By Jack Anderson
February 5, 2019
The Safeguards in the NIST CSF are requirements to ensure HIPAA compliance. AT-1 is concerned with security awareness training:
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
The group writes a security awareness and training policy. The policy will be given to all affected personnel and will be reviewed and updated several times a year. The security awareness and training policy states the purpose for the training, who will carry it out, and what their jobs will entail. The group writes procedures that state how the policy will be carried out. The security awareness and training policy and procedures comply with all laws and rules applicable to the group.
The possible answers are:
- Yes, We have a policy in place and have implemented the procedures
- Yes ALT, We have implemented an alternative that meets the requirements
- No, We are not in compliance but have a plan to get into compliance
- NA, This safeguard does not apply to us
What answer(s) best explain why you chose NA?
- Cost
- Organization Size
- Complexity
- Alternate Solution
In the Jumpstart program you are supplied with a NIST policy that allows us to answer either Yes or NA when we do your NIST Risk Assessment. In the NIST scoring system an answer of NA scores the same as a Yes.