Users of a system are often its weakest link. Many users do not understand how their everyday actions affect the security of the system. Making users aware of their security responsibilities and teaching them correct practices changes their behavior, and it supports individual accountability, one of the most effective ways to improve information security: users who do not know which security measures are required, or how to apply them, cannot be held genuinely accountable for their actions.
The purpose of information security awareness, training, and education is to enhance security by:
• raising awareness of the need to protect system resources,
• developing skills and knowledge so system users can perform their jobs more securely, and
• building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems.
The organization is responsible for ensuring that managers and users are aware of the security risks associated with their activities, and that employees are trained to carry out their information security-related duties and responsibilities. Examples of awareness and training security requirements include security awareness training, role-based security training, and security training records.