Security Awareness and Training Policy and Procedures
Medium Priority
Intermediate Level
NIST CSF
The organization develops, documents, and disseminates security awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Implementation Guidance
Develop comprehensive security awareness and training programs that cover all personnel. Include role-specific training for different job functions.
Best Practices
Implement annual security awareness training, provide role-specific training for each job function, conduct phishing simulations, and maintain training completion records for all personnel.
Testing Procedures
Review training materials for coverage and currency, verify training completion records against the personnel roster, and test awareness through phishing simulations.
Related Guidelines
AT-2, AT-3, AT-4, AT-5