Information Security Training Standards.

All EOHHS staff must review and acknowledge the EOHHS Information Security Training, or an approved alternative, within one (1) month of hire and prior to accessing any Information Resources in the EOHHS Environment and then on an annual basis thereafter as defined by EOHHS. The EOHHS Information Security Training shall consist of two components:

i. Any required EOTSS information security training generally made available to EOHHS staff, and
ii. Any required EOHHS information security training.

EOHHS has published the EOHHS Information Security Training on PACE. Previous versions of the EOHHS Information Security Training may be stored elsewhere but should not be relied upon for compliance purposes. At a minimum, all staff are required to take that calendar year’s information security training posted to PACE. The Security Office has also developed other information security training for specific types of data that may be required based on job duties and role.

All EOHHS staff must take information security training that covers the following subject matter:

• Definition of sensitive information,
• An explanation of the need to safeguard sensitive information,
• How to protect sensitive information,
• Least access privilege,
• Password requirements,
• Kinds of data breaches and attack vectors,
• Email management,
• Incident reporting, and
• Steps that staff can take to prevent a data breach.

The current EOHHS information security training is deemed to meet the requirements of Executive Order 504 training for EOHHS employees. Additionally, the training is designed to contain information that is intended to meet the training requirements of the HIPAA Security Rule and applicable Third Party Agreements.

Agencies may create documentation that effectively supplants or replaces the EOHHS Information Security Training. Agencies may also create documentation that effectively supplements or adds to the EOHHS Information Security Training. Agencies are strongly encouraged to do so where the EOHHS Information Security Training has perceived deficiencies based on the quality or kind of data being handled by the Agency or based on legal compliance. Any supplanting or supplementary materials, whether or not identified as such, must be reviewed and approved by the Security Office prior to publication and dissemination to staff.
Source: Primary Care Accountable Care Organization Contract