Review the current published guidance, training, and awareness programs.

UCF ID: 01245
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 7.3, Exam Tier II Obj F.4; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 4.1 Process, Stage 4.3 Process; The Standard of Good Practice for Information Security, SM2.4.1(g); ISACA Cross-Border Privacy Impact Assessment, Principle 7.42; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 36; Defense Industrial Base Information Assurance Standard, § 3.4 ¶ 1 thru 2; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 6, ¶ 10.2.2; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.4(3)

Banking and Finance Guidance

[Exam Tier I Obj 7.3, Exam Tier II Obj F.4, FFIEC IT Examination Handbook – Information Security]

US Federal Security Guidance

Bank management should develop and maintain a plan to ensure that key employees and vendors have the expertise and skills to perform necessary functions and that they are properly trained. Management should allocate sufficient resources to hire and train employees and to ensure that adequate back-up exists if a critical person leaves. Training may include technical course work, attendance at industry conferences, participation in industry working groups, as well as time allotment for appropriate staff to keep abreast of important technological and market developments. Training also includes outreach to customers to ensure that a bank's customers understand how to use or access a bank's technology products and services and that they are able to do so in an appropriate and sound manner. [¶ 36, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

An Awareness Training program should be provided to the DIB asset owner/operators and should focus on:
• protecting DoD interests;
• protecting Federal interests;
• assuring the mission to the war fighters; and
• fostering relationships with local responders and Federal, State, and local law enforcement/civil authorities for business recovery planning.
The Awareness Training should also notify the asset owner/operators of the protection measures that have been applied to their proprietary and business-sensitive information, along with an overview of the DoD information-sharing responsibilities and procedures. [§ 3.4 ¶ 1 thru 2, Defense Industrial Base Information Assurance Standard]

ISO Guidance

¶ 6 An organization should identify and implement appropriate safeguards for each IT system to reduce the risks to an acceptable level. These safeguards are implemented as outlined in the IT security plan. The implementation should be supported by an awareness and training program, which is important for the effectiveness of the safeguards.
¶ 10.2.2 Program Delivery. An organization should develop a security awareness program which includes both interactive and promotional techniques. The focus of this part of an awareness program should be the deficiencies that were identified through the needs analysis. Employees need to gain an appreciation and understanding that IT assets are valuable and that the threats to those are real.
One benefit derived from such an organizational security awareness program is that it provides employees an opportunity to participate in the security program. Interactive techniques (staff meetings, training courses, etc.) provide two-way communications that allow participants and security personnel to validate the concepts and requirements that resulted from the needs analysis. Promotional techniques (video, e-mail security banners, posters, publications, etc.) are one-directional communication methods which allow management to broadcast concepts, information, and attitude in an inexpensive manner.
[¶ 6, ¶ 10.2.2, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]

Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below.
3. Security Awareness and Training
All personnel who use, develop, support, or have access to IT equipment should receive regular security awareness briefings and material. This should ensure that the personnel are aware of the importance of the information processed to the business, and of the associated threats, vulnerabilities and risks, and thus understand why safeguards are needed. Users should also be trained to use IT facilities correctly, to avoid errors. For selected personnel (e.g. IT security officers, security administrators), more specific security training might be necessary.
[¶ 8.1.4(3), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

General Guidance

Process calls for conducting an awareness assessment to determine what further training needs the organization has. There are three basic tasks for this assessment:
• Establish the current level of awareness of the organization’s BCM
• Specify the desired level of awareness and how this will be measured
• Identify the nature and scope of the ‘training gap’ to be bridged by the campaign.
Process requires an organization to solicit and collate feedback on specific training events. Look for trends underlying multiple training events such as particular modules within a training course that consistently draw criticism. The organization should also monitor the effectiveness of training programs in the long and short term and periodically monitor awareness to see if training is sticking with employees.
[Stage 4.1 Process, Stage 4.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

Security awareness programs should be reviewed to ensure that all individuals are receiving appropriate information about the importance of the information security program. [SM2.4.1(g), The Standard of Good Practice for Information Security]

EU Guidance

[Principle 7.42, ISACA Cross-Border Privacy Impact Assessment]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.