Overview:
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Action Items:
3.2.1[a]
Determine if: security risks associated with organizational activities involving CUI are identified.
3.2.1[b]
Determine if: policies, standards, and procedures related to the security of the system are identified.
3.2.1[c]
Determine if: managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.
3.2.1[d]
Determine if: managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan; training records; other relevant documents or records].
2
Interview: Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community; personnel with responsibilities for role-based awareness training].
3
Test: Mechanisms managing security awareness training; mechanisms managing role-based security training].
Related Documents (document name and content will vary by organization):
1) Security awareness and training policy
2) procedures addressing security awareness training implementation
3) relevant codes of federal regulations
4) security awareness training curriculum
5) security awareness training materials
6) system security plan
7) training records
8) other relevant documents or records
Additional Guidance:
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, formal training, offering supplies inscribed with security reminders, generating email advisories or notices from organizational officials, displaying logon screen messages, displaying posters, and conducting information security awareness events. NIST Special Publication 800-50 provides guidance on security awareness and training programs.
Article ID: 128
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-security-awareness-training-3-2-1-128.html