Writing a Training Policy
When implementing an ongoing security awareness program for the first time, you’ll want to create a training policy. If a policy already exists, compare it against our template to determine whether it meets the requirements of the NIST Cybersecurity Framework and will pass an audit.
The purpose of the policy is two-fold:
- Provide the authority to implement a formal program.
- Help satisfy audit requirements for security awareness and training.
In particular, NIST SP800-53r4 control AT-1 requires a “Security Awareness and Training Policy and Procedures” regardless of the impact level of the information system in place (Low, Moderate, or High).
We’ve scoured the NIST publications and developed a template that contains all of the sections required by the NIST security controls. This template likely also covers any other information security frameworks you follow. Each section is labeled with the reference and the justification for its inclusion.
Here’s a screenshot of the table of contents.
Notice that it includes Roles and Responsibilities, Coordination Among Organizational Entities, and Updates. These sections establish organizational support for your program and a process for updating that program over time.
Here’s an excerpt from the document, with sample text included in each section.
If you’d like a free copy of the training policy template, request it here.