3.2.2 has a weight of -5 points

(Awareness and Training Family) 2/3

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.


Example of System Security Plan (SSP):

Organizational System Security Plan (SSP) – Employee Security Training Protocols


Control 03.02.02

1. Introduction:
Safeguarding our organizational assets and data is not solely dependent on technological measures but also hinges on the preparedness and knowledge of our team. This document elaborates our systematic approach to employee security training.


2. Assessment & Policy Framework:

a. Organizational Needs Analysis: Before curating our training approach, we delved into understanding our organizational needs and the access levels of various personnel.

b. Documented Protocols: Our assessment led to the formulation of detailed policies and procedures which lay down the foundation for our security training program, including the techniques to be used.

c. Role-based Responsibilities: Every stakeholder in our organization, be it managers, system administrators, or general users, has a distinct role to play. Their respective responsibilities towards ensuring organizational security have been clearly defined.


3. Structured Training Sessions:

a. Content Diversity: Our formal training encompasses a range of topics, highlighting the importance of information security, identification of prevalent threats, adherence to security best practices, and the methodologies for incident response.

b. Tailored Training: No two roles in our organization are identical. Acknowledging this, we’ve ensured that the training content is fine-tuned according to the specific needs of different user groups and their respective system access privileges.


4. Ongoing Annual Mandatory Training:

  • Training Components: An annual training mandate exists for all employees, requiring them to undergo sessions on:
    • Cybersecurity awareness
    • Insider threat identification
    • Counterintelligence awareness
    • Export compliance
    • Marking of classified information
    • Derivative classification

5. Active Security Awareness Programs:

a. Phishing Defense: Our employees are continually trained to recognize and counteract phishing attempts, equipping them with the knowledge and tools needed to thwart such threats effectively.

b. DoD Mandatory Training: All employees that deal with classified data must complete the Department of Defense (DoD) cybersecurity training, ensuring that we consistently meet the high security standards set by the DoD.


6. System Administrators’ Continuous Learning:

a. Vendor-Driven Training: To ensure our system security remains top-notch, administrators and their backups are encouraged to participate regularly in vendor-specific training sessions. This enhances their familiarity and proficiency with crucial tools and systems.

b. Specialized Modules: Our training framework integrates specialized modules to cater to distinct needs, including Microsoft Azure administration and comprehensive comprehension of roles and responsibilities tied to security.


7. Rigorous Maintenance of Training Records:

a. IT Admins’ Training Trail: Every training session attended is logged in our IT ticketing system. This practice ensures clarity and holds personnel accountable for their training commitments.

b. Training Records for General Staff: The Human Resources department is entrusted with the upkeep of training records for the rest of the staff. This ensures that everyone is on the same page and updated with mandatory training modules.
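The record-keeping in section 7 only satisfies the control if someone actually reconciles the completion log against what each person is required to take (the annual modules in section 4, the DoD CUI course for classified-data handlers in section 5b, the administrator modules in section 6b). The script below is an added example, not part of this SSP or of any ticketing or HR system: it takes a roster and a completion log (both constructed sample data here), derives each person's required modules from their role attributes, and reports modules that were never completed or whose most recent completion is older than a validity window. The 365-day window, the role attribute names and the user IDs are assumptions; the module names come from the SSP text.

```python
"""Reconcile training completion records against role-based requirements.

Added example for control 3.2.2; the roster, completion log, role attribute
names and the 365-day validity window are constructed assumptions, not data
from any real ticketing or HR system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Modules every employee must complete each year (SSP section 4).
ANNUAL_MODULES = (
    "Cybersecurity awareness",
    "Insider threat identification",
    "Counterintelligence awareness",
    "Export compliance",
    "Marking of classified information",
    "Derivative classification",
)

# Extra modules keyed by role attribute (SSP sections 5b and 6b).
ROLE_MODULES = {
    "handles_classified": ("DoD Mandatory CUI Training",),
    "system_admin": ("Microsoft Azure administration",),
}

# Assumed validity window for an annual module.
VALIDITY = timedelta(days=365)


@dataclass(frozen=True)
class Person:
    user_id: str
    handles_classified: bool = False
    system_admin: bool = False


def required_modules(person):
    """Return the set of modules this person must hold a current completion for."""
    modules = set(ANNUAL_MODULES)
    if person.handles_classified:
        modules.update(ROLE_MODULES["handles_classified"])
    if person.system_admin:
        modules.update(ROLE_MODULES["system_admin"])
    return modules


def latest_completions(records):
    """Collapse a log of (user_id, module, completion_date) rows to the newest date per (user, module)."""
    latest = {}
    for user_id, module, completed in records:
        key = (user_id, module)
        if key not in latest or completed > latest[key]:
            latest[key] = completed
    return latest


def training_gaps(roster, records, as_of):
    """Map user_id -> list of (module, reason) for every requirement not currently met."""
    latest = latest_completions(records)
    gaps = {}
    for person in roster:
        missing = []
        for module in sorted(required_modules(person)):
            done = latest.get((person.user_id, module))
            if done is None:
                missing.append((module, "never completed"))
            elif as_of - done > VALIDITY:
                missing.append((module, "expired " + done.isoformat()))
        if missing:
            gaps[person.user_id] = missing
    return gaps


# Constructed sample data: one general user, one classified-data handler, one admin.
SAMPLE_ROSTER = (
    Person("alice"),
    Person("bob", handles_classified=True),
    Person("carol", system_admin=True),
)
SAMPLE_RECORDS = (
    [("alice", m, date(2023, 6, 15)) for m in ANNUAL_MODULES]      # current
    + [("bob", m, date(2023, 1, 10)) for m in ANNUAL_MODULES]      # older than 365 days
    + [("bob", "DoD Mandatory CUI Training", date(2023, 12, 1))]   # current
    + [("carol", m, date(2023, 9, 1)) for m in ANNUAL_MODULES]     # current, but no Azure module
)
AS_OF = date(2024, 3, 1)


def sample_gaps():
    """Run the reconciliation over the constructed sample data."""
    return training_gaps(SAMPLE_ROSTER, SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for user_id, items in sample_gaps().items():
        for module, reason in items:
            print(f"{user_id}: {module} ({reason})")
```

Keeping the newest completion per (user, module) matters when the log is append-only, as a ticketing system export usually is; otherwise a stale row from a prior year would mask a current one, or vice versa. The same gap list is what an assessor will ask for as evidence that the records in section 7 are being used, not merely kept.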


Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) for Organizational System Security Plan (SSP) – Employee Security Training Protocols


Control: 03.02.02 – Security Training


1. Introduction:

  • Milestone: Communicate the significance of security training to all employees.
  • Action: Develop and distribute a briefing to highlight the importance of security awareness and training.
  • Deadline: [Date]

2. Assessment & Policy Framework:

a. Organizational Needs Analysis

  • Milestone: Complete the organizational needs analysis.
  • Action: Conduct a workshop to understand the current needs and access levels of personnel.
  • Deadline: [Date]

b. Documented Protocols

  • Milestone: Document security training protocols.
  • Action: Design and distribute policies and procedures manual.
  • Deadline: [Date]

c. Role-based Responsibilities

  • Milestone: Assign security responsibilities based on roles.
  • Action: Create a responsibility matrix and communicate to stakeholders.
  • Deadline: [Date]

3. Structured Training Sessions:

a. Content Diversity

  • Milestone: Develop diverse training content.
  • Action: Curate a list of topics and finalize content.
  • Deadline: [Date]

b. Tailored Training

  • Milestone: Customize training modules based on roles.
  • Action: Design tailored training modules and sessions.
  • Deadline: [Date]

4. Ongoing Annual Mandatory Training:

  • Milestone: Launch annual mandatory training sessions.
  • Action: Schedule and execute annual training sessions.
  • Deadline: [Date]

5. Active Security Awareness Programs:

a. Phishing Defense

  • Milestone: Reduce phishing vulnerabilities.
  • Action: Implement regular phishing drills and simulations.
  • Deadline: [Date]

b. DoD Mandatory Training

  • Milestone: Ensure 100% compliance with DoD training requirements.
  • Action: Enroll eligible employees and monitor completion.
  • Deadline: [Date]

6. System Administrators’ Continuous Learning:

a. Vendor-Driven Training

  • Milestone: Improve system security through vendor training.
  • Action: Schedule and ensure attendance of vendor-specific sessions.
  • Deadline: [Date]

b. Specialized Modules

  • Milestone: Incorporate specialized training modules.
  • Action: Identify needs and implement specialized training.
  • Deadline: [Date]

7. Rigorous Maintenance of Training Records:

a. IT Admins’ Training Trail

  • Milestone: Maintain a transparent record of IT admin training.
  • Action: Regularly update IT ticketing system with training data.
  • Deadline: [Date]

b. Training Records for General Staff

  • Milestone: Centralize training records for staff.
  • Action: Collaborate with HR to ensure accurate and updated records.
  • Deadline: [Date]


DoD (CUI) Training:

https://securityawareness.usalearning.gov/cui/index.html


DoD Mandatory Controlled Unclassified Information (CUI) Training

This course is mandatory training for all DoD personnel with access to controlled unclassified information. The course provides information on the eleven training requirements for accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements.

NOTES:

  1. This course and exam may be taken an unlimited number of times.
  2. Students will receive a certificate for the course after passing the exam with a 70% or better score. Please note, the exam must be completed in a single session because bookmarking is not available.
  3. Students are encouraged to print or save a copy of the certificate as evidence of completion as CDSE does not maintain records of course completions from this site.
  4. The course will run best in Edge Chromium, Google Chrome and Mozilla Firefox. Pop-ups must be enabled.
  5. For those using assistive technology, the following keyboard shortcuts have been added to this course:
    • Press Ctrl + M to mute audio
    • Press Alt + Right Arrow for the next screen and Alt + Left Arrow to go to the last screen
    • Press Tab to navigate interface elements of the course, and use the up and down arrows to explore instructional elements on each screen.

RELEVANT INFORMATION:


Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. [SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.