AT-3—Role-Based Training
>Control Description
(a) Provide role-based security and privacy training to personnel with the following roles and responsibilities:
• All individuals with unescorted access to a physically secure location;
• General User: A user, but not a process, who is authorized to use an information system;
• Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that general users are not authorized to perform;
• Organizational Personnel with Security Responsibilities: Personnel with the responsibility to ensure the confidentiality, integrity, and availability of CJI and the implementation of technology in a manner compliant with the CJISSECPOL.
(1) Before authorizing access to the system, information, or performing assigned duties, and annually thereafter; and
(2) When required by system changes;
(b) Update role-based training content annually and following audits of the CSA and local agencies; changes in the information system operating environment; security incidents; or when changes are made to the CJIS Security Policy;
(c) Incorporate lessons learned from internal or external security incidents or breaches into role-based training; and
(d) Incorporate, at a minimum, the following topics into the appropriate role-based training content:
(1) All individuals with unescorted access to a physically secure location:
Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
Penalties
Reporting Security Events
Incident Response Training
System Use Notification
Physical Access Authorizations
Physical Access Control
Monitoring Physical Access
Visitor Control
Personnel Sanctions
(2) General User: A user, but not a process, who is authorized to use an information system. In addition to the topics in AT-3 (d) (1) above, include the following:
Criminal Justice Information
Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
Personally Identifiable Information
Information Handling
Media Storage
Media Access
Audit Monitoring, Analysis, and Reporting
Access Enforcement
Least Privilege
System Access Control
Access Control Criteria
System Use Notification
Session Lock
Personally Owned Information Systems
Password
Access Control for Display Medium
Encryption
Malicious Code Protection
Spam and Spyware Protection
Cellular Devices
Mobile Device Management
Wireless Device Risk Mitigations
Wireless Device Malicious Code Protection
Literacy Training and Awareness/Social Engineering and Mining
Identification and Authentication (Organizational Users)
Media Protection
(3) Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that general users are not authorized to perform. In addition to the topics in AT-3 (d) (1) and (2) above, include the following:
Access Control
System and Communications Protection and Information Integrity
Patch Management
Data backup and storage—centralized or decentralized approach
Most recent changes to the CJIS Security Policy
(4) Organizational Personnel with Security Responsibilities: Personnel with the responsibility to ensure the confidentiality, integrity, and availability of CJI and the implementation of technology in a manner compliant with the CJISSECPOL. In addition to the topics in AT-3 (d) (1), (2), and (3) above, include the following:
Local Agency Security Officer Role
Authorized Recipient Security Officer Role
Additional state/local/tribal/territorial or federal agency roles and responsibilities
Summary of audit findings from previous state audits of local agencies
Findings from the last FBI CJIS Division audit
>Cross-Framework Mappings