System Security Plan (ssp) Categorization: Moderate-Low-Low


Awareness and Training (AT)




10.4 Awareness and Training (AT)

10.4.1 AT-1 – Security Awareness & Training Policy and Procedures


Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.

Recommended Continuous Monitoring Frequency: Annual


Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)

Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)

The organization:


  1. Develops, documents, and disseminates to all personnel

    1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

  2. Reviews and updates the current:

    1. Security awareness and training policy every 5 years; and

    2. Security awareness and training procedures at least annually.

Click here to enter text.





CONTINUOUS MONITORING STRATEGY

Click here to enter text.



10.4.2 AT-2 – Security Awareness (+ Classified)


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Annual


Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)

Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)

The organization shall provide basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and at least annually thereafter.

Security awareness training will be conducted:

  (a) During in-processing;

  (b) Upon receipt of a USERID and password. Site-specific information will be briefed based on the mission and requirements of the job, and the Privileged User, ISSM, or their alternate will brief the user on his/her IA responsibilities;

  (c) As Awareness Refresher Training. Classroom instruction, briefings, computer-based training, or seminars will be used and documented to ensure all users comply with IA training requirements;

  (d) Periodically through staff meetings, online delivery systems, or similar venues, documented in accordance with Security Training Records [AT-4]; and

  (e) As required, due to policy or regulatory violations. See also [IR-4].


Click here to enter text.





CONTINUOUS MONITORING STRATEGY

Click here to enter text.


10.4.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual


Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned


Organizational Tailoring:


☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)

Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. These can include behaviors such as job dissatisfaction, unexplained financial resources, consistent violations of organizational policies, etc. Carnegie Mellon Software Engineering Institute has been conducting research on insider threat indicators for several years. Additional information on insider threat indicators can be found at: http://www.cert.org/insider-threat/.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.4.3 AT-3 – Role-Based Security Training



Recommended Continuous Monitoring Frequency: Annual


Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned


Organizational Tailoring:


☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)

Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

  • Before authorizing access to the information system or performing assigned duties, as part of initial training for new users;

  • When required by information system changes; and

  • At least annually thereafter.

All users shall receive initial and at least annual General User training, while users assigned to positions requiring privileged access shall receive, in addition, Privileged User training.

See the DAA PM for specific content requirements for General and Privileged User Training, as well as the minimum requirements for Assured File Transfer (AFT)/Trusted Download Training.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.4.3.1 AT-3(2) – Security Training: Physical Security Controls


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



As appropriate, the organization provides ISSOs with initial and annual training in the employment and operation of physical security mechanisms, and with additional training when sufficient changes are made to physical security systems. This control supports insider threat mitigation.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.4.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization provides training to its personnel on recognizing indicators of suspicious communications and/or anomalous system behavior (e.g., receiving a suspicious email or an unexpected web communication).

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.4.4 AT-4 – Security Training Records





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



Training records shall contain, at a minimum, the following elements:

  • User name

  • Name of training

  • Date of training (initial and refresher)

  • Type of training (classroom, one-on-one, online CBT, briefing, etc.)

Initial training records must contain legal signatures, or FIPS 140-2-compliant digital signatures, of users who received the training. Refresher training may be documented through user-initialed attendance rosters, e-mail acknowledgments, USERIDs captured through online content delivery systems, or other similar user acknowledgments. In addition, organizations shall maintain training records.

The organization:

  1. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training.

Click here to enter text.

  2. Retains individual training records for at least five (5) years.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.4.5 AT-5 – Contacts with Security Groups and Associations – WITHDRAWN (Incorporated into PM-5)




