
Train all personnel and third parties, as necessary.
CONTROL ID
00785
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an education methodology., CC ID: 06671
  • Conduct tests and evaluate training., CC ID: 06672
  • Review the current published guidance and awareness and training programs., CC ID: 01245
  • Establish, implement, and maintain training plans., CC ID: 00828
  • Analyze and evaluate training records to improve the training program., CC ID: 06380


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is the primary responsibility of AIs to ensure that the risks posed by e-banking are properly managed and to educate and protect their customers. In the light of the inherent operational, reputation and legal risk as well as potential liquidity risk associated with e-banking, an AI's Board, or i… (§ 3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices they use in e-banking and keep the passwords they use for accessing e-banking secure and secret. AIs should also observe the relevant provisions set out in the Code … (§ 4.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • sufficient audit trails (including system records and footage from closed-circuit television (CCTV)) of customers' transactions conducted through the terminals should be retained. Proper procedures and dual controls should also be implemented to reconcile the banknotes in the terminals against the r… (§ 7.3.2(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices and the authentication factors (e.g. passwords and authentication tokens) used by the customers in the e-banking services. AIs should also observe the relevant provi… (§ 4.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • App 2-1 Item Number I.6(2): The organization must identify all laws and regulations with which it must comply. It must establish a training system to inform and educate all stakeholders about the identified laws and regulations. App 2-1 Item Number VI.4.3(3): The organization must periodically provi… (App 2-1 Item Number I.6(2), App 2-1 Item Number VI.4.3(3), App 2-1 Item Number VI.4.3(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O81: The organization shall provide education related to the specific systems and applications personnel access in their duties. O81.1: The organization shall provide in-house and outside education to personnel, including contractor's staff, involved in developing, operating, or using computer syste… (O81, O81.1, O82, T42-1.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O80.2: The organization shall ensure all new employees receive security training. O82.1(1): The organization should provide education and training when new staff is assigned, software is changed, a new system is installed, and at other opportunities to ensure quick familiarization with operations a… (O80.2, O82.1(1), O89.1(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For normal computer system operations (including the case where an automated operations method is adopted), it is necessary to conduct education and training on operations whenever there are new staff assignments, new equipment installations, software changes, and upon other opportunities, in order … (P31.2. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Strategy for periodic training and enhancing skills of information security personnel, requirement of continuous professional education (Critical components of information security 1) 2) p., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. (Article 25(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The outsourcer shall educate the outsourcee so that personal information of data subjects may not be lost, stolen, leaked, forged, altered, or damaged owing to the outsourcing of work, and supervise how the outsourcee processes such personal information safely by inspecting the status of processing,… (Article 26(4), Personal Information Protection Act)
  • Each member of the Board of Directors should receive refresher training on new or changed laws, regulations, risks to the organization, and more. (¶ 1.6, CODE OF CORPORATE GOVERNANCE 2005)
  • When the organization appoints a new member to the Board of Directors, he/she should receive initial training on his/her duties and an introduction to the organization's business and governance practices. The organization also should consider training new members of the Board in accounting, legal, a… (¶ 1.6, ¶ 1.8, CODE OF CORPORATE GOVERNANCE 2005)
  • The training program should be conducted and updated at least annually and extended to all new and existing staff, contractors and vendors who have access to the FI’s IT resources and systems. (§ 3.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • As more customers log onto FIs’ websites to access their accounts and conduct a wide range of financial transactions for personal and business purposes, the FI should put in place measures to protect customers who use online systems. In addition, the FI should educate its customers on security mea… (§ 12.1.10, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • It is important that incidents are accorded with the appropriate severity level. As part of incident analysis, the FI may delegate the function of determining and assigning incident severity levels to a centralised technical helpdesk function. The FI should train helpdesk staff to discern incidents … (§ 7.3.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The board of directors should undergo training to raise their awareness on risks associated with the use of technology and enhance their understanding of technology risk management practices. (§ 3.6.3, Technology Risk Management Guidelines, January 2021)
  • Personnel are provided with ongoing cyber security awareness training. (P13:, Australian Government Information Security Manual, March 2021)
  • System administrators are formally trained to manage gateways. (Security Control: 0612; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Users are trained on the secure use of a CDS before access to the CDS is granted. (Security Control: 0610; Revision: 6, Australian Government Information Security Manual, March 2021)
