 48 hours of not completing the training, use the ServiceNow buttons to generate a reminder email to be sent to the user and their supervisor.
10. After 5 business days, use the ServiceNow buttons to generate a Final Reminder to the user and their supervisor that allows only 24 more hours before access is revoked.
11. If training is still not completed, use the ServiceNow buttons to generate a notification to the user and their supervisor that their account is now disabled.
12. Forward a ServiceNow task to the ETS Active Directory team to disable the account.
13. Close the task.
14. If a user needs access reinstated, they will need to work with ETS to re-enable the account; they are then allowed 24 hours to complete the training before access is again revoked.

Page 2 of 13


Separated Users:

1. ABMS Separation alert or email notification is received in the DGSInfoSec inbox.
2. Look up the user profile in STH to determine which sub-account the user is under.
3. From the STH home page, under Account Management, select “Allocate Users”.
4. Select the separated user’s sub-account from the left dropdown.
5. Select “Released Employees” from the right dropdown.
6. Locate the separated user and click on their name.
7. Click on “Move Selected>” and STH will move the user to “Released Employees”.
8. Select Apply Changes.

---Done with STH task. Move to ServiceNow portal---

9. Create a new ServiceNow incident and update the SOC analyst as the Caller, the Category as “Service” and the Business Service as “Security Training”.
10. The State must be set to “Resolved” and the Assignment group and Assigned to fields must be completed accordingly.
11. Add the Short Description, Comments, and Work notes based on the information outlined in the screen shot below.
12. Resolve (Close) the task.

Page 3 of 13


Transfers within DGS:

1. ABMS transfer alert or email notification is received in the DGSInfoSec inbox.
2. Look up the user profile in STH to determine which sub-account the user is under.
3. From the STH home page, under Account Management, select “Allocate Users”.
4. Select the user’s existing sub-account from the left dropdown.
5. Select the user’s new sub-account from the right dropdown.
6. Locate the user and click on their name.
7. Click on “Move Selected>” and STH will move the user to the new sub-account.
8. Select Apply Changes.

---Done with STH task. Move to ServiceNow portal---

9. Create a new ServiceNow incident and update the SOC analyst as the Caller, the Category as “Service” and the Business Service as “Security Training”.
10. The State must be set to “Resolved” and the Assignment group and Assigned to fields must be completed accordingly.
11. Add the Short Description, Comments, and Work notes based on the information outlined in the screen shot below.
12. Resolve (Close) the task.

Page 4 of 13


Securing The Human Account Creation

Security Awareness Training accounts are created through SANS – Securing the Human. When an alert is received for a new DGS user, a SOC analyst determines the division and office in which the user will reside and assigns them to the corresponding sub-account in STH.

1. SOC analyst logs in to www.securingthehuman.org.
2. SOC analyst should pull up the new user’s information in the Outlook Address Book for reference.
3. Use the dropdown in the Account Status section to select the appropriate division where the new user resides.
4. Under Account Management click “Add Users”.
5. Using the Outlook information as a reference, input the new user’s information in the Add Single User section.
6. Click “Add User” and the user will be added as a “Queued User”.
7. Under User Management click “Manage Queued Users”.
8. Select the new user and click “Activate Users”.
9. A notice will appear that the user is going to receive a welcome email and the seat license will be assigned. Click “Confirm”.
10. Email notification is sent automatically to the new user to complete the training.

STH Password Reset Requests

1. Password reset requests should be sent to the DGS Info Sec email.
2. Respond with the URL for password reset: https://vle.securingthehuman.org/auth/forgotpassword.php

or

1. Log in to the Securing The Human administration page.
2. Under User Management, select “User Profiles”.
3. Using the available search criteria, locate the user’s profile and click “View User”.
4. Select “Reset Password” and follow the prompts to reset the password.
5. Notify the employee that their password has been reset and that they should receive an email from STH.

Page 5 of 13


Account Reconciliation

Account reconciliation is the process of ensuring that all current DGS employees with Active Directory accounts have a matching STH account and are current with their annual training requirement. Employees that have left the department for any reason are also included in this reconciliation process and are removed from STH. When DGS employees are separated from the department, a “Separation Alert” is generated by ABMS and the DGSInfoSec email is included on its distribution. When Separation Alerts are received, an ISO analyst moves the employee to the STH Sub-Account: “Released Employees.” For bulk account reconciliations, follow steps outlined below.

1. Obtain the AD users list from the AD Team.
2. Create the STH users list (“Breakout Report” under Summary Reports in STH).
3. Create a dated folder in z:\04 Security Awareness\Account Mgmt.
4. Copy Reconcile.accdb into your dated folder, then open it for edits.
5. Navigate: External Data -> Linked Table Manager.
6. Select both the AD and STH tables and choose to prompt for a new location.
7. When prompted, update the table locations to point to the files obtained in your dated folder from the steps above.
8. Close the Linked Table Manager.
9. Open the AD and STH tables to verify:
   a. AD table columns: Directory Name, E-Mail, Description, Expires
   b. STH table columns: Subaccount, FirstName, LastName, Email, Dept, Reference, Started, Completed, Product

Page 6 of 13


10. For each sub-account, export the records from “ADD to STH” using the “Export – ADD to STH” saved export.
   a. Make any manual edits as needed.
   b. Proceed to Account Management -> Add Users -> Upload Batch Users in STH.
   c. Choose your export file from its save location.
   d. Click Send File.
   e. Review the screen.
   f. Click Confirm.
11. Export the records from “REMOVE from STH” using the “Export – REMOVE from STH” saved export.
   a. Make any manual edits as needed.
   b. Submit a client support request to SANS-Securing the Human support. Request a “Bulk Reallocation of Users.” Provide the Excel spreadsheet and have the users reallocated into the “Released Employees” sub-account. ([email protected]) or https://securingthehuman.sans.org/vlehelp/resources/contact-support
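The join that Reconcile.accdb performs between the two linked tables can be expressed directly in code, which also makes the result reviewable before anything is uploaded. The following is an added example (not part of the DGS procedure and not the Access database it describes): it reads the two tables using the column names listed in step 9, matches AD and STH rows on e-mail address case-insensitively, skips AD accounts whose Expires date has already passed, and produces the ADD list (step 10) and the REMOVE list (step 11). It also reports a third case the procedure does not call out: users active in AD who still sit in “Released Employees” and need to be reallocated rather than re-added. The “Last, First” format of the AD Directory Name, the ISO format of Expires, the Description-to-sub-account mapping and all sample rows are assumptions constructed for the example.

```python
"""Reconcile an Active Directory user export against an STH Breakout Report.

Added example, not part of the DGS procedure or of the Reconcile.accdb
database it describes. Column names follow the two tables listed in the
procedure. Assumptions: AD 'Directory Name' is 'Last, First'; 'Expires' is
blank or an ISO date; the AD 'Description' field names the division used to
pick the STH sub-account.
"""
import csv
import io
from datetime import date

# Constructed sample data (not real DGS records).
AD_CSV = """Directory Name,E-Mail,Description,Expires
"Doe, Jane",Jane.Doe@dgs.ca.gov,Real Estate Services Division,
"Roe, Richard",richard.roe@dgs.ca.gov,Procurement Division,2017-06-30
"Smith, Alex",alex.smith@dgs.ca.gov,Procurement Division,
"Lee, Sam",sam.lee@dgs.ca.gov,Office of Fleet and Asset Management,
"""

STH_CSV = """Subaccount,FirstName,LastName,Email,Dept,Reference,Started,Completed,Product
RESD,Jane,Doe,jane.doe@dgs.ca.gov,RESD,,2017-10-02,2017-10-05,EndUser
PD,Richard,Roe,richard.roe@dgs.ca.gov,PD,,2017-10-02,,EndUser
PD,Pat,Jones,pat.jones@dgs.ca.gov,PD,,2017-10-03,2017-10-20,EndUser
Released Employees,Sam,Lee,sam.lee@dgs.ca.gov,OFAM,,2016-10-01,2016-10-09,EndUser
"""

# Assumed mapping from the AD Description field to an STH sub-account name.
SUBACCOUNT_BY_DESCRIPTION = {
    "Real Estate Services Division": "RESD",
    "Procurement Division": "PD",
    "Office of Fleet and Asset Management": "OFAM",
}
RELEASED = "Released Employees"


def norm_email(value):
    """Case-insensitive join key; AD and STH frequently disagree on casing."""
    return value.strip().lower()


def split_directory_name(name):
    """Assumes the AD Directory Name is 'Last, First'."""
    last, _, first = name.partition(",")
    return first.strip(), last.strip()


def active_ad_users(text, today):
    """AD rows keyed by e-mail, excluding accounts whose Expires date has passed."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        expires = row["Expires"].strip()
        if expires and date.fromisoformat(expires) < today:
            continue  # expired account: should not hold a training seat
        users[norm_email(row["E-Mail"])] = row
    return users


def reconcile(ad_text, sth_text, today_iso):
    """Return the ADD, REMOVE and REACTIVATE lists for the given reconciliation date."""
    today = date.fromisoformat(today_iso)
    ad = active_ad_users(ad_text, today)
    sth = {norm_email(r["Email"]): r for r in csv.DictReader(io.StringIO(sth_text))}

    add, remove, reactivate = [], [], []
    for email, row in ad.items():
        if email not in sth:
            first, last = split_directory_name(row["Directory Name"])
            add.append({  # one row for the STH batch upload file
                "FirstName": first,
                "LastName": last,
                "Email": row["E-Mail"],
                "Subaccount": SUBACCOUNT_BY_DESCRIPTION.get(row["Description"], "Unassigned"),
            })
        elif sth[email]["Subaccount"] == RELEASED:
            reactivate.append(email)  # back in AD but parked in Released Employees
    for email, row in sth.items():
        if email not in ad and row["Subaccount"] != RELEASED:
            remove.append(email)  # gone from AD: reallocate to Released Employees
    return {"add": add, "remove": sorted(remove), "reactivate": sorted(reactivate)}


if __name__ == "__main__":
    for key, rows in reconcile(AD_CSV, STH_CSV, "2018-01-15").items():
        print(key, rows)
```

Matching on e-mail rather than display name avoids false removals when a name is spelled differently in the two systems; the expired-account check matters because an AD export normally still lists disabled or expired accounts, and adding those would burn seat licenses for people who will never log in.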

Page 7 of 13


Security Awareness Training - Annual Process:

January

Reset Employee Accounts in STH and Generate Compliance Reports

The annual “Reset” of the STH training system is required in order to reset all employees who completed the training in the previous year.

1. Collect final SA Training user data from the previous year. Once collected, detailed reporting can be accomplished outside of the STH system.
   a. Breakout Report – provides a listing of employees with start and completion dates.
   b. Account Details Report – provides an overview of the number of employees enrolled and at various points of progress. This report is grouped by sub-account to facilitate reporting by division and subgroup, if defined.

2. Compile a listing of employees that have completed the training for the previous calendar year. This list will be referred to as the End of Year SA Training Compliance report.

3. Send this listing to the ETS-CAM2 ABMS team for inclusion into the training record:
   a. Retrieve the list of active employees from the CAM2 – ABMS team. The list will include the employee’s full name, the first three letters of their last name, and the employee number.
   b. Create a file in Excel and name it “isosectrn.csv”. The file will have three columns containing the employee number, the first three letters of the employee’s last name, and the date training was completed, as shown below. Format completed users from STH in this format.
   c. Send the “isosectrn.csv” file to CAM2-Oracle.
   d. CAM2 will download the file then move it to \u10\GS12XPRD\interface_data\isosectrn.csv.
   e. CAM2 will run DGS ISO Security Training Record Upload in ABMS Sys Admin. This request set runs:
      - DGS ISO Security Training Loader, which loads the records into the xx_iso_security_training table.
      - DGS ISO Security Training Record Insertion, which takes the data from table xx_iso_security_training and uses it to update employee training records.
   f. CAM2 will notify the ISO of completion.
   g. ISO will validate the records uploaded into ABMS.
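Step 3b is a join between two lists that share no common identifier: the STH Breakout Report carries names and e-mail addresses, while the ABMS list carries names and employee numbers. The following is an added example (not the DGS procedure’s own tooling) of building the isosectrn.csv rows from those two inputs. It matches on normalized last and first name, writes a row only for STH users who actually completed, and, instead of guessing, sets aside users who match no ABMS employee or more than one (two employees with the same name) for manual resolution before the file goes to CAM2. The “LAST, FIRST” layout of the ABMS full-name field, the MM/DD/YYYY output date format, the header-less output file and the sample rows are assumptions constructed for the example.

```python
"""Build isosectrn.csv rows from the STH completion list and the ABMS employee list.

Added example, not the DGS procedure's own tooling. The three output columns
(employee number, first three letters of last name, completion date) come from
the procedure; the ABMS 'Full Name' format ('LAST, FIRST'), the MM/DD/YYYY
output date format, the header-less output file and the sample rows are
assumptions.
"""
import csv
import io
from datetime import datetime

# Constructed sample data (not real records). ABMS list as described in the
# procedure: full name, first three letters of last name, employee number.
ABMS_CSV = """Full Name,Last3,Employee Number
"DOE, JANE",DOE,100234
"JONES, PAT",JON,100411
"JONES, PAT",JON,100987
"SMITH, ALEX",SMI,100550
"""

# STH Breakout Report columns as listed in the procedure; Completed is blank
# for users who have not finished.
STH_COMPLETED_CSV = """Subaccount,FirstName,LastName,Email,Dept,Reference,Started,Completed,Product
RESD,Jane,Doe,jane.doe@dgs.ca.gov,RESD,,2017-10-02,2017-10-05,EndUser
PD,Pat,Jones,pat.jones@dgs.ca.gov,PD,,2017-10-03,2017-10-20,EndUser
PD,Alex,Smith,alex.smith@dgs.ca.gov,PD,,2017-10-03,,EndUser
OFAM,Sam,Lee,sam.lee@dgs.ca.gov,OFAM,,2017-10-04,2017-11-01,EndUser
"""


def name_key(last, first):
    """Normalized (LAST, FIRST) tuple used to join the two lists."""
    return (last.strip().upper(), first.strip().upper())


def load_abms(text):
    """Index ABMS employees by (LAST, FIRST), keeping every row so duplicates stay visible."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        last, _, first = row["Full Name"].partition(",")
        index.setdefault(name_key(last, first), []).append(row)
    return index


def build_isosectrn(sth_text, abms_text):
    """Return (rows, unmatched, ambiguous).

    rows: [employee number, Last3, MM/DD/YYYY] for each completed user that
    matched exactly one ABMS employee. Users that matched none or more than
    one are returned separately for manual resolution instead of being guessed.
    """
    abms = load_abms(abms_text)
    rows, unmatched, ambiguous = [], [], []
    for r in csv.DictReader(io.StringIO(sth_text)):
        if not r["Completed"].strip():
            continue  # only completed users belong in the training record
        matches = abms.get(name_key(r["LastName"], r["FirstName"]), [])
        if len(matches) == 0:
            unmatched.append(r["Email"])
            continue
        if len(matches) > 1:
            ambiguous.append(r["Email"])
            continue
        emp = matches[0]
        completed = datetime.strptime(r["Completed"].strip(), "%Y-%m-%d").strftime("%m/%d/%Y")
        rows.append([emp["Employee Number"], emp["Last3"], completed])
    return rows, unmatched, ambiguous


def write_isosectrn(rows):
    """Serialize the rows as the header-less CSV handed to CAM2."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, unmatched, ambiguous = build_isosectrn(STH_COMPLETED_CSV, ABMS_CSV)
    print(write_isosectrn(rows), end="")
    print("unmatched:", unmatched)
    print("ambiguous:", ambiguous)
```

The ambiguous and unmatched lists are the part worth keeping: a record loaded against the wrong employee number marks one person compliant who is not and leaves another on the Non-Compliant report in step 4, so those cases should be resolved (for example, against the Outlook Address Book entry) before the file is sent.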

4. Compile a listing of employees that have not completed the training for the previous calendar year. This list will be referred to as the End of Year SA Training Non-Compliant report.
   a. Provide this listing to the ISO and CIO.
   b. Send to division Deputy Directors.

5. In STH, navigate to Home -> Reset Training.
   a. Select All employees and uncheck “Send Reset Email”.
   b. Click “Reset Training” and click “Confirm”.
   c. Note the “Training has been reset for these users” notification.

Page 8 of 13


January cont.

Release Ex-employees to Free License Seats

DGS is given a two week Release Seats period in between license years. Until this timeframe is activated the Release Seats page will be greyed out and cannot be accessed.

Once the Release Seats page is active, utilize this feature to remove Users that are no longer with DGS and will not be part of the security awareness program for the next training cycle. Throughout the year, employees who have left the organization are moved to the sub-account “Released Employees.”

1. Navigate to the homepage of STH.
2. Click on “Release Seats” under the End of Year section.
3. Select all employees under the “Released Employees” sub-account.
4. Remove the employees and note that STH confirms that seats will be made available.

NOTE: Added employees do not use a Seat License until they have completed at least one module. Until that point, employees can be removed at any time throughout the year from the “Manage Inactive Users” page and the seats will become available for re-use.

February

License Renewal

DGS ISO will renew the license with STH annually on September 30th. The current license agreement reserves up to 3600 seats within the SA Training. Procurement of the license renewal is facilitated in partnership with the Enterprise Technology Solutions (ETS) Administration Unit.

1. ISO analyst gets an accurate number of DGS employees by Active Directory inquiry:
   a. Submit a Remedy ticket to the AD Email Group requesting a list of current AD users and the corresponding email addresses and organization information.
   b. The AD Email Group will respond with a complete spreadsheet of all currently active AD Directory users.
2. Assess the current number of AD users and compare to the available seats within the SA Training to determine if more seats should be incorporated with the new license renewal.
3. Determine the need to remove or add training modules within the SA Training.
4. Contact SANS Securing The Human to obtain a quote and invoice for license renewal.
5. After the quote is received, forward the procurement package to the ETS Admin Unit containing:
   a. DMC Package
   b. SANS official quote
   c. IT Request form

Page 9 of 13


February cont.

6. The ETS Admin Unit will then facilitate the procurement of the license renewal and finalize the purchase.
7. Notification of payment and renewal will be sent from SANS STH and all changes, if any, will be reflected in the online SA Training administration account.
8. See the Material Review and STH Marketing Refresh sections under June (Page 10) to help identify any possible changes to currently licensed SA Training modules.

March-May

Training continues its year-round availability. See “Ongoing Support” section on Page 13.

- Stay connected and aware of DGS security news and tips by visiting the ISO Intranet site at http://inside.dgs.ca.gov/iso/Home.aspx.

- Stay connected and aware of statewide security news and tips by visiting the State ISO Intranet site at http://www.cio.ca.gov/OIS/.

June

Material Review

SANS Securing The Human provides material for required Security Awareness training. The DGS Information Security Office reviews current training materials provided by STH and should determine what material to keep, add, or remove. Any new material selected will need to be incorporated into the new training curriculum. Factors to consider while reviewing current training material:

- Relevance to the department
- Best Practices
- Problem areas within DGS (vulnerabilities and frequently reported incidents)
- Specific Campaign Goals for DGS or from State ISO

STH Marketing Refresh

In an effort to maintain interest and participation with the Security Awareness training, the DGS ISO refreshes the marketing materials and strategies annually. Items to consider for a Marketing Refresh can involve, but are not limited to:

- New technologies
- Information Security slogans or articles (such as NCSAM)
- New graphics and themes
- Website layout and structure
- Methods to keep the overall training with a fresh look and feel

Page 10 of 13


July - August

Training continues its year-round availability. See “Ongoing Support” section on Page 13.

- Stay connected and aware of DGS security news and tips by visiting the ISO Intranet site at http://inside.dgs.ca.gov/iso/Home.aspx.

- Stay connected and aware of statewide security news and tips by visiting the State ISO Intranet site at http://www.cio.ca.gov/OIS/.

September

STH Campaign Preparation

The DGS Information Security Office is responsible for initiating, implementing, and administering the annual Information Security and Privacy Awareness Campaign that starts in October. Preparation procedures to ensure a successful Campaign include the following:

1. STH account reconciliation (see STH Annual Reset and Account Reconciliation sections).
2. Compare the AD list with current STH users and add absent employees to STH (see STH Account Creation section).
   a. Provide these numbers to the ISO and CIO to review.
3. Organize marketing materials (see Material Review and STH Marketing Refresh sections from June).
4. Update the DGS intranet websites (ISO, Intranet Homepage).
5. Work with PIO to manage and create content for the Campaign:
   a. Develop templates for notification emails to all DGS employees.
   b. Collaborate in regards to support, announcements, and feedback (flyers, posters, graphics, publications).
   c. Establish language and email structure for the Campaign Launch notification from the DGS Director.
6. Update the ISO SharePoint calendar to reflect all Campaign dates, meetings, and reminders.
7. Draft FAQs to publish for DGS employees and FAQ scripts to be provided to the DGS Help Desk team.
8. Submit all preparation items above to the ISO and CIO to review.
9. Collect feedback and document lessons learned for improved future Campaign implementation.

Page 11 of 13


October

National Cyber Security Month

Leverage the national campaign to refocus on the DGS campaign.

Training Campaign Continues

- Maintain STH account requests and manage tickets through ServiceNow (see ServiceNow Tasks section)
- Manage support calls for Securing the Human
- Send out reminder notices to staff that have not completed training
- Continue Securing the Human reporting
  o Weekly status of who took training
  o Send Training Completion Acknowledgement out via News Clips by the 17th.

November

Training Campaign Continues

- Manage support calls for Securing the Human
- Send out reminder notices to staff that have not completed training
- Continue Securing the Human reporting
  o Weekly status

Page 12 of 13


December

Training Campaign Ends

Training campaign ends the first week of December and the grace period extends to December 31st.

- Manage support calls for Securing the Human
- Send out reminder notices to staff that have not completed the training
- Send final metrics updates to the DGS programs, Deputy Directors, and business partners demonstrating campaign achievements and completed training, and report any employees out of compliance.

Ongoing Support:

1. Maintaining Security Awareness links and materials on the DGS ISO intranet website
2. Creating, removing, or modifying STH user accounts
   a. Separations (move to “Released Employees” sub-account in STH)
   b. Transfers within DGS (move employees’ STH accounts to new sub-accounts)
   c. Name change updates
3. Training completion and data reporting
4. Completing password resets
5. Customer support (technical questions, feedback, etc.)
6. Organizational inquiries
7. STH account reconciliation and resets
8. Collecting new marketing materials and ideas for future campaigns
9. Identifying lessons learned

References: Documents and Links

Revision History:

Version ID   Date of Change   Author     Rationale
1.0          January 2017     Joe Frei   Compliance
1.1          March 2017       Joe Frei   Updates to Procedures
1.2          March 2018       Joe Frei   Updates to Procedures

Page 13 of 13