Level 2
Description:
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. [SP 800-50] provides guidance on security awareness and training programs.
Priority: High
Domain: AWARENESS AND TRAINING (AT)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Security Hub
- AWS Security Training and Certification
- Amazon Simple Email Service (Amazon SES)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Security Center
- Azure Sentinel
- Azure Information Protection
- Azure Policy
- Azure Monitor
- Azure Virtual Machines
- Azure App Service
- Azure DevOps
- Azure Logic Apps
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
- Administrative: supporting documentation of role-based security training being performed
- Technical: screenshot of groups and membership assignments (e.g., the IAM or Azure AD groups that define the roles for which role-based training is tracked)
Possible Technology Considerations:
- Learning Management System (LMS)
What needs to be answered:
Do all employees receive general security awareness training? Is there initial training for new hires on security policies? Is there annual refresher training covering any changes made to policies or security practices?
Checks for AWS
- Implement Security Awareness Training for Managers, Administrators, and Users:
Description: This check ensures that managers, systems administrators, and users of organizational systems receive security awareness training that makes them aware of the security risks associated with their activities. The training covers the applicable policies, standards, and procedures related to the security of those systems. The content includes the need for information security, the user actions required to maintain security, and how to respond to suspected security incidents.
- Deploy Security Awareness Techniques:
Description: This check verifies that security awareness techniques are deployed to reinforce security awareness among managers, administrators, and users. Techniques may include providing supplies with security reminders, sending email advisories or notices, displaying security awareness messages on login screens, displaying security awareness posters, and conducting information security awareness events.
Checks for Azure
- Implement Security Awareness Training for Managers, Administrators, and Users:
Description: This check ensures that security awareness training is implemented for managers, administrators, and users of organizational systems hosted in Azure. The check verifies that these individuals receive training that makes them aware of the security risks associated with their activities and covers the applicable security policies, standards, and procedures: a basic understanding of information security, the user actions required to maintain security, and how to respond to suspected security incidents. Its aim is to ensure that employees across all roles receive general security training.
- Deploy Security Awareness Techniques:
Description: This check verifies that security awareness techniques are deployed in the Azure environment to reinforce security awareness among managers, administrators, and users. Techniques include providing supplies with security reminders, sending email advisories or notices from organizational officials, displaying security awareness messages on login screens, displaying security awareness posters, and conducting information security awareness events. Deploying these techniques reinforces security practices and promotes a security-conscious culture within the organization.
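As an added example (not part of this practice page, and not an AWS or Azure tool), the following POSIX shell script implements the "security awareness messages on login screens" technique named in the checks above for Linux hosts reached over SSH: it writes an awareness banner file and ensures OpenSSH's Banner directive points at it, then verifies the result. The banner wording, the file paths and the config-rewriting approach are assumptions; on a live host you would run it as root against /etc/ssh/sshd_config and /etc/issue.net and reload sshd afterwards.

```shell
#!/bin/sh
# Added example: set and verify an SSH pre-login awareness banner.
# Paths are parameters so the functions can be exercised against copies
# of sshd_config rather than the live file.
set -eu

# set_ssh_banner CONFIG BANNER_FILE
#   Writes the awareness text (assumed wording) to BANNER_FILE and leaves
#   CONFIG with exactly one active "Banner BANNER_FILE" directive, removing
#   any existing Banner line (including "Banner none" and commented ones).
set_ssh_banner() {
    cfg="$1"
    banner="$2"

    cat > "$banner" <<'EOF'
NOTICE: This system is for authorized use only. Activity may be monitored
and recorded. Report suspected security incidents to the security team.
EOF

    # Strip every existing Banner directive so only ours remains; grep exits 1
    # when nothing is left, which is not an error here.
    tmp="${cfg}.tmp"
    grep -v -E '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg" > "$tmp" || true
    printf 'Banner %s\n' "$banner" >> "$tmp"
    mv "$tmp" "$cfg"
}

# check_ssh_banner CONFIG
#   Prints the banner path sshd would use (first active Banner directive,
#   matching OpenSSH's first-match rule) and returns 0; returns 1 if the
#   directive is absent, set to "none", or points at an empty file.
check_ssh_banner() {
    cfg="$1"
    path=$(awk 'tolower($1)=="banner" && p=="" {p=$2} END {print p}' "$cfg")
    case "$path" in
        ""|none) return 1 ;;
    esac
    [ -s "$path" ] || return 1
    printf '%s\n' "$path"
}

# Live-host usage (root, then reload sshd so the change takes effect):
#   set_ssh_banner /etc/ssh/sshd_config /etc/issue.net
#   check_ssh_banner /etc/ssh/sshd_config
```

The check function is the part worth keeping in an evidence-collection script: its output (or non-zero exit) is the technical artifact an assessor can be shown alongside the administrative records, and it catches the common case where a banner file exists but sshd_config still says `Banner none`.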
More Details: Policies in place regarding handling, storage, and transmission of sensitive information including CUI.