
Security Training - Information Security (INFOSEC) and Information Assurance (IA) for ALL Employees; Military, Government Civilian and Contractor


Overview

Finding ID: V-32606
Version: SM-02.02.01
Rule ID: SV-42943r2_rule
IA Controls: DCSD-1, PESP-1, PETN-1, PRTN-1
Severity: Medium
Description
Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information.
STIG: Traditional Security
Date: 2013-07-11

Details

Check Text ( C-41045r7_chk )
Checks:

Check #1. Check that initial and recurring (minimum annually) information security AND information assurance training is provided to each employee.

Check #2. Check to ensure the following training topics are covered. Some topics may not be necessary based on the organization's mission or other considerations. Reviewers should use discretion in determining whether adequate training topics are covered:

a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media)
b. Communications Security
c. Computer (AKA: Information Assurance) Security requirements
d. Counter-intelligence briefings
e. Penalties for engaging in espionage activities
f. Courier briefing (if applicable)
g. Reporting of derogatory information
h. Reporting of Security Incidents
i. Security of Laptop computers when traveling
j. Special access programs, NATO, COSMIC TS, etc (as applicable)
k. Use of personal computers for conducting official business
l. Concerns identified during Component self-inspections

Check #3. Check records of employee training and ensure 100% of initial training briefings are accomplished and at least 95% of employees have completed annual training. Note that while 100% completion of annual training is the goal, employees on extended leave, TDY, or other circumstances make this difficult to accomplish.

All training accomplished must be documented. Anything less will be a finding.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.
Fix Text (F-36521r3_fix)
Fixes:

1. Ensure initial and recurring (annual minimum) information security and information assurance training is provided to each employee.

2. Ensure the following training topics are covered at a MINIMUM:

a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media)
b. Communications Security
c. Computer (AKA: Information Assurance) Security requirements
d. Counter-intelligence briefings
e. Penalties for engaging in espionage activities
f. Courier briefing (if applicable)
g. Reporting of derogatory information
h. Reporting of Security Incidents
i. Security of Laptop computers when traveling
j. Special access programs, NATO, COSMIC TS, etc (as applicable)
k. Use of personal computers for conducting official business
l. Concerns identified during Component self-inspections
m. Check records of employee training and ensure 100% of initial training and termination briefings are accomplished and at least 95% of employees have completed annual training. While 100% annual training is the goal, circumstances such as extended employee TDY or leave make this difficult to achieve.

All training accomplished must be documented. Anything less will be a finding.