AUTHORITY: Implementing and authorized by Section 25 of the Data Security on State Computers Act [20 ILCS 450].

SOURCE: Adopted at 42 Ill. Reg. 22571, effective January 1, 2019.

SUBPART A: INTRODUCTION

 

Section 4000.100  Purpose

 

This Part implements the annual State of Illinois' employee cybersecurity training requirements set forth in Section 25 of the Data Security on State Computers Act [20 ILCS 450].

 

Section 4000.105  Definitions

 

Terms not defined in this Section shall have the same meaning as in the State Officials and Employees Ethics Act [5 ILCS 430]. The following definitions are applicable for purposes of this Part:

 

"Act" means the Data Security on State Computers Act [20 ILCS 450].

 

"Agency" or "DoIT" means the Department of Innovation and Technology. 

 

"Designated Contact" means the State employee appointed by an agency, board or commission to serve as the entity's cybersecurity-training liaison with DoIT and shall monitor and support that entity's compliance with the cybersecurity training requirements of this Part.

 

"Employee" means:

 

any person employed full-time, part-time, or pursuant to a contract and whose employment duties are subject to the direction and control of an employer with regard to the material details of how the work is to be performed;

 

any appointed or elected commissioner, trustee, director, or board member of a board of a State agency, including any retirement system or investment board subject to the Illinois Pension Code [40 ILCS 5]; or

 

any other appointee [5 ILCS 430/1-5];

 

but does not include an employee of the legislative branch, the judicial branch, a public university of the State, or a constitutional officer other than the Governor. (Section 25(a) of the Act).

SUBPART B: TRAINING REQUIREMENTS AND RESPONSIBILITIES

 

Section 4000.200  Training to be Provided by Department of Innovation and Technology

 

a)         Every employee shall annually undergo training by the Department of Innovation and Technology concerning cybersecurity.  (Section 25(b) of the Act).

 

b)         The training shall include, but not be limited to, detecting phishing scams, preventing spyware infections and identity theft, and preventing and responding to data breaches. (Section 25(b) of the Act).

 

c)         DoIT shall provide access to electronic-based, in-person, or paper-based cybersecurity training, with reasonable efforts made to provide training in the format requested to accommodate the needs of the employee and his or her employing agency.

 

1)         All employees are encouraged to complete cybersecurity training through electronic means.

 

2)         In-person training may include a web conference service component. 

 

d)         DoIT shall establish a minimum of two training periods per year. Tentative training dates will be provided by DoIT, via electronic mail, to each Designated Contact by January 15^th of each calendar year.

 

e)         DoIT shall confirm training dates at least 60 calendar days prior to the training to each Designated Contact.

 

Section 4000.205  Responsibility of Employees and Employer Agencies, Boards and Commissions

 

a)         Each agency, board and commission with an employee required to complete cybersecurity training shall designate an internal contact to monitor and track compliance with the cybersecurity training requirements. 

 

b)                  The agency, board or commission shall promptly notify DoIT of its selection, including contact information for that Designated Contact.  This information shall be submitted at security.training@illinois.gov.

 

c)         To facilitate delivery of training materials, each agency, board and commission with employees required to complete annual cybersecurity training shall maintain a list identifying each employee who is required to complete annual cybersecurity training. The Designated Contact shall notify DoIT of the number of employees in its agency required to complete cybersecurity training.

 

d)         Upkeep of the employee list referenced in subsection (a) is the sole responsibility of the employer agency, board or commission.  

 

1)         The Designated Contact shall provide to DoIT the employee list, as well as the email address of each employee, and any further information DoIT may request, no later than 30 calendar days prior to the training launch. DoIT's notice of the training will include what information the Designated Contact is required to provide.

 

2)         The Designated Contact shall be responsible for providing paper copies of the training materials to those employees within his or her agency who do not have State-issued computers.

 

3)         The Designated Contact shall annually provide to DoIT the list of those employees who have completed cybersecurity training.

 

e)                  Each agency, board and commission is responsible for responding to audit requests for information regarding completion of cybersecurity training within that specific agency, board or commission.

 

f)                   Each employee is responsible for ensuring that he or she is able to timely complete the mandatory cybersecurity training in person, online, or in paper form.  In the event that the training is not completed, disciplinary action may be enforced by the employee's supervising agency.