Agenda Item #7.
Regular Council
STAFF MEMO
Meeting: Regular Council - Jun 08 2023
Staff Contact: Brad Gomberg, Director of IT Department: IT
Consider Approval of IT Security Awareness Policy
Florida Statutes 282.3185 (Local Government Cybersecurity Act) requires municipalities to develop
cybersecurity training for all employees with access to its network, and to ensure that this training is
completed within 30 days after employment, and annually thereafter. The goal is to ensure that all staff
and other users of the Village's information systems understand and apply security awareness
measures in order to protect the Village's information systems, personally identifiable information, and
other sensitive information.
The IT department authored this policy which was reviewed by HR and Labor attorney Lara Donlon. It
will be housed with the HR department's Personnel policies and managed jointly by HR and IT.
This document and any attachments may be reproduced upon request in an alternative format by
completing our Accessibility Feedback Form, sending an e-mail to the Village Clerk or calling
561-768-0443.
PROJECT NAME: N/A
BUDGET: Refer to above memo
ENCUMBERED: N/A
Proposed: Refer to above memo
Projected Remaining: Refer to above memo
I.T. Security Awareness 3.8b 5.31.23 FINAL ADA
Page 108 of 768
VILLAGE OF TEQUESTA
PERSONNEL POLICY
TITLE: I.T. SECURITY AWARENESS
(ITSA)
POLICY: 3.8b
EFFECTIVE: June 8, 2023
REVISED: New
PAGES:
CONTENTS: This policy consists of the following
numbered sections:
I. Purpose
II. Policy Statement
III. Policy Scope
IV. Security Requirements
V. Compliance
VI. Non-Compliance
VII. Enforcement
I. PURPOSE:
The purpose of this policy is to ensure that all Village
staff and users of the Village's information systems
are aware of, understand, and apply security awareness
in order to protect the Village's information systems,
personally identifiable information, and other
sensitive information, by ensuring information
confidentiality, integrity and availability of data. The
quality and integrity of the Village's I.T. Security
Awareness (ITSA) program ensures that all Village
staff understand the security implications of their
actions and increases the likelihood that information
system security will not be breached, either
intentionally or unintentionally, through technical
measures (such as hacking) or non-technical measures
(such as social engineering). The goal of this policy is
to ensure that all Village staff understand the risks of
using information technology, how to defend against
malicious threats, and how to react to information
security events or incidents when using Village issued
software, hardware or other systems related to Village
business, regardless of where the event or incident
takes place.
II. POLICY STATEMENT:
To establish a formal and efficient ITSA program for
the Village of Tequesta, a strong information program
requires all users to be proficient in understanding
security policies, procedures, and technical security
controls. All Village staff members need to have the
necessary skills to carry out their assigned duties in a
safe and secure manner. This policy promotes
continuous employee training around data security and
privacy education.
III. POLICY SCOPE
This policy applies to all users of information systems
that belong to the Village of Tequesta, and everyone
who utilizes Village or personally owned systems to
access the organization's data and networks. This
Security Awareness Policy applies to all parties who
interface with Village IT systems. Specifically, it
includes:
1. All employees, whether employed on a full-time
or part-time basis by The Village of Tequesta,
2. All contractors and third parties that work on
behalf of and are paid directly by The Village of
Tequesta,
3. All contractors, Temp Agencies and third parties
that work on behalf of The Village of Tequesta
but are paid directly by an alternate employer,
4. All employees of partners and clients of The
Village of Tequesta who access Village non-
public information systems,
5. All Council Members, volunteers, paid and
unpaid interns.
IV. SECURITY REQUIREMENTS
1. The IT department or its designee will ensure
that managers, systems administrators, and users
of organizational information systems are made
aware of the security risks associated with their
activities and the applicable policies, standards,
and procedures related to the security of
organizational information systems.
2. All Village department heads or directors and
mid-level managers must ensure that all Village
staff within each respective department are
taking and adhering to the training necessary to
carry out their assigned information security
related duties and responsibilities.
3. Periodic simulated attack audits shall be
performed by the IT department to verify
compliance and assess the effectiveness of
training.
4. Security awareness training will be provided to
ensure all parties within the scope of this policy
can recognize and take appropriate action on
indicators of physical and logical threats.
5. All Village employees are required to complete
security awareness training:
a. Within two (2) business days of employment
(or by the end of the second shift for those
with schedules on non-consecutive business
days),
b. After a failure to recognize a simulated
attack,
c. After a failure to recognize a real attack,
depending on the individual's post-incident
job status,
d. After the deployment of a new or
significantly updated/revised information
system, and
e. On an annual basis.
