NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
AWARENESS AND TRAINING
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-1
|
Security Awareness and Training Policy and Procedures
|
P1
|
LOW AT-1
|
MOD AT-1
|
HIGH AT-1
|
| ASSESSMENT PROCEDURE
|
| AT-1 |
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
|
| AT-1.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents security awareness and training policy;
- (ii) the organization security awareness and training policy addresses:
- (iii) the organization disseminates formal documented security awareness and training policy to elements within the organization having associated security awareness and training roles and responsibilities;
- (iv) the organization develops and formally documents security awareness and training procedures;
- (v) the organization security awareness and training procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls; and
- (vi) the organization disseminates formal documented security awareness and training procedures to elements within the organization having associated security awareness and training roles and responsibilities.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].
|
| AT-1.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of security awareness and training policy reviews/updates;
- (ii) the organization reviews/updates security awareness and training policy in accordance with organization-defined frequency;
- (iii) the organization defines the frequency of security awareness and training procedure reviews/updates; and
- (iv) the organization reviews/updates security awareness and training procedures in accordance with organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].
|
AT-2 SECURITY AWARENESS
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-2
|
Security Awareness
|
P1
|
LOW AT-2
|
MOD AT-2
|
HIGH AT-2
|
| ASSESSMENT PROCEDURE
|
| AT-2 |
SECURITY AWARENESS
|
| AT-2.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users and when required by system changes;
- (ii) the organization defines the frequency of refresher security awareness training;
- (iii) the organization provides refresher security awareness training in accordance with the organization-defined frequency;
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel comprising the general information system user community].
|
AT-3 SECURITY TRAINING
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-3
|
Security Training
|
P1
|
LOW AT-3
|
MOD AT-3
|
HIGH AT-3
|
| ASSESSMENT PROCEDURE
|
| AT-3 |
SECURITY TRAINING
|
| AT-3.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization provides role-based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes;
- (ii) the organization defines the frequency of refresher role-based security-related training;
- (iii) the organization provides refresher role-based security-related training in accordance with the organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for role-based, security-related training; organizational personnel with significant information system security responsibilities].
|
AT-4 SECURITY TRAINING RECORDS
| FAMILY: AWARENESS AND TRAINING
|
CLASS: OPERATIONAL
|
- Security Control Baseline:
| AT-4
|
Security Training Records
|
P3
|
LOW AT-4
|
MOD AT-4
|
HIGH AT-4
|
| ASSESSMENT PROCEDURE
|
| AT-4 |
SECURITY TRAINING RECORDS
|
| AT-4.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training;
- (ii) the organization defines the time period for retaining individual training records; and
- (iii) the organization retains individual training records in accordance with the organization-defined time period.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training records; security awareness and training records; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security training record retention responsibilities].
|
Source
