AT-01-727 Security Awareness and Training Policy and Procedures

Security Awareness and Training Policy and Procedures

Control ID

AT-01-727

Control Name

Security Awareness and Training Policy and Procedures

Control Category

Awareness and Training

Functional Areas

Identify, Protect

Sub-Areas

Enterprise Security Policy, Standards and Guidelines, Security Awareness and Training

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

All users of Agency-owned information resources shall undergo Texas A&M University System ("TAMUS") approved information security awareness training at a schedule established by TAMUS.

The chief information security officer shall prescribe any additional required training for users with access to confidential, sensitive, or mission-critical information resources, and users with privileged access to information resources.

Risk Statement

Applications and technology solutions are not effectively and efficiently used since a training curriculum for employees has not been established or regularly updated.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].

Control Example

The organization has written and documented policy and procedure supporting a training and awareness program.

State Implementation

State organizations shall establish the requirements to ensure each user of information resources receives adequate training on computer security issues.

Testing Procedures

Obtain security awareness and training policy and procedures; other relevant documents or records and ascertain if: I)the organization develops and documents security awareness and training policy and procedures. (ii)the organization disseminates security awareness and training policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review security awareness and training policy and procedures. (iv)the organization updates security awareness and training policy and procedures when organizational review indicates updates are required. (v)the security awareness and training policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (vi)the security awareness and training policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vii)the security awareness and training procedures address all areas identified in the security awareness and training policy and address achieving policy-compliant implementations of all associated security awareness and training controls.