OVERVIEW

The purpose of the Awareness and Training Policy is to ensure that all employees and contractors are informed of security risks and receive the training needed to identify and mitigate the common issues that put organizations at risk.

SECURITY AWARENESS TRAINING (AT-2)

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

  • As part of initial training for new users
  • When required by information system changes
  • At least once per calendar year

An Employee Roster (AT001) shall be used to determine which staff require training.

See Information Security Training for additional details.

ROLE-BASED SECURITY TRAINING (AT-3)

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

  • Before authorizing access to the information system or performing assigned duties
  • When required by information system changes
  • At least once per calendar year

SECURITY TRAINING RECORDS (AT-4)

The organization documents and monitors individual information system security training activities, including basic Security Awareness Training (AT002) and Role-Based Information Security Training (AT003).

The organization retains training records for a minimum of 1 year.

AUDIT

  • Quarterly Management Review (MR001) includes assessment of AT002 and AT003 records against the Employee Roster (AT001).
  • Quarterly Management Review (MR001) includes review of the Employee Roster (AT001).
  • Annual Management Review (MR002) includes review of this policy.