Why do I need Information Security and PCI training?

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources. This training facilitates the City’s due care and diligence to meet several regulatory requirements and honor our custodial information security responsibilities.

I don’t use computers, why do I need to take this training?

Our number one defense against information theft and loss is you! Everyone is responsible for knowing and following our organization’s security policies and procedures.

When do I need to complete my training?

This module meets two requirements for the City, so there are two answers to this question:

1. If you process payment cards, then you must complete the training by 9/15/2018.
2. All other people must complete the training within the fiscal year, which ends on June 30^th each year.

How long will the training take?

The training is self-paced and can be completed within 40 minutes.

How do I take the training module?

The primary and preferred method is to use new CityLearner.

If you do not have access to CityLearner (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

I don’t have CityLearner access, how do I take the training?

If you do not have access to CityLearner (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

I don’t have access to a computer, how do I take the training?

If you do not have access to a computer (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

How does General Awareness help me in my job?

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources.

What is PCI?

PCI stands for Payment Card Industry – Data Security Standard (PCI-DSS). All organizations that take payment with some form of credit card are required to have computer general awareness training.

Why combine general awareness and PCI into one training?

The PCI requirement for training is to have a General Security Awareness module. Since the goals of both PCI and our awareness effort are aligned, the training meets both requirements and is a good fit to produce only one training to rule them all. 

I don’t take payment cards (PCI), do I need to take the training?

Yes. General information Security Awareness is part of every job. 

“The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services – and the preservation of City information resources…” -Serilda Summers-McGee

For more information please reference:

1. BHR Admin Rule 4.08 ß make this a link – newly simplified in 2018.
2. https://www.portlandoregon.gov/citycode/article/12209

I already have PCI training in my Bureau, do I need to take this training as well?

Yes. Employees in a bureau which has its own PCI training will continue with their bureau-specific PCI training for 2018 and will also have to complete the General Awareness + PCI training module by June 2019.

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources. This training replaces the “Payment Card Industry (PCI) Security Standards” training for PCI-related roles and facilitates the City’s due care and diligence to meet several regulatory requirements while honoring our custodial information security responsibilities. 

The "General Awareness 2018 + PCI” training is now available through CityLearner. Employees with Payment Card Industry (PCI) roles must complete this training by September 15, 2018—in time to meet the City’s 2018 PCI compliance training requirement. Employees who do not have PCI-related roles must complete this annual training by June 30, 2019. Note, Parks and Recreation employees will continue with bureau-specific PCI training for 2018 and will complete General Awareness by the June 2019 deadline.

This CityLearner training takes about 40 minutes to complete, including a short quiz. Exemptions from this mandatory training can be negotiated through the BHR standard review process.

The City of Portland honors the trust extended to us by our communities and employees to preserve and protect the sensitive information we collect, store, and share. Through information security awareness training the City can ensure shared understanding of and compliance with applicable laws, reduce potential information risks and liability, and reinforce appropriate employee behavior when handling sensitive City information.

For more answers, see the FAQ.

With the current environment on the Internet today, the most dangerous things we do online is read our email and connect to websites.

Why is email and web surfing dangerous?

 - Because we are trusting arbitrary sites that we may know nothing about.

Now some of the sites we go to are known to us, however we often search for a subject and may connect to an unknown site. For email, these messages often come from unknown senders. In both web and email, the content may contain malware or try and trick us to provide sensitive information.

The City of Portland Bureau of Technology Services (BTS) has solutions to protect worker's computers and web filtering is one of those solutions. We are actively increasing functionality to ensure we protect from the latest issues and attacks. Due to our continued adjustment, you may experience issues with some websites and browsers.

Known issues:

• Firefox and other non-supported browsers need a configuration change. Here are instructions for Firefox: <firefox link>
• Other software that uses the web may experience problems. These are most commonly programming interfaces that have internal web trust configurations. These configurations need to include the City devices. The Firefox browser fix above must be applied to these software programs. We do not have specific language for each software program, however the concept is the same: Import the City's certificate to the software's certificate trust as an authorized root.

On January 3rd, many of our vendors, including Microsoft began talking about issues in the core hardware inside our computers, called the CPU. The issue involves many shortcuts built into the hardware, making our computers faster. These shortcuts allow malicious software to steal any information from our computers. These shortcuts exist in any CPU built within the last 10 years by Intel, AMD, and ARM. Our mobile devices use ARM processors, while our desktop computers use Intel or AMD CPUs. 

The issues were found many months ago and due to the complexity and wide exposure, the affected hardware vendors worked with operating system organizations like Microsoft to write new operating system software (patches) to address these vulnerabilities before letting the community know of the issues. The patches are now available and come with negative performance impacts, slowing our computers down. The slowdown comes from not using the shortcuts that previously provided us faster processing.

BTS is evaluating the impact of these patches to understand the risk and apply patches as quickly as possible.