3.2.1 has a weight of -5 points

(Awareness and Training Family) 1/3

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Example of System Security Plan (SSP):

System Security Plan (SSP) for Control 03.02.01 

1. Control Identifier:
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems 

2. Objective:
Our company has implemented a training system to ensure that our personnel are consistently informed about the security risks associated with their roles, emphasizing the importance of understanding potential threats and vulnerabilities.

3. Target Group:

  • Managers
  • Systems Administrators
  • Users of Organizational Systems (ranging from leadership to everyday users)

4. Purpose:
We aim to solidify our security posture. By ensuring our staff knows what’s at stake and the correct protocols, we minimize potential threats stemming from unawareness or misinformed actions.

5. Current Implementation:

a) Training Program:
Our employees, from entry-level to C-level executives, undergo Security Level I training annually. Our program covers:

  • Cybersecurity awareness
  • Insider threat nuances
  • Counterintelligence dynamics
  • Export compliance protocols
  • Proper marking of classified information
  • The intricacies of derivative classification

b) Content Calibration:
We’ve tailored our training content and frequency to our specific organizational needs and the systems our personnel access. Core subjects cover:

  • Grasping the significance of information security.
  • User actions to uphold security standards.
  • Proper reactions to suspected security breaches.
  • Recognizing the necessity of operational security.

c) Security Awareness Techniques:
To maintain and enhance our staff’s security consciousness, we employ:

  • Scheduled training sessions.
  • Stationery and supplies bearing security reminders.
  • Regular email advisories and notices from senior officials.
  • Security-centric logon screen messages.
  • Strategically placed security reminders throughout our facilities.

6. Measurement & Compliance:
Our evaluation teams carry out post-training checks to measure training effectiveness. Employee understanding and retention are assessed periodically. We also maintain a detailed record of all training interventions, participant details, and performance metrics for internal audits.

7. Periodic Review:
Our teams review this control annually, updating based on new threat intelligence, technological shifts, and feedback loops from employees.

8. Role-based Responsibilities:

  • Our IT department oversees technical components, including logon reminders.
  • Human Resources leads the coordination and documentation of training.
  • All managers ensure their respective teams understand and follow our security norms.


Example of Plan of Action and Milestones (POA&M):

Plan of Action & Milestones (POA&M) for Control 03.02.01

1. Control Identifier:
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and the related policies, standards, and procedures.

2. Identified Gaps:
a) Periodic re-assessment of training materials for up-to-date relevance.
b) Continuous improvement in training delivery methods to enhance engagement.
c) Need for more robust methods to measure the effectiveness of training and awareness techniques.

3. Plan of Action:

a) Review and Update of Training Content:

  • Task: Annually review and update the content of Security Level I training.
  • Responsible Party: Human Resources in collaboration with the IT department.
  • Completion Date: Annually, one month before the scheduled training sessions.

b) Enhancement of Training Delivery:

  • Task: Incorporate interactive and multimedia content in training programs to increase engagement.
  • Responsible Party: Human Resources.
  • Completion Date: Six months from now.

c) Improve Measurement Metrics:

  • Task: Implement advanced metrics to gauge training effectiveness, such as post-training quizzes, simulations, and periodic drills.
  • Responsible Party: Human Resources and Evaluation teams.
  • Completion Date: Eight months from now.

d) Increase Frequency of Security Awareness Techniques:

  • Task: Introduce bi-monthly email advisories and notices, along with quarterly refresher webinars.
  • Responsible Party: IT department and senior officials.
  • Completion Date: Starting next month and ongoing.

e) Expand Role-Based Training:

  • Task: Develop specialized training modules for different roles, ensuring they’re tailored to the specific needs and potential threats associated with each role.
  • Responsible Party: Human Resources in coordination with respective department heads.
  • Completion Date: Ten months from now.

4. Monitoring and Status Update:
Quarterly reviews will be conducted to assess the progress of the action items. Each review will result in an updated status for each task, identifying any challenges or roadblocks and proposing solutions.

5. Funding Requirements:
A budget will be allocated for the enhancement of training materials, introduction of new training techniques, and additional tools required for measurement.

6. Risks if not Addressed:
Failure to implement these improvements might lead to:

  • Employees not being adequately aware of evolving security threats.
  • Inefficient responses to security breaches.
  • Potential vulnerabilities due to outdated or insufficient training.


RELEVANT INFORMATION:

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.