Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: AT-FAMILY: AWARENESS AND TRAINING

AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

AT-1	SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
	assessment objective: Determine if the organization:
	at-1(a)(1)	at-1(a)(1)[1]	develops and documents an security awareness and training policy that addresses:
			at-1(a)(1)[1][a]	purpose;
			at-1(a)(1)[1][b]	scope;
			at-1(a)(1)[1][c]	roles;
			at-1(a)(1)[1][d]	responsibilities;
			at-1(a)(1)[1][e]	management commitment;
			at-1(a)(1)[1][f]	coordination among organizational entities;
			at-1(a)(1)[1][g]	compliance;
		at-1(a)(1)[2]	defines personnel or roles to whom the security awareness and training policy are to be disseminated;
		at-1(a)(1)[3]	disseminates the security awareness and training policy to organization-defined personnel or roles;
	at-1(a)(2)	at-1(a)(2)[1]	develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;
		at-1(a)(2)[2]	defines personnel or roles to whom the procedures are to be disseminated;
		at-1(a)(2)[3]	disseminates the procedures to organization-defined personnel or roles;
	at-1(b)(1)	at-1(b)(1)[1]	defines the frequency to review and update the current security awareness and training policy;
		at-1(b)(1)[2]	reviews and updates the current security awareness and training policy with the organization-defined frequency;
	at-1(b)(2)	at-1(b)(2)[1]	defines the frequency to review and update the current security awareness and training procedures; and
		at-1(b)(2)[2]	reviews and updates the current security awareness and training procedures with the organization-defined frequency.
	potential assessment methods and objects: Examine: [select from: Security awareness and training policy and procedures; other relevant documents or records]. Interview: [select from: Organizational personnel with security awareness and training responsibilities; organizational personnel with information security responsibilities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056