Abstract
This document and NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, describe the following key approaches of an information security awareness and training program that federal departments and agencies should follow to help ensure that individuals learn the appropriate information security-related material:

- All employees of an organization must be regularly or continually exposed to information security awareness techniques (e.g., posters, awareness tools/trinkets, periodic e-mail, warning messages, tips of the day upon accessing an information system, computer/information security day events).
- All users of information and information systems must attend information security awareness training (on-line or in-person) each year. This material should provide the information security basics and literacy as described in Chapter 3 of this document. This basics and literacy knowledge serves as the foundation upon which role-based training is built for those with significant responsibility for information security.
- Each person who has been identified by his or her organization as having significant responsibility for information security must receive formal role-based information security training.1 The amount and frequency of training depends on the gap between an individual's existing and needed skills, and on changes in technology and the operating environment to which the individual must adapt. Influences on training needs include individual development plans (IDPs), performance plans, and management.

URL: https://csrc.nist.gov/publications/detail/sp/800-16/rev-1/draft