6-5.3 Training Requirements

Exhibit 6-5.3: Training Requirements

Training Type

Requirement(s)

Annual Training

Based on requirements defined by the CISO at the beginning of the fiscal year (see the Information Security Training Matrix on the CISO Website), all personnel with an ACE ID or access to the Postal Service intranet must participate in information security training and data protection requirement training annually. Information security training is recommended for all other non-bargaining personnel.

Information Resource Operational Security Training

All personnel with access to the Postal Service network must be trained to handle and report information security breaches and incidents.

All PCI developers and administrators must complete formal training [1] in general secure coding techniques and [2] in developing secure code in the programming language(s) they use, and [3] must maintain evidence of successful completion.

For information resources processing sensitive-enhanced, sensitive, or critical information, operational security training must be developed and conducted that is appropriate for job responsibilities and role-based activities.

The training should explain how to protect information throughout its life cycle and report incidents.

All C&A stakeholders, including Business Relationship Management portfolio managers, Solution Development Teams, and their staff, must complete annual training on the Certification and Accreditation (C&A) process.

New Personnel Training

All new personnel must receive information security training and be issued a copy of Handbook AS-805-C, Information Security for General Users.