Navigate

CCI-000112

CCI-000112 Definition

Provide basic security awareness training to system users (including managers, senior executives, and contractors) when required by system changes or following organization-defined events.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following [AT-02_ODP[03]; events that require security literacy training for system users are defined]. - privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following [AT-02_ODP[04]; events that require privacy literacy training for system users are defined].

Validation Procedures

Examine: [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; appropriate codes of federal regulations; security and privacy literacy training curriculum; security and privacy literacy training materials; training records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for literacy training and awareness; organizational personnel with information security and privacy responsibilities; organizational personnel comprising the general system user community]. Test: [SELECT FROM: Mechanisms managing information security and privacy literacy training].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000112.

Control	Description
AT-2	a: Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1: As part of initial training for new users and [one of ] thereafter; and 2: When required by system changes or following [one of ]; b: Employ the following techniques to increase the security and privacy awareness of system users [techniques to be employed to increase the security and privacy awareness of system users are defined;]; c: Update literacy training and awareness content [the frequency at which to update literacy training and awareness content is defined;] and following [events that would require literacy training and awareness content to be updated are defined;] ; and d: Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

Control

Description

AT-2

a: Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
- 1: As part of initial training for new users and [one of ] thereafter; and
- 2: When required by system changes or following [one of ];

b: Employ the following techniques to increase the security and privacy awareness of system users [techniques to be employed to increase the security and privacy awareness of system users are defined;];

c: Update literacy training and awareness content [the frequency at which to update literacy training and awareness content is defined;] and following [events that would require literacy training and awareness content to be updated are defined;] ; and

d: Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.