6. Security awareness efforts and training are
ongoing at The Village of Tequesta via periodic
Phishing, Vishing, Smishing, and/or other Social
Engineering campaigns, and annual or remedial
cybersecurity awareness training campaigns.
V. COMPLIANCE
The Village of Tequesta will train all parties on what
actions or non-actions should be taken when they are
exposed to security threats. Certain actions or
non-actions by a user may result in a compliance event. A
compliance event will assist the IT Department in
identifying threats and taking action to further secure
The Village of Tequesta's systems and data.
A compliance event includes, but is not limited to:
1. Deleting a simulated or real phishing, smishing,
spear phishing, or other social engineering
content,
2. Submitting a simulated or real phishing,
smishing, spear phishing, or other social
engineering content via the "Phish Alert" process
in Microsoft Outlook, Outlook Web Access, or
mobile device mail app,
3. Reporting real or simulated attacks to the Village
of Tequesta IT Department for investigation,
4. Notifying the Tequesta Police Department of a
suspicious person attempting to tailgate or
otherwise gain access to restricted areas of the
Village.
Taking no action on a simulated or real phishing,
smishing, spear phishing, or other social engineering
content is considered partial compliance, as the
content remains in the user's profile and can
potentially be activated at a later date.
VI. NON-COMPLIANCE
Violations of this policy and non-compliance events
(NCE) will be treated like other allegations of
wrongdoing at The Village of Tequesta.
Users under the scope of this policy and procedure
must adhere to the stipulated security requirements.
Any user in violation of the parameters of this policy
or procedure will be considered non-compliant and
subject to enforcement actions as outlined below in
Section VII (Enforcement), or subject to disciplinary
actions as outlined within applicable collective
bargaining agreements and department policies. Users
may be considered non-compliant if:
1. A user fails to complete Annual awareness
training within two (2) business days of
employment (or by the end of the second shift for
those with schedules on non-consecutive business
days), provided they were scheduled for the
training by the IT Department and provided time
during the workday to complete the training,
2. A user fails to complete remedial training within
7 days of being directed to do so, or an
agreed-upon time established by the Village Manager,
Department head or designee, or appropriate
authority, where circumstances dictate,
3. A user fails an actual or simulated social
engineering attack,
4. A user takes action on or activates content within
any real social engineering attack or otherwise
grants a threat actor access to protected
information or the Village network,
5. A user continually fails to carry out expected
actions from awareness and training.
Failure of an actual or simulated social engineering
attack includes but is not limited to:
1. Clicking on a URL within a phishing attempt,
2. Replying with any information to a phishing
attempt,
3. Opening an attachment that is part of a phishing
attempt,
4. Enabling macros that are within an attachment as
part of a phishing attempt,
5. Allowing exploit code to run as part of a phishing
attempt,
6. Entering any data within a landing page as part of
a phishing attempt,
7. Transmitting any information as part of a vishing
attempt,
8. Replying with any information to a smishing
attempt,
9. Complying with any requests made by a threat
actor as part of social engineering attempt,
10. Plugging in a USB stick or removable drive as
part of a non-Village initiated social engineering
attempt,
11. Allowing any non-authorized persons into
protected or secured physical locations
throughout the Village,
12. Failing to follow The Village of Tequesta's
policies in the course of a physical social
engineering attempt.
VII. ENFORCEMENT
Non-Compliance with Simulated Events
The total number of Non-Compliant Village initiated
events considered for enforcement will accrue over a
rolling 12-month period. Any user found in violation
of this policy and demonstrating a lack of competence
shall require immediate corrective action as
determined by the number and/or severity of events as
follows:

NCE | Corrective Action
1st | Remedial Security Awareness Training / Testing
2nd | Remedial Security Awareness Training / Testing, and a meeting with their respective department head and the IT Director to assist the employee to improve his/her recognition of malicious clues within content.
3rd | Remedial Security Awareness Training / Testing, meeting with the IT Director and HR Director, a verbal warning; possible deactivation of the user and/or temporarily disabling the user's email account where feasible.
4th | Remedial Security Awareness Training / Testing, meeting with the IT Director, HR Director and Village Manager, and a written warning.
Acquiescing to a Real Social Engineering Attack
The Village reserves the right to take appropriate
disciplinary or corrective action up to and including
termination for not adhering to, or non-compliance
with the stipulated IT security requirements, or for
demonstrated lack of competence resulting in
acquiescence to a real social engineering attack (not
training exercise), in accordance with the Village's
Personnel Policies, applicable collective bargaining
agreements, and department policies.
APPROVAL:
JEREMY ALLEN, VILLAGE MANAGER
TEQUESTA, FLORIDA