§164.308(a)(5)(i): Implement a security awareness and training program for all members of its workforce (including management).

Audit Inquiry

Does the entity have policies and procedures in place regarding a security awareness and training program?

Does the entity provide security awareness and training to all new and existing members of its workforce?

Obtain and review policies and procedures for the security awareness and training program.

Elements to review may include but are not limited to:
• How workforce members are provided with security awareness and training
• Which workforce members (including managers, senior executives, and, as appropriate, business associates and contractors) will be provided with security awareness and training
• How workforce members will be provided with security awareness and training when there is a change in the entity’s information systems
• How frequently security awareness and training will be provided to all workforce members

Obtain and review documentation demonstrating the implementation of a security awareness and training program including related training materials. Evaluate and determine whether the training program is reasonable and appropriate for workforce members to carry out their functions.

Obtain and review documentation demonstrating that the security awareness and training programs are provided to the entire organization and made available to independent contractors and business associates, if appropriate.

Required/Addressable

Required