AT-01-727 Security Awareness and Training Policy and Procedures
Awareness and Training
Identify, Protect
Enterprise Security Policy, Standards and Guidelines, Security Awareness and Training
LOW, MOD, HIGH
P1
Yes
May 20, 2016
All users of Agency-owned information resources shall undergo Texas A&M University System ("TAMUS") approved information security awareness training at a schedule established by TAMUS.
The chief information security officer shall prescribe any additional required training for users with access to confidential, sensitive, or mission-critical information resources, and users with privileged access to information resources.
Applications and technology solutions are not effectively and efficiently used since a training curriculum for employees has not been established or regularly updated.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
The organization has written and documented policy and procedure supporting a training and awareness program.
State organizations shall establish the requirements to ensure each user of information resources receives adequate training on computer security issues.
Obtain security awareness and training policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents security awareness and training policy and procedures.
(ii) the organization disseminates security awareness and training policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review security awareness and training policy and procedures.
(iv) the organization updates security awareness and training policy and procedures when organizational review indicates updates are required.
(v) the security awareness and training policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the security awareness and training policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the security awareness and training procedures address all areas identified in the security awareness and training policy and address achieving policy-compliant implementations of all associated security awareness and training controls.