AT-03-727 Role-Based Security Training

AT-03-727
Role-Based Security Training
Awareness and Training
Protect
Security Awareness and Training
LOW, MOD, HIGH
P1
Yes
August 17, 2016

The chief information security officer may prescribe additional role-based security training on an as-needed basis, based on factors such as information resource risk or scope of assigned duties.

Failure to conduct suitable and relevant security training, and to publish notifications to enhance awareness of organizational policies and procedures may expose the operational environment to potential security breach by employees, contractors and third
The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
Employees are trained in information security based on their role and job responsibilities.
State organizations shall provide role-based information security training to staff with information security responsibilities.
Obtain the security awareness and training policy; procedures addressing security training implementation; NIST Special Publication 800-50; codes of federal regulations; security training curriculum; security training materials; security plan; and other relevant documents or records, and ascertain whether:
(i) the organization identifies personnel with significant information system security responsibilities and roles and documents those roles and responsibilities;
(ii) the organization provides security training to personnel with identified information system security roles and responsibilities before authorizing access to the system or performing assigned duties and when required by system changes;
(iii) the security training materials address the procedures and activities necessary to fulfill the organization-defined roles and responsibilities for information system security;
(iv) the security training is consistent with applicable regulations and NIST Special Publication 800-50;
(v) the organization defines in the security plan, explicitly or by reference, the frequency of refresher security training;
(vi) the organization provides refresher security training in accordance with the organization-defined frequency, at least annually.