Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Awareness and training


Appendix 1.2 Awareness and training

AT-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update its security training policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of security training, but also to address how the policy and procedures will be implemented, reviewed, and updated.


AT-2 Literacy training and awareness

This control recommends the organization provide basic security awareness training as part of initial training for new users, as well as follow-up training when the system changes or at a specific mandated frequency. This applies broadly to all information system users and includes the use of training material, informational posters, security reminders and notices, system messages, and awareness events toward meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."


AT-3 Role-based training

This control recommends the organization provide role-specific security and privacy training to personnel with assigned security roles and responsibilities. The training should occur before authorization to access the system is granted, as well as when the system changes or at a specific mandated frequency. This includes the use of training material, policy and procedure documents, role-based security tools, manuals, and other materials toward meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."


AT-4 Training records

This control recommends the organization document and monitor basic and role-specific security training activities and retain those records for a designated period of time. Note that record retention requirements may vary based on the regulations and standards that apply to the organization and its operations.
