AT-03 Security Training

Control: The organization identifies personnel that have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security training based on the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides system managers, system and network administrators, and other personnel having access to system-level software, adequate technical training to perform their assigned duties. The organization’s security training program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) and with the guidance in NIST Special Publication 800-50.

Control Enhancements: (0) None.

Baseline: LOW: AT-3; MOD: AT-3; HIGH: AT-3

Family: Awareness And Training

Class: Operational

ISO 17799 mapping: 8.2.2, 10.3.2, 11.7.1, 13.1.1, 14.1.4

COBIT 4.1 mapping: PO7.4, DS7.2

PCI-DSS v2 mapping: 12.6.1b, 12.9.4