  • System administrators for gateways are formally trained on the operation and management of gateways. (Control: ISM-0612; Revision: 5, Australian Government Information Security Manual, June 2023)
  • System administrators for gateways are formally trained on the operation and management of gateways. (Control: ISM-0612; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Applicants must complete IRAP New Starter Training and pass the IRAP assessor examination. Refer to the IRAP assessor examination section for further details. (IRAP Membership Pre-requisite qualifications for IRAP assessors IRAP training and examination ¶ 1, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • completed IRAP New Starter Training and passed examination within the last 12 months (21.d., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • As directed, undertake IRAP-related learning and development activities. (IRAP Membership Maintaining IRAP assessor membership ICT security knowledge maintenance ¶ 1 4., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The organization must ensure all personnel with system access have sufficient information security awareness and training. (Control: 0251, Australian Government Information Security Manual: Controls)
  • The organization must provide all users with training on the secure operation of the system and the Information Security policies and procedures before they are granted unsupervised Access to the system. (Control: 0256, Australian Government Information Security Manual: Controls)
  • The organization must ensure personnel know what suspicious contact is and how to report it, especially from external sources using Internet services. (Control: 0817, Australian Government Information Security Manual: Controls)
  • The organization must document its labeling scheme and train users, if it uses non-textual protective markings due to operational security concerns. (Control: 1168, Australian Government Information Security Manual: Controls)
  • The organization must document the labeling scheme when it labels media with non-textual protective markings for security purposes and train personnel appropriately. (Control: 0334, Australian Government Information Security Manual: Controls)
  • All users on unclassified systems should be trained on the secure use and security risks of gateways before being granted Access to systems connected to a gateway. (Control: 0609, Australian Government Information Security Manual: Controls)
  • All users on classified systems must be trained on the secure use and security risks of gateways before being granted Access to systems connected to a gateway. (Control: 0610, Australian Government Information Security Manual: Controls)
  • The organization must ensure the System Administrators have been formally trained to manage the gateways. (Control: 0612, Australian Government Information Security Manual: Controls)
  • An APRA-regulated entity would regularly educate users, including both internal staff and contractors, as to their responsibilities regarding securing information assets. Common areas covered would typically include: (Attachment B 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • All personnel who access the organization's systems should have sufficient training and should be provided ongoing security training. Personnel should be told not to divulge any information that could be used to compromise the security of the organization. Users should be made aware of the maximum c… (§ 3.2.7, § 3.2.12, § 3.8.52, Australian Government ICT Security Manual (ACSI 33))
  • The organization should conduct user education. (Mitigation Strategy Effectiveness Ranking 8, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should educate users to avoid using weak passphrases. (Mitigation Strategy Effectiveness Ranking 8, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should educate users not to reuse passphrases. (Mitigation Strategy Effectiveness Ranking 8, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should educate users to not use unapproved Universal serial bus devices. (Mitigation Strategy Effectiveness Ranking 8, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should educate users to not expose their e-mail addresses. (Mitigation Strategy Effectiveness Ranking 8, Strategies to Mitigate Targeted Cyber Intrusions)
  • (§ F.4.8, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The auditor trainee must complete 3 years of practical training, 2/3 of which must be with a registered audit firm or auditor. Auditors are required to participate in continuing education programs to maintain their professional skills. If they do not participate, they will be subject to penalties. (Art 10, Art 13, EU 8th Directive (European SOX))
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved … (Art. 39.1.(b), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexit… (Art. 13.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The management level must assume a role model function also when it comes to information security. Among other things, this includes that the management level takes into account all specified security rules, participates in training measures, and supports other managers regarding the execution of th… (§ 4.1(6) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Information security affects all employees without any exceptions. By acting responsibly and with quality awareness, every individual can avoid damages and contribute to success. Raising the awareness for information security and providing appropriate training measures for employees as well as for a… (§ 6 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • If new employees are employed or existing ones are given new tasks they must be provided with thorough training so they adjust to the new situation. This must also involve teaching them about the security-related aspects of the respective job. If employees leave the organisation or their responsibil… (§ 6 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The staff concerned must also receive training as to how to implement and apply the new security safeguards correctly. If such training is not performed, often the safeguards cannot be implemented and will lose their effect if the employees consider themselves as being informed sufficiently, frequen… (§ 9.5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The responsible staff is adequately trained. (1.2.4 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • Employees are trained and made aware. (2.1.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • When the persons in charge of processing are instructed on their duties, they will be told of their obligation to take necessary precautions to ensure the confidential component(s) of the authorization credentials are kept secret and any devices that are used or exclusively held by persons in charge… (Annex B.4, Italy Personal Data Protection Code)
  • Training activities must be planned to begin at the start of the employment relationship and when changes occur in the tasks and/or the implementation of new, significant means relevant to processing personal data. (Annex B.19.6, Italy Personal Data Protection Code)
  • The Supervisory Board is required to review, on an annual basis, the training program to identify any further education that members of the Board may need. (¶ III.3.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • All new Supervisory Board members must participate in an induction program that covers the responsibilities, financial affairs, legal affairs, financial reporting requirements, and any unique aspects of the business. (¶ III.3.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • Employees must be instructed about their duties. This measure must take into account the state of the art and the costs to safeguard the data at an appropriate level with regard to the risks from the use and type of data that is being protected. (§ 14(2)3, Austria Data Protection Act)
  • The data controller must provide professional training to the personal data protection official(s). The training must correspond to the scope of this Act and the scope of international treaties on the protection of personal data. The Office may request proof that the professional training has taken … (§ 19(3), Slovak Republic Protection of Personal Data in Information Systems)
  • staff training; (§ 7.11 Bullet 10, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization is required to conduct information management training for the accounting officer, senior information risk owner, and information asset owner. The organization should invite the chair(s) of audit committee(s), staff members who directly assist delegates who are discharging their res… (Audience ¶ 4 thru ¶ 6, Guidance on Role Specific Training, March 2009)
  • After training, attendees should understand key concepts about information risk and its management and relationship with other types of risk; be able to lead cultural change to ensure staff members value, protect, and use information for the public benefit; understand the applicable laws and regulat… (AO/SIRO/IAO Training Specification ¶ 10, Guidance on Role Specific Training, March 2009)
  • The organization must verify all security officers have been given a joint security briefing on appointment or attended relevant training courses before, or at the earliest opportunity after appointment and they have the appropriate competencies and training. (Mandatory Requirement 9, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must verify all system users are familiar with the security operating procedures to use the system, they have received security training, and they are aware of how to report security issues. The organization must verify employees who manage and maintain system configuration and thos… (Mandatory Requirement 48, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must verify Board members who are responsible for security complete security and Risk Management familiarization when appointed; security officers receive a joint security briefing on appointment or attended relevant training courses before, or at the earliest opportunity after appo… (Mandatory Requirement 9, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must ensure that each security staff member has been trained to the appropriate level. (Mandatory Requirement 9.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must ensure all employees receive security awareness and training upon hiring and regularly, thereafter. (Mandatory Requirement 9.d, HMG Security Policy Framework, Version 6.0 May 2011)
  • Audience ¶ 8: All staff, regardless of grade and role, who access or manage protected personal data must attend training. Audience ¶ 9: Each department should consider if staff who do not handle protected personal data would benefit from training. (Audience ¶ 8, Audience ¶ 9, Outline Specification for DHR Information Awareness Training, March 2009)
  • Background ¶ 2: All government staff that handles personal protected data must complete training when they are hired and annually thereafter. Timing ¶ 23: Employees must complete e-learning and an assessment at the start of their employment, when they first move into a position that handles or man… (Background ¶ 2, Timing ¶ 23, Outline Specification for DHR Information Awareness Training, March 2009)
  • Directors should continually update their knowledge and skills required to perform their duties. (§ A.5, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • New directors should be formally inducted into the organization upon joining the Board. (§ A.5.1, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • Security awareness training for all personnel is called for. Employees should be made aware of the importance of information security and equipped with the proper resources, knowledge and skill to maintain information security. Employees that do incident response should be trained in security proced… (§ 4.2.2.2, OGC ITIL: Security Management)
  • Staff members should have the appropriate training and expertise necessary to do their jobs. (¶ 34, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization may consider supporting capability training for agencies to effectively perform their duties as part of its risk mitigation measures. (Annex III - Table Supply Chain Policy - Transparency on Taxes, Fees and Royalties Paid to Governments Bullet 4, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should conduct training, as appropriate. (Supplement on Gold Step 1: § I.B.3, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • (§ II.8, § II.35, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization educate and train the Board of Directors on cyber risk? (§ I.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How often does your organization educate and train the Board of Directors on cyber risk? (§ I.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are all business associations, partners, contractors, or customers that have access to the company's computer systems made aware of the company's policies and procedures? (Table Row II.9, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are all employees trained on network security basics? (Table Row II.35, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there a testing component to verify and validate the training? (Table Row II.38, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization provide or use comprehensive digital forensics training? (Table Row XII.26, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • § 2.2 (2.2.060) The organization should ensure that wired and wireless networking security training is included in the end user security program. § 2.3.2 (2.3.2.050) Users should be trained to turn off receivers and transmitters on wireless WLAN devices prior to entering a sensitive area and when… (§ 2.2 (2.2.060), § 2.3.2 (2.3.2.050), § 2.3.2 (2.3.2.080), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The conflict minerals policy must ensure individuals are trained. (§ B(I) ¶ 1(d), Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The conflict minerals policy must ensure that individuals are trained. (§ B(I)(f), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • Once an organisation has voluntarily decided to certify under the EU-U.S. DPF, its effective compliance with the Principles is compulsory and enforceable. Under the Recourse, Enforcement and Liability Principle, EU-U.S. DPF organisations must provide effective mechanisms to ensure compliance with th… (2.2.7 (45), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In accordance with authority provided by the Clinger-Cohen Act (P.L. 104-106, Division E) and the Computer Security Act of 1987 (P.L. 100-235), the Office of Management and Budget (OMB) issued Circular No. A-130 to establish general binding guidance that applies to all federal agencies (including la… (3.1.1.2 (102), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization that has an ongoing training program should include training in current URAC standards as appropriate to job functions. (CORE - 27(b), URAC Health Utilization Management Standards, Version 6)
  • The organization that has an ongoing training program should include training on Conflict of Interest. (CORE - 27(c), URAC Health Utilization Management Standards, Version 6)
  • The organization should implement written policies and/or documented procedures addressing health literacy that provide relevant information and guidance to staff that interfaces directly with, or writes content for, consumers. (CORE - 40(c), URAC Health Utilization Management Standards, Version 6)
  • Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals. (PO7.4 Personnel Training, CobiT, Version 4.1)
  • Transfer knowledge and skills to allow end users to effectively and efficiently use the system in support of business processes. (AI4.3 Knowledge Transfer to End Users, CobiT, Version 4.1)
  • Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure. (AI4.4 Knowledge Transfer to Operations and Support Staff, CobiT, Version 4.1)
  • Shopping sites and marketplaces shall educate their users and actively discourage infringing activities. (Best Practices for Marketplace and Shopping Sites ¶ 1, Addressing the Sale of Counterfeits on the Internet)
  • Search engines should continuously educate trademark owners on their policies and procedures for dealing with counterfeiting abuse. (Best Practices for Search Sites ¶ 6, Addressing the Sale of Counterfeits on the Internet)
  • Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements. (OCEG GRC Capability Model, v. 3.0, P4 Education, OCEG GRC Capability Model, v 3.0)
  • Train and educate personnel on the risks of introducing unauthorized wireless devices to the network, and to immediately report if they notice the appearance of any "new" devices in their environment or if a device is missing or stolen. (3.1.1 B, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Train and educate personnel on the risks of introducing unauthorized wireless devices to the network, and to immediately report if they notice the appearance of any 'new' devices in their environment. (3.2.4 F, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Appropriate training must be provided to personnel with security breach response responsibilities. (PCI DSS Requirements § 12.10.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3). (A3.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Upon hire and at least once every 12 months. (12.6.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine information security policies and procedures to verify that PCI DSS and/or information security training is required at least once every 12 months for each role with PCI DSS compliance responsibilities. (A3.1.4.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented results of periodic training of incident response personnel and interview personnel to verify training is performed at the frequency defined in the entity's targeted risk analysis performed for this requirement. (12.10.4.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Have employees completed awareness training and are they aware of the importance of cardholder data security? (PCI DSS Question 12.6.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is appropriate training provided to staff with security breach response responsibilities? (PCI DSS Question 12.10.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Have employees completed awareness training and are they aware of the importance of cardholder data security? (PCI DSS Question 12.6.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is appropriate training provided to staff with security breach response responsibilities? (PCI DSS Question 12.10.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Train users. The solution provider should provide the merchant with implementation instructions and possibly training materials. The implementation instructions and training materials should be understood and completed by any staff operating the payment-acceptance solution. (¶ 6.2.2, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Upon hire and at least once every 12 months. (12.6.3 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Upon hire and at least once every 12 months. (12.6.3 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization's staff should be trained on the fraud risk and security issues associated with Internet transactions and on the Cardholder Information Security Program (CISP). (Pg 21, Pg 60, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. (§ 3 Principle 4 Points of Focus: Attracts, Develops, and Retains Individuals, COSO Internal Control - Integrated Framework (2013))
  • The organization must ensure all personnel assigned business continuity responsibilities have the competence to perform their tasks by determining the necessary competencies; conducting an analysis on personnel training needs; providing the training; ensuring the personnel gain the necessary compete… (§ 3.2.4, BS 25999-2, Business continuity management. Specification, 2007)
  • IT auditors need to be properly trained. The training strategy should develop the auditors' expertise in a broad range of topics. This can be done by ensuring there are different auditors who are subject matter experts for certain technologies. (§ 6.2 (IT Auditor Retention Strategy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must implement an effective privacy program that includes training. (§ 2.2 (Privacy Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Personnel shall be trained in the awareness, detection, avoidance, disposition, and mitigation of suspect, fraudulent, and counterfeit parts. (§ 4.1.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The organization must ensure procedures have been developed, implemented, and maintained to make persons working for or on behalf of the organization aware of significant threats, hazards, and risks, and the related actual or potential effects, that are associated with their work; procedures for inc… (§ 4.4.2 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization must ensure that any person who performs tasks and has the potential to cause, prevent, mitigate, respond to, or be affected by significant threats, hazards, and risks has been trained or has an appropriate education or experience. (§ 4.4.2 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should provide either internal or external training to employees to help them better perform their jobs. Before a strike occurs, non-striking personnel should be trained on threats and confrontations with strikers, and supervisory personnel should receive refresher training on emerg… (Pg 1-I-13, Pg 1-I-A1, Pg 13-I-6, Revised Volume 1 Pg 1-I-9, Revised Volume 2 Pg 1-I-33, Revised Volume 2 Pg 1-I-42, Protection of Assets Manual, ASIS International)
  • Users should be educated in how to protect the confidentiality and integrity of e-mail messages (e.g., by the use of encryption, digital certificates, and digital signatures). (CF.15.01.11, The Standard of Good Practice for Information Security)
  • Users should be educated in how to protect the confidentiality and integrity of instant messages (e.g., by the use of encryption, digital certificates, and digital signatures). (CF.15.02.05, The Standard of Good Practice for Information Security)
  • Development staff should be trained in how to use and follow all aspects of the system development methodology. (CF.17.01.07, The Standard of Good Practice for Information Security)
  • The impact of hazards should be minimized by training staff in the use of fire extinguishers. (CF.19.03.04b-1, The Standard of Good Practice for Information Security)
  • The impact of hazards should be minimized by training staff in the use of emergency / safety equipment. (CF.19.03.04b-2, The Standard of Good Practice for Information Security)
  • The impact of hazards should be minimized by training staff in emergency evacuation procedures. (CF.19.03.04b-3, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering protection against malware, which warn users how to reduce the risk of malware infection. (CF.10.02.01b, The Standard of Good Practice for Information Security)
  • Users should be informed about the ways in which malware can install itself on computing devices. (CF.10.02.02b, The Standard of Good Practice for Information Security)
  • Users should be informed about the prevalence of malware and associated risks (e.g., unauthorized access to critical business applications, corruption of critical business information, or leakage of sensitive information). (CF.10.02.02a, The Standard of Good Practice for Information Security)
  • Users should be informed about the common symptoms of malware (e.g., poor system performance, unexpected application behavior, sudden termination of an application). (CF.10.02.02c, The Standard of Good Practice for Information Security)
  • Users should be notified quickly of significant new malware-related risks (e.g., by e-mail, freeware, or suspicious websites). (CF.10.02.03b, The Standard of Good Practice for Information Security)
  • The risk of malware infection should be reduced by warning users not to try to manually resolve malware problems (absent specialist assistance, such as a help desk). (CF.10.02.04d, The Standard of Good Practice for Information Security)
  • The information security function should represent a 'centre of excellence' for Information Security by developing security skills for staff throughout the organization. (CF.01.02.03b-2, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide staff with the skills they need to assess security requirements. (CF.02.04.01b, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide staff with the skills they need to propose Information Security controls. (CF.02.04.01c, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide staff with the skills they need to ensure that security controls function effectively in the business environments in which they are applied. (CF.02.04.01d, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use computer equipment (including desktop computers, laptops, ultrabooks, tablets and smartphones). (CF.02.04.02b, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use specialist equipment (e.g., scanning devices, bar code readers, data capture appliances, and monitoring equipment). (CF.02.04.02c, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use portable storage media (e.g., compact disks, digital video disks, magnetic tapes, computer disks, and portable storage devices). (CF.02.04.02d, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use networking technologies such as local area networks, Wireless Local Area Networks, Voice over Internet Protocol, Internet, and Bluetooth. (CF.02.04.02e, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use telephony and conferencing equipment, including teleconference and videoconference facilities (e.g., speakers, cameras, and display screens) and online web-based collaboration. (CF.02.04.02f, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use office equipment, including printers, photocopiers, facsimile machines, scanners, and multifunction devices. (CF.02.04.02g, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use access control mechanisms (e.g., passwords, tokens, and biometrics). (CF.02.04.02h, The Standard of Good Practice for Information Security)
  • Education / training given to business users should include guidance on how to protect information, and cover creating and protecting electronic files. (CF.02.04.03a, The Standard of Good Practice for Information Security)
  • Education / training given to business users should include guidance on how to protect information, and cover classifying and labeling information. (CF.02.04.03b, The Standard of Good Practice for Information Security)
  • Education / training given to business users should include guidance on how to protect information, and cover removing unnecessary metadata from electronic documents. (CF.02.04.03c, The Standard of Good Practice for Information Security)
  • Education / training given to business users should include guidance on how to protect information, and cover deleting unwanted information once no longer required. (CF.02.04.03d, The Standard of Good Practice for Information Security)
  • Education / training given to business users should include guidance on how to protect information, and cover separating business and personal information. (CF.02.04.03e, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting business applications (e.g., using templates instead of existing documents to create new electronic documents or using validation routines when d… (CF.02.04.04a, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting equipment (e.g., using file-based encryption to protect electronic files stored on mobile devices, portable storage media, and in transit, and pa… (CF.02.04.04b, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting access control mechanisms (e.g., by physically removing smartcards from the reader when leaving computers unattended). (CF.02.04.04c, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting connectivity (e.g., disabling communication settings, encrypting wireless networks, and using a Virtual Private Network when connecting to the co… (CF.02.04.04d, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting locations in which they work (e.g., locking paper documents away overnight and logging off or locking desktop personal computers and laptops when… (CF.02.04.04e, The Standard of Good Practice for Information Security)
  • Education / training should be provided to enable Information Security specialists to understand the business environment. (CF.02.04.06a, The Standard of Good Practice for Information Security)
  • Education / training should be provided to enable Information Security specialists to run security-related projects. (CF.02.04.06b, The Standard of Good Practice for Information Security)
  • Education / training should be provided to enable Information Security specialists to communicate effectively (e.g., making presentations, facilitating meetings, or influencing management). (CF.02.04.06c, The Standard of Good Practice for Information Security)
  • Education / training should be provided to enable Information Security specialists to perform specialist security activities (e.g., information risk assessment, forensic investigations, and Business Continuity planning). (CF.02.04.06d, The Standard of Good Practice for Information Security)
  • Education / training should include practical recommendations for users to follow, such as adhering to the organization's policy on social networking. (CF.02.04.08a, The Standard of Good Practice for Information Security)
