Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Awareness and training
Appendix 1.2 Awareness and training
AT-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update security training policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security training but also to address how it will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publication 800-12, Rev. 1, pages 59–60
- NIST Special Publication 800-50
- NIST Special Publication 800-100, pages 26–34
- LIMSpec 7.1, 7.2
AT-2 Literacy training and awareness
This control recommends the organization provide the necessary basic security awareness training as part of initial training, and again as follow-up training when the system changes or at a specific mandated frequency. This broadly applies to all information system users and includes the use of training material, informational posters, security reminders and notices, system messages, and awareness events towards meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."
Additional resources:
AT-3 Role-based training
This control recommends the organization provide the necessary role-specific security and privacy training to personnel with specific assigned security roles and responsibilities. The training should occur before authorization to access the system is provided, as well as when the system changes or at a specific mandated frequency. This includes the use of training material, policy and procedure documents, role-based security tools, manuals, and other materials towards meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."
Additional resources:
AT-4 Training records
This control recommends the organization document and monitor basic and role-specific security training activities and retain that information for a designated period of time. Note that record retention requirements may vary based on regulations and standards that affect the organization and its operations.
Additional resources:
- LIMSpec 8.1, 8.5, and 31.4