Wednesday, July 20, 2011

Federal Information Security Management Act (FISMA)

§3544.(b).(4).(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

Training: The requirement for the agency to ensure that sufficient trained personnel are available for the information security program falls under the purview of the CISO, who manages the program and its supporting functions. This extends to the CISO's management of the staffing of dedicated security personnel for the CISO's own office, as well as oversight of the designation, training, and performance of personnel assigned to other established information security roles, including authorizing officials, system owners, and information system security officers. The CISO fulfills this requirement through staffing plans developed in concert with human resources personnel, and by means of agency-level performance measurement plans and processes.

Security Awareness Training: The agency program must address requirements for training all users on the risks associated with their activities and on their responsibilities for complying with agency information security policies and procedures. In response to this requirement, agencies provide user-level security awareness content (often computer-based) to employees and contractors at least annually, and supplement it on an as-needed basis through e-mail messages, announcements, newsletters, and similar channels.
