Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
AT-1 |
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES |
|||
|
assessment objective: Determine if the organization: |
|||
at-1(a)(1) |
at-1(a)(1)[1] |
develops and documents an security awareness and training policy that addresses: |
||
at-1(a)(1)[1][a] |
purpose; |
|||
at-1(a)(1)[1][b] |
scope; |
|||
at-1(a)(1)[1][c] |
roles; |
|||
at-1(a)(1)[1][d] |
responsibilities; |
|||
at-1(a)(1)[1][e] |
management commitment; |
|||
at-1(a)(1)[1][f] |
coordination among organizational entities; |
|||
at-1(a)(1)[1][g] |
compliance; |
|||
at-1(a)(1)[2] |
defines personnel or roles to whom the security awareness and training policy are to be disseminated; |
|||
at-1(a)(1)[3] |
disseminates the security awareness and training policy to organization-defined personnel or roles; |
|||
at-1(a)(2) |
at-1(a)(2)[1] |
develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls; |
||
at-1(a)(2)[2] |
defines personnel or roles to whom the procedures are to be disseminated; |
|||
at-1(a)(2)[3] |
disseminates the procedures to organization-defined personnel or roles; |
|||
at-1(b)(1) |
at-1(b)(1)[1] |
defines the frequency to review and update the current security awareness and training policy; |
||
at-1(b)(1)[2] |
reviews and updates the current security awareness and training policy with the organization-defined frequency; |
|||
at-1(b)(2) |
at-1(b)(2)[1] |
defines the frequency to review and update the current security awareness and training procedures; and |
||
at-1(b)(2)[2] |
reviews and updates the current security awareness and training procedures with the organization-defined frequency. |
|||
potential assessment methods and objects: Examine: [select from: Security awareness and training policy and procedures; other relevant documents or records]. Interview: [select from: Organizational personnel with security awareness and training responsibilities; organizational personnel with information security responsibilities]. |