Sample Audit Checklist for CJIS Security Policy (CJISSECPOL) Area 2
# QUESTION YES NO N/A STANDARD COMMENT
3. Does the Tribe or TGRA’s organization-level awareness and training policy address its purpose[5], scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, a.1(a)  COMMENT:
   Is the policy consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, a.1(b)  COMMENT:
   Has the Tribe or TGRA developed procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, a.2  COMMENT:
4. Based on inquiry and record examination, has the Tribe or TGRA designated organizational personnel with information security awareness and training responsibilities to manage the development, documentation, and dissemination of the awareness and training policy and procedures?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, b  COMMENT:
5. Based on inquiry and record examination, does the Tribe or TGRA review and update the current awareness and training policy annually and following changes in the information system operating environment, when security incidents occur or when changes to the CJIS Security Policy are made?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, c.1  COMMENT:
6. Based on inquiry and record examination, does the Tribe or TGRA review and update its procedures annually and following changes in the information system operating environment, when security incidents occur or when changes in the CJIS Security Policy are made?
   YES ____  NO ____  N/A ____  STANDARD: AT-1, c.2  COMMENT:
7. Based on inquiry and record examination, does the Tribe or TGRA provide security and privacy literacy training to system users (including managers, senior executives, and contractors) as part of initial training for new users prior to the users accessing CJI and annually thereafter?
   YES ____  NO ____  N/A ____  STANDARD: AT-2, a.1  COMMENT:
[5] See Question 1.