NIST 800-171 | AWARENESS AND TRAINING

Training beyond just your average users is part of the training & awareness family of requirements.

Duty & role-specific training is often missing from training & awareness program. Specialized training is required for administrators such as proper training on how to implement security features within Windows Server OS.

Awareness and Training

3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access.

The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents.

The content also addresses awareness of the need for operations security.

Security awareness techniques can include:

• Formal training

• Offering supplies inscribed with security reminders

• Generating email advisories or notices from organizational officials

• Displaying logon screen messages

• Displaying posters

• Conducting information security awareness events.

NIST Special Publication 800-50 provides guidance on security awareness and training programs.

3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards.

Such training can include, for example, policies, procedures, tools, and artifacts for the organizational security roles defined.

Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.

NIST Special Publication 800-181 provides guidance on role-based information security training in the workplace.

3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Potential indicators and possible precursors of insider threat include behaviors such as:

• Inordinate

• Long-term job dissatisfaction

• Attempts to gain access to information that is not required for job performance

• Unexplained access to financial resources

• Bullying or sexual harassment of fellow employees

• Workplace violence

• Other serious violations of organizational policies, procedures, directives, rules, or practices.

Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

For further Information and Demo, please contact us: