Reviewing published guidance, training, and awareness programs currently in place.

Status: Live

The organization will review the confidentiality, integrity, availability, and accountability guidance and training it provides, to ensure end-user awareness. [UCF ID 01245]

Supporting and supported controls

This control directly supports: no controls are listed.

Supporting controls: there are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 7.3, Exam Tier II Obj F.4; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 4.1 Process, Stage 4.3 Process; The Standard of Good Practice for Information Security, SM2.4.1(g); Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.12.2; ISACA Cross-Border Privacy Impact Assessment, Principle 7.42; Archer Control Table, ATCS-599

Banking and Finance Guidance

[Exam Tier I Obj 7.3, Exam Tier II Obj F.4, FFIEC IT Examination Handbook – Information Security]

General Guidance

The Business Continuity Institute (BCI) Good Practice Guidelines process calls for conducting an awareness assessment to determine what further training the organization needs. The assessment has three basic tasks:
Establish the current level of awareness of the organization’s BCM (business continuity management) programme;
Specify the desired level of awareness and how it will be measured;
Identify the nature and scope of the ‘training gap’ that the campaign must bridge.
The process also requires the organization to solicit and collate feedback on specific training events, and to look for trends that span multiple events, such as a particular module within a training course that consistently draws criticism. The organization should also monitor the effectiveness of training programs in both the short and long term, and periodically re-measure awareness to check whether the training is being retained by employees.
[Stage 4.1 Process, Stage 4.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

Security awareness programs should be reviewed to ensure that all individuals are receiving appropriate information about the importance of the information security program. [SM2.4.1(g), The Standard of Good Practice for Information Security]

[Ch 5.12.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

EU Guidance

[Principle 7.42, ISACA Cross-Border Privacy Impact Assessment]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.