The controls and activities in the Awareness and training (AT) family deal with the education of users with respect to the security of the system.
AT-01 Awareness and training policy and procedures
Activity
- Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  - [Selection (1 or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that:
    - addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
    - is consistent with applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines
  - Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls
- Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures
- Review and update the current awareness and training:
  - policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
  - procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
Discussion
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may prevent the need for mission- or system-specific policies and procedures. The approach to awareness and training can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.
Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.
Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security or privacy incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related controls and activities
PM-09, PS-08, SI-02, SI-12.
Enhancements
None.
References
- TBS Directive on Security Management, Appendix H: Mandatory Procedures for Security Awareness and Training Control
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- TBS Directive on Personal Information Requests and Correction of Personal Information
- Top 10 IT security actions: #6 Provide tailored cyber security training (ITSM.10.093)
AT-02 Literacy training and awareness
Control
- Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
  - as part of initial training for new users and [Assignment: organization-defined frequency] thereafter
  - when required by system changes or following [Assignment: organization-defined events]
- Employ the following techniques to increase the security and privacy awareness of system users: [Assignment: organization-defined awareness techniques]
- Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
- Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques
Discussion
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. As needed, organizations may supplement the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and protect personal information as well as to respond to suspected incidents. The content addresses the need for operations security and the handling of personal information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-02A.1 is conducted at a minimum frequency consistent with applicable directives and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training.
Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines.
GC discussion: Organizations provide privacy content that covers, at minimum, the items addressed in the Mandatory Procedures for Privacy Training of the TBS Directive on Personal Information Requests and Correction of Personal Information.
Related controls and activities
AC-03, AC-17, AC-22, AT-03, AT-04, CP-03, IA-04, IR-02, IR-07, IR-09, PL-04, PM-13, PM-21, PS-07, PT-02, SA-08, SA-16, SA-400.
Enhancements
- (01) Literacy training and awareness: Practical exercises
  - Provide practical exercises in literacy training that simulate events and incidents.
  - Discussion: Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.
  - Related controls and activities: CA-02, CA-07, CP-04, IR-03.
- (02) Literacy training and awareness: Insider threat
  - Provide literacy training on recognizing and reporting potential indicators of insider threat.
  - Discussion: Potential indicators and possible precursors of insider threat can include behaviours such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices.
    Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behaviour of team members, while training for employees may be focused on more general observations.
  - Related controls and activities: PM-12.
- (03) Literacy training and awareness: Social engineering and mining
  - Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
  - Discussion: Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
  - Related controls and activities: None.
- (04) Literacy training and awareness: Suspicious communications and anomalous system behaviour
  - Provide literacy training on recognizing suspicious communications and anomalous behaviour in organizational systems using [Assignment: organization-defined indicators of malicious code].
  - Discussion: A well-trained workforce provides another organizational control that can be employed as part of a defence-in-depth strategy to protect against malicious code coming into organizations via email or web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications.
    Training personnel on how to recognize anomalous behaviours in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behaviour by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations.
  - Related controls and activities: None.
- (05) Literacy training and awareness: Advanced persistent threat
  - Provide literacy training on the advanced persistent threat.
  - Discussion: An effective way to detect APTs and to preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home.
  - Related controls and activities: None.
- (06) Literacy training and awareness: Cyber threat environment
  - Provide literacy training on the cyber threat environment
  - Reflect current cyber threat information in system operations
  - Discussion: Since threats continue to change over time, threat literacy training by the organization is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational mission and business functions.
  - Related controls and activities: RA-03.
References
- TBS Directive on Security Management, Appendix H: Mandatory Procedures for Security Awareness and Training Control
- TBS Directive on Personal Information Requests and Correction of Personal Information, Appendix B: Mandatory Procedures for Privacy Training
- Top 10 IT security actions: #6 Provide tailored cyber security training (ITSM.10.093)
- Offer tailored cyber security training to your employees (ITSAP.10.093)
- Introduction to the cyber threat environment
AT-03 Role-based training
Control
- Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]
  - before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter
  - when required by system changes
- Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
- Incorporate lessons learned from internal or external security incidents or breaches into role-based training
Discussion
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
Roles that may require role-based training include senior leaders or management officials (e.g., head of agency, chief executive officer, chief information officer, senior accountable official for risk management, senior official in the department’s security governance, appropriate privacy senior official or executive), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy practitioners; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personal information.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the defined security and privacy roles. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies.
Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.
GC discussion: Ensure that employees of government institutions receive privacy training as outlined in Appendix B of the TBS Directive on Personal Information Requests and Correction of Personal Information.
Related controls and activities
AC-03, AC-17, AC-22, AT-02, AT-04, CP-03, IR-02, IR-04, IR-07, IR-09, PL-04, PM-13, PM-23, PS-07, PS-09, SA-03, SA-08, SA-11, SA-16, SR-05, SR-06, SR-11.
Enhancements
- (01) Role-based training: Environmental controls
  - Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
  - Discussion: Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility.
  - Related controls and activities: PE-01, PE-11, PE-13, PE-14, PE-15.
- (02) Role-based training: Physical security controls
  - Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
  - Discussion: Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment.
  - Related controls and activities: PE-02, PE-03, PE-04.
- (03) Role-based training: Practical exercises
  - Provide practical exercises in security and privacy training that reinforce training objectives.
  - Discussion: Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying personal information, assessing permissible uses of the information and acceptable processes in handling the personal information in various scenarios, or scenarios on conducting PIAs.
  - Related controls and activities: None.
- (04) Role-based training: Suspicious communications and anomalous system behaviour
  - Withdrawn: Moved to AT-02(4).
- (05) Role-based training: Handling personal information
  - Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personal information handling and transparency controls.
  - Discussion: Personal information handling and transparency controls include identifying the organization’s authority to collect, use or disclose personal information as well as communicating the authority and handling practices to the individual.
  - GC discussion: Role-based training for GC departments and agencies addresses the applicable definitions, such as the types of information that may constitute personal information and the risks, considerations, and obligations associated with its handling. Such training also considers the authority to collect and use personal information documented in TBS and institution-specific privacy policies and notices, PIB, privacy notice statements, PIAs, the Privacy Act, contracts, information sharing agreements and arrangements, memoranda of understanding, and/or other documentation. The training covers the responsibilities of employees for the management of personal information and management of privacy breaches. It also addresses the complaints process and review by the courts of GC institutions handling personal information.
  - Related controls and activities: PT-02, PT-03, PT-05, PT-06.
References
- TBS Policy on Government Security
- TBS Directive on Security Management, Appendix H: Mandatory Procedures for Security Awareness and Training Control
- TBS Directive on Personal Information Requests and Correction of Personal Information, Appendix B: Mandatory Procedures for Privacy Training
AT-04 Training records
Control
- Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training
- Retain individual training records for [Assignment: organization-defined time period]
Discussion
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization.
GC discussion: Library and Archives Canada provides guidance on records retention for GC departments and agencies.
Related controls and activities
AT-02, AT-03, CP-03, IR-02, PM-14, SI-12.
Enhancements
None.
References
- TBS Directive on Privacy Practices
- TBS Directive on Personal Information Requests and Correction of Personal Information
AT-05 Contacts with security groups and associations
Withdrawn: Incorporated into PM-15.
AT-06 Training feedback
Control
Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].
Discussion
Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-02B and AT-03B.
GC discussion: Collection of individuals' personal opinions and views related to training is considered to be personal information; as such, notice should be provided to respondents participating in the feedback process.
Related controls and activities
None.
Enhancements
None.
References
- TBS Directive on Privacy Practices