  • Education / training should include practical recommendations for users to follow, such as withholding the elements of the user's personal life that don't need to be made public. (CF.02.04.08c, The Standard of Good Practice for Information Security)
  • Education / training should include practical recommendations for users to follow, such as taking control of personal information (e.g., by resisting the urge to make a blog entry when tired or upset and avoiding publication of work related information on websites). (CF.02.04.08d, The Standard of Good Practice for Information Security)
  • Education / training should include practical recommendations for users to follow, such as being sceptical (e.g., to help detect social engineering attacks). (CF.02.04.08e, The Standard of Good Practice for Information Security)
  • Users of the Public Key Infrastructure should be made aware of the purpose and function of the Public Key Infrastructure. (CF.08.06.08a, The Standard of Good Practice for Information Security)
  • Users of the Public Key Infrastructure should be made aware of how to use the Public Key Infrastructure (e.g., using encryption and digital signatures). (CF.08.06.08c, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by providing Digital Rights Management users with security education / training. (CF.08.08.08a, The Standard of Good Practice for Information Security)
  • Threats relating to money laundering should be mitigated by liaising with external party specialists in money laundering prevention. (CF.11.02.08d, The Standard of Good Practice for Information Security)
  • Staff who work in remote environments should be equipped with the necessary skills to perform required security tasks (e.g., restricting access, performing backups, and encrypting key files). (CF.14.01.02b, The Standard of Good Practice for Information Security)
  • Critical spreadsheets should be supported by documented standards / procedures, which cover training of individuals that use spreadsheets. (CF.13.02.01a, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical spreadsheets should be trained in how to use them effectively. (CF.13.02.02a, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical spreadsheets should be trained in how to protect the information they store and process. (CF.13.02.02b, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical spreadsheets should be trained in how to develop security-related functionality (e.g., when writing macros, conducting error checking, and performing calculations in cells). (CF.13.02.02c, The Standard of Good Practice for Information Security)
  • Critical databases should be supported by documented standards / procedures, which cover training of individuals that use databases. (CF.13.03.01a, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical databases should be trained in how to use them effectively. (CF.13.03.02a, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical databases should be trained in how to protect the information they store and process. (CF.13.03.02b, The Standard of Good Practice for Information Security)
  • Individuals that use and develop critical databases should be trained in how to develop required functionality securely. (CF.13.03.02c, The Standard of Good Practice for Information Security)
  • The information security function should be adequately resourced in terms of security tools or techniques (e.g., information risk assessment methodologies, forensic investigation software, and an enterprise-wide security architecture). (CF.01.02.07c, The Standard of Good Practice for Information Security)
  • Users should be educated in how to protect the confidentiality and integrity of e-mail messages (e.g., by the use of encryption, digital certificates, and digital signatures). (CF.15.01.11, The Standard of Good Practice for Information Security, 2013)
  • Users should be educated in how to protect the confidentiality and integrity of instant messages (e.g., by the use of encryption, digital certificates, and digital signatures). (CF.15.02.05, The Standard of Good Practice for Information Security, 2013)
  • Development staff should be trained in how to use and follow all aspects of the system development methodology. (CF.17.01.07, The Standard of Good Practice for Information Security, 2013)
  • The impact of hazards should be minimized by training staff in the use of fire extinguishers. (CF.19.03.04b-1, The Standard of Good Practice for Information Security, 2013)
  • The impact of hazards should be minimized by training staff in the use of emergency / safety equipment. (CF.19.03.04b-2, The Standard of Good Practice for Information Security, 2013)
  • The impact of hazards should be minimized by training staff in emergency evacuation procedures. (CF.19.03.04b-3, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering protection against malware, which warn users how to reduce the risk of malware infection. (CF.10.02.01b, The Standard of Good Practice for Information Security, 2013)
  • Users should be informed about the ways in which malware can install itself on computing devices. (CF.10.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Users should be informed about the prevalence of malware and associated risks (e.g., unauthorized access to critical business applications, corruption of critical business information, or leakage of sensitive information). (CF.10.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Users should be informed about the common symptoms of malware (e.g., poor system performance, unexpected application behavior, sudden termination of an application). (CF.10.02.02c, The Standard of Good Practice for Information Security, 2013)
  • Users should be notified quickly of significant new malware-related risks (e.g., by e-mail, freeware, or suspicious websites). (CF.10.02.03b, The Standard of Good Practice for Information Security, 2013)
