Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.2 Awareness and training"
Revisions by Shawndouglas (talk | contribs); edit summary of the latest revision: "Updated for 2023."
Latest revision as of 15:51, 21 March 2023
Appendix 1.2 Awareness and training
AT-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update security training policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security training but also to address how it will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publication 800-12, Rev. 1, pages 59–60
- NIST Special Publication 800-50
- NIST Special Publication 800-100, pages 26–34
- LIMSpec 7.1, 7.2
AT-2 Literacy training and awareness
This control recommends the organization provide basic security and privacy literacy training to all system users: as part of initial training for new users, again at an organization-defined frequency thereafter, and whenever system changes or other organization-defined events require it. Because it applies to every user of the system, not only to personnel with security roles, it can be met with a mix of training material, informational posters, security reminders and notices, system messages, and awareness events. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."
Additional resources:
- NIST Special Publication 800-50
- LIMSpec 8.3, 8.4, 8.5, and 8.7
AT-3 Role-based training
This control recommends the organization provide role-specific security and privacy training to personnel with assigned security roles and responsibilities. The training should occur before those personnel are authorized to access the system or to perform their assigned duties, and again when the system changes or at an organization-defined frequency. Training material, policy and procedure documents, role-based security tools, manuals, and other materials all count towards meeting the requirements of this control. Ideally, the training efforts will also be updated periodically and incorporate internal and external "lessons learned."
Additional resources:
- NIST Special Publication 800-16
- NIST Special Publication 800-50
- LIMSpec 8.3, 8.4, 8.5, and 8.7
AT-4 Training records
This control recommends the organization document and monitor basic and role-specific security training activities and retain that information for a designated period of time. Note that record retention requirements may vary based on regulations and standards that affect the organization and its operations.
Additional resources:
- LIMSpec 8.1, 8.5, and 31.4
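As an added example (not part of the original appendix, NIST SP 800-53, or LIMSpec), the following Python script shows how the AT-2, AT-3 and AT-4 requirements above can be checked mechanically against a training-record store: literacy training present and within its refresh period for every user, role-based training completed before access was granted and also within its refresh period, and records past the retention period identified for disposal without discarding the record that currently evidences compliance. The course identifiers, role names, annual refresh frequency and three-year retention period are assumptions standing in for the organization-defined values the controls leave open, and the roster and records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Organization-defined parameters. AT-2/AT-3 leave the refresh frequency and
# AT-4 the retention period to the organization; the values below are assumptions.
LITERACY_COURSE = "AT2-LITERACY"           # hypothetical course identifier
REFRESH = timedelta(days=365)               # assumed annual refresh for AT-2 and AT-3
RETENTION = timedelta(days=3 * 365)         # assumed retention period for AT-4 records
# Role -> required role-based course (AT-3). Hypothetical role and course names;
# a role mapped to None has no role-based requirement beyond literacy training.
ROLE_COURSES = {"lims_admin": "AT3-LIMS-ADMIN", "sysadmin": "AT3-SYSADMIN", "analyst": None}


@dataclass(frozen=True)
class TrainingRecord:
    user: str
    course: str
    completed: date


@dataclass(frozen=True)
class User:
    name: str
    role: str
    access_granted: Optional[date]   # None: not yet authorized to access the system


def latest_record(records, user, course):
    """Most recent completion of `course` by `user`, or None if never completed."""
    matches = [r for r in records if r.user == user and r.course == course]
    return max(matches, key=lambda r: r.completed) if matches else None


def access_findings(user, records, today):
    """Findings that should block or revoke access under AT-2/AT-3; empty list = compliant."""
    findings = []
    lit = latest_record(records, user.name, LITERACY_COURSE)
    if lit is None:
        findings.append("missing literacy training")
    elif today - lit.completed > REFRESH:
        findings.append("literacy training expired")
    course = ROLE_COURSES.get(user.role)
    if course is not None:
        rec = latest_record(records, user.name, course)
        if rec is None:
            findings.append(f"missing role-based training {course}")
        else:
            # AT-3: role-based training must precede authorization to access the system
            if user.access_granted is not None and rec.completed > user.access_granted:
                findings.append(f"role-based training {course} completed after access was granted")
            if today - rec.completed > REFRESH:
                findings.append(f"role-based training {course} expired")
    return findings


def audit(users, records, today):
    """Map each user to their findings (AT-4 monitoring of AT-2/AT-3 status)."""
    return {u.name: access_findings(u, records, today) for u in users}


def disposal_candidates(records, today):
    """Records older than RETENTION, excluding the latest record per (user, course)
    so the evidence of current compliance is never discarded."""
    return [r for r in records
            if today - r.completed > RETENTION
            and latest_record(records, r.user, r.course) != r]


# Constructed sample roster and records (not real data).
SAMPLE_USERS = [
    User("alice", "lims_admin", date(2023, 3, 1)),
    User("bob", "sysadmin", date(2022, 1, 10)),
    User("carol", "analyst", None),
]
SAMPLE_RECORDS = [
    TrainingRecord("alice", LITERACY_COURSE, date(2023, 2, 15)),
    TrainingRecord("alice", "AT3-LIMS-ADMIN", date(2023, 2, 20)),
    TrainingRecord("bob", LITERACY_COURSE, date(2019, 6, 1)),
    TrainingRecord("bob", LITERACY_COURSE, date(2022, 1, 5)),
    TrainingRecord("bob", "AT3-SYSADMIN", date(2023, 4, 1)),
]
TODAY = date(2023, 6, 1)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS, SAMPLE_RECORDS, TODAY).items():
        print(name, "OK" if not findings else findings)
    for rec in disposal_candidates(SAMPLE_RECORDS, TODAY):
        print("eligible for disposal:", rec)
```

On the sample data, alice is compliant, bob is flagged for expired literacy training and for role-based training completed after his access was granted, and carol is flagged for missing literacy training; only bob's superseded 2019 literacy record is eligible for disposal. In practice the `access_findings` result would gate account provisioning and feed periodic access reviews, and the disposal list would be reconciled against any longer retention period imposed by regulations that apply to the laboratory.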