EXECUTIVE ORDER NO. 005
THE METROPOLITAN GOVERNMENT OF NASHVILLE AND DAVIDSON COUNTY
Karl F. Dean, Mayor
SUBJECT: Information Security Management Training
I, Karl Dean, Mayor of the Metropolitan Government of Nashville and Davidson County, by virtue of the power and authority vested in me, do hereby find, direct and order the following:
I. Understanding the importance of individual responsibility and accountability for information security management is paramount to achieving the Metropolitan Government of Nashville and Davidson County’s (Metropolitan Government) information security management goals.
III. General information security awareness training and targeted, specific, training are important elements in information security management.
III. Information security awareness training needs to be continuously improved and reinforced.
IV. The training of all Metropolitan Government employees and third party users (including, but not limited to, consultants, contractors, interns and temporaries with access to Metropolitan Government information technology and security management) in information security awareness is imperative in order to help protect the confidentiality, integrity and availability of the electronic and non electronic information of the public, Metropolitan Government employees, and the Metropolitan Government itself.
V. Training Program
The Department of Human Resources, with the assistance of the Department of Information Technology Services and the Department of General Services, shall identify information security management training requirements, develop curriculum, implement thorough institutional training systems, and improve curriculum and requirements to adjust to changing threat models, vulnerabilities, risks, and identified gaps and deficiencies. Specifically, they will:
1. prepare and maintain one or more information security management manuals that concisely describe the Metropolitan Government’s information security management policies and procedures;
2. develop and maintain a process to communicate new information security management program information, including, but not limited to, security items of interest and ongoing reminders;
3. define the level of information security awareness training required for each job/role description and include the level of information security awareness training required into personnel job/role descriptions and responsibilities;
4. prepare programs on information security awareness training and devise a plan on presenting these programs to all Metropolitan Government employees and third party users according to the level of security required in personnel job/role descriptions and responsibilities. In addition,
a. these programs will address the requirements for appropriate training for each job/role, as reflected in applicable policies and procedures;
b. training objectives and content must be aligned with the jobs/roles and responsibilities of the trainees to maintain a targeted and focused training effort;
c. where practical, training must use real world examples to clearly illustrate learning principles and illuminate situations that may be encountered by trainees; and
d. training content and completion shall be documented and maintained on file in the Department of Human Resources;
5. review, as necessary, but at least annually, the content of required training courses to promote the use of best practices for information security management. This will enable training objectives to reflect changes in needs, policies, and technologies, as well as external requirements, such as federal and state laws and contractual obligations; and
6. assure accountability in information security management during pre-employment (including, but not limited to, background screenings); employment (including, but not limited to, during transfers or promotions and during any disciplinary process); and post employment (including, but not limited to, the removal of access rights).
VI. Employee and Third Party User Training
All Metropolitan Government employees and third party users are required to complete the information security awareness training that shall be conducted under the direction of the Metropolitan Department of Human Resources. In addition,
1. all new employees and third party users must attend or complete an approved information security awareness training class prior to, or at least within thirty (30) days of, being granted access to the Metropolitan Government’s information assets;
2. all employees and third party users must sign an acknowledgement stating they have read and understand the Metropolitan Government’s requirements regarding information security policies and procedures;
3. all employees and third party users must be provided with sufficient training and supporting reference materials to allow them to properly protect the Metropolitan Government’s information assets;
4. all employees and third party users must attend or complete information security compliance refresher training, as is determined necessary by the Department Human Resources, that reinforces security concepts, practices, and responsibilities and addresses any new information security issues that may arise; and
5. all employees and third party users must be aware of their responsibilities to protect the Metropolitan Government’s information assets and be adequately trained to fulfill those responsibilities.
VII. Persons Covered
This Executive Order shall apply to all Metropolitan Government employees and third party users except: employees and users of the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency. I hereby request that the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency develop a similar training program and require that the employees and users under their authority receive information security awareness training.
VIII. Supervisors Responsible
Each employee of the Metropolitan Government who acts in a supervisory capacity is responsible for overseeing compliance with this Executive Order by those persons in his or her line of authority.
IX. Implementation Schedule
The training required by this Executive Order for current Metropolitan Government employees and third party users shall be completed as expeditiously as possible. The Department of Human Resources shall also be responsible for providing this training to each new Metropolitan Government employee and third party user.
Ordered, Effective and Issued:
Karl F. Dean
Date: March 17, 2008