NIST 800-171 - Role-Based Security Training (3.2.2)
Overview:
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Action Items:
3.2.2[a] Determine if: information security-related duties, roles, and responsibilities are defined.
3.2.2[b] Determine if: information security-related duties, roles, and responsibilities are assigned to designated personnel.
3.2.2[c] Determine if: personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
Potential Assessment Methods and Objects:
1) Examine: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; system security plan; training records; other relevant documents or records.
2) Interview: Personnel with responsibilities for role-based security training; personnel with assigned system security roles and responsibilities; personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel representing the general system user community.
3) Test: Mechanisms managing role-based security training; mechanisms managing security awareness training.
Related Documents (document name and content will vary by organization):
1) Security awareness and training policy
2) Procedures addressing security training implementation
3) Codes of federal regulations
4) Security training curriculum
5) Security training materials
6) System security plan
7) Training records
8) Other relevant documents or records
Additional Guidance:
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, system or network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards. Such training can include, for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. NIST Special Publication 800-181 provides guidance on role-based information security training in the workplace.