Navigate

CCI-004289

CCI-004289 Definition

Defines the frequency individuals are required to read and re-acknowledge the rules of behavior whenever the rules are revised or updated.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge [PL-04_ODP[02]; one or more of the following PARAMETER VALUES is/are selected: {[PL-04_ODP[03]; frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected)]; when the rules are revised or updated}].

Validation Procedures

Examine: [SELECT FROM: Security and privacy planning policy; procedures addressing rules of behavior for system users; rules of behavior; signed acknowledgements; records for rules of behavior reviews and updates; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel with responsibility for literacy training and awareness and role-based training; organizational personnel who are authorized users of the system and have signed and resigned rules of behavior; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior; mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004289.

Control	Description
PL-4	a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].

Control

Description

PL-4

a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and

d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].