NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
AWARENESS AND TRAINING
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-1
|
Security Awareness and Training Policy and Procedures
|
P1
|
LOW AT-1
|
MOD AT-1
|
HIGH AT-1
|
| ASSESSMENT PROCEDURE
|
| AT-1 |
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
|
| AT-1.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents security awareness and training policy;
- (ii) the organization security awareness and training policy addresses:
- (iii) the organization disseminates formal documented security awareness and training policy to elements within the organization having associated security awareness and training roles and responsibilities;
- (iv) the organization develops and formally documents security awareness and training procedures;
- (v) the organization security awareness and training procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls; and
- (vi) the organization disseminates formal documented security awareness and training procedures to elements within the organization having associated security awareness and training roles and responsibilities.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].
|
| AT-1.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of security awareness and training policy reviews/updates;
- (ii) the organization reviews/updates security awareness and training policy in accordance with organization-defined frequency;
- (iii) the organization defines the frequency of security awareness and training procedure reviews/updates; and
- (iv) the organization reviews/updates security awareness and training procedures in accordance with organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].
|
AT-2 SECURITY AWARENESS
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-2
|
Security Awareness
|
P1
|
LOW AT-2
|
MOD AT-2
|
HIGH AT-2
|
| ASSESSMENT PROCEDURE
|
| AT-2 |
SECURITY AWARENESS
|
| AT-2.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users and when required by system changes;
- (ii) the organization defines the frequency of refresher security awareness training;
- (iii) the organization provides refresher security awareness training in accordance with the organization-defined frequency;
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel comprising the general information system user community].
|
| AT-2(1) |
SECURITY AWARENESS
|
| AT-2(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization includes practical exercises in security awareness training that simulate actual cyber attacks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel that participate in security awareness training].
|
AT-3 SECURITY TRAINING
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-3
|
Security Training
|
P1
|
LOW AT-3
|
MOD AT-3
|
HIGH AT-3
|
| ASSESSMENT PROCEDURE
|
| AT-3 |
SECURITY TRAINING
|
| AT-3.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides role-based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes;
- (ii) the organization defines the frequency of refresher role-based security-related training;
- (iii) the organization provides refresher role-based security-related training in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for role-based, security-related training; organizational personnel with significant information system security responsibilities].
|
| AT-3(1) |
SECURITY TRAINING
|
| AT-3(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides employees with initial training in the employment and operation of environment controls;
- (ii) the organization defines the frequency of refresher training in the employment and operation of environmental controls; and
- (iii) the organization provides refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organization personnel with security training responsibilities; organizational personnel with significant information system security responsibilities].
|
| AT-3(2) |
SECURITY TRAINING
|
| AT-3(2).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides employees with initial training in the employment and operation of physical security controls;
- (ii) the organization defines the frequency of refresher training in the employment and operation of physical security controls; and
- (iii) the organization provides refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security training responsibilities; organizational personnel with significant information system security responsibilities].
|
AT-4 SECURITY TRAINING RECORDS
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-4
|
Security Training Records
|
P3
|
LOW AT-4
|
MOD AT-4
|
HIGH AT-4
|
| ASSESSMENT PROCEDURE
|
| AT-4 |
SECURITY TRAINING RECORDS
|
| AT-4.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training;
- (ii) the organization defines the time period for retaining individual training records; and
- (iii) the organization retains individual training records in accordance with the organization-defined time period.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training records; security awareness and training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security training record retention responsibilities].
|
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATION
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-5
|
Contacts with Security Groups and Associations
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| AT-5 |
CONTACTS WITH SECURITY GROUPS AND ASSOCIATION
|
| AT-5.1 |
ASSESSMENT OBJECTIVE:
Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community:
- to facilitate ongoing security education and training for organizational personnel;
- to stay up to date with the latest recommended security practices, techniques, and technologies; and
- to share current security-related information including threats, vulnerabilities, and incidents.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing contacts with security groups and associations; list of organization-defined key contacts to obtain ongoing information system security knowledge, expertise, and general information; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security responsibilities (e.g., individuals that have contacts with selected groups and associations within the security community)].
|
Source
