Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
AT-4 |
SECURITY TRAINING RECORDS |
|||
|
assessment objective: Determine if the organization: |
|||
at-4(a) |
at-4(a)[1] |
documents individual information system security training activities including: |
||
at-4(a)[1][a] |
basic security awareness training; |
|||
at-4(a)[1][b] |
specific role-based information system security training; |
|||
at-4(a)[2] |
monitors individual information system security training activities including: |
|||
at-4(a)[2][a] |
basic security awareness training; |
|||
at-4(a)[2][b] |
specific role-based information system security training; |
|||
at-4(b) |
at-4(b)[1] |
defines a time period to retain individual training records; and |
||
at-4(b)[2] |
retains individual training records for the organization-defined time period. |
|||
potential assessment methods and objects: Examine: [select from: Security awareness and training policy; procedures addressing security training records; security awareness and training records; security plan; other relevant documents or records]. Interview: [select from: Organizational personnel with security training record retention responsibilities]. Test: [select from: Automated mechanisms supporting management of security training records]. |