Awareness and Training Controls (from NIST)
This list of awareness and training controls, with descriptions, is meant to tie each control to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
- Security awareness and training policy and procedures - The organization should have a computer training policy specifying who should be trained, subjects they should be trained about, and who is responsible. An example of a Computer Training Policy. (low)
- Security awareness - The organization should ensure that all users have basic computer security awareness. The organization will determine the level of training required based on the systems the user will access. This can be done through enforcement of a computer training policy. (low)
- Security training - Users are to receive training based on their roles in the organization. Users with a significant role dealing with system security should get more training in that area than users who do not deal with system security. (low)
- Security training records - The organization should keep records of who has taken what training. (low)