  • The risk of malware infection should be reduced by warning users not to try to manually resolve malware problems (absent specialist assistance, such as a help desk). (CF.10.02.04d, The Standard of Good Practice for Information Security, 2013)
  • The information security function should represent a 'centre of excellence' for Information Security by developing security skills for staff throughout the organization. (CF.01.02.03b-2, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide staff with the skills they need to assess security requirements. (CF.02.04.01b, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide staff with the skills they need to propose Information Security controls. (CF.02.04.01c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide staff with the skills they need to ensure that security controls function effectively in the business environments in which they are applied. (CF.02.04.01d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use computer equipment (including desktop computers, laptops, ultrabooks, tablets and smartphones). (CF.02.04.02b, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use specialist equipment (e.g., scanning devices, bar code readers, data capture appliances, and monitoring equipment). (CF.02.04.02c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use portable storage media (e.g., compact disks, digital video disks, magnetic tapes, computer disks, and portable storage devices). (CF.02.04.02d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use networking technologies such as local area networks, Wireless Local Area Networks, Voice over Internet Protocol, Internet, and Bluetooth. (CF.02.04.02e, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use telephony and conferencing equipment, including teleconference and videoconference facilities (e.g., speakers, cameras, and display screens) and online web-based collaboration. (CF.02.04.02f, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use office equipment, including printers, photocopiers, facsimile machines, scanners, and multifunction devices. (CF.02.04.02g, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to correctly use access control mechanisms (e.g., passwords, tokens, and biometrics). (CF.02.04.02h, The Standard of Good Practice for Information Security, 2013)
  • Education / training given to business users should include guidance on how to protect information, and cover creating and protecting electronic files. (CF.02.04.03a, The Standard of Good Practice for Information Security, 2013)
  • Education / training given to business users should include guidance on how to protect information, and cover classifying and labeling information. (CF.02.04.03b, The Standard of Good Practice for Information Security, 2013)
  • Education / training given to business users should include guidance on how to protect information, and cover removing unnecessary metadata from electronic documents. (CF.02.04.03c, The Standard of Good Practice for Information Security, 2013)
  • Education / training given to business users should include guidance on how to protect information, and cover deleting unwanted information once no longer required. (CF.02.04.03d, The Standard of Good Practice for Information Security, 2013)
  • Education / training given to business users should include guidance on how to protect information, and cover separating business and personal information. (CF.02.04.03e, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting business applications (e.g., using templates instead of existing documents to create new electronic documents or using validation routines when d… (CF.02.04.04a, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting equipment (e.g., using file-based encryption to protect electronic files stored on mobile devices, portable storage media, and in transit, and pa… (CF.02.04.04b, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting access control mechanisms (e.g., by physically removing smartcards from the reader when leaving computers unattended). (CF.02.04.04c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting connectivity (e.g., disabling communication settings, encrypting wireless networks, and using a Virtual Private Network when connecting to the co… (CF.02.04.04d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide business users with the skills they need to apply Information Security controls associated with protecting locations in which they work (e.g., locking paper documents away overnight and logging off or locking desktop personal computers and laptops when… (CF.02.04.04e, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be provided to enable Information Security specialists to understand the business environment. (CF.02.04.06a, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be provided to enable Information Security specialists to run security-related projects. (CF.02.04.06b, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be provided to enable Information Security specialists to communicate effectively (e.g., making presentations, facilitating meetings, or influencing management). (CF.02.04.06c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be provided to enable Information Security specialists to perform specialist security activities (e.g., information risk assessment, forensic investigations, and Business Continuity planning). (CF.02.04.06d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should include practical recommendations for users to follow, such as adhering to the organization's policy on social networking. (CF.02.04.08a, The Standard of Good Practice for Information Security, 2013)
  • Education / training should include practical recommendations for users to follow, such as withholding the elements of the user's personal life that don't need to be made public. (CF.02.04.08c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should include practical recommendations for users to follow, such as taking control of personal information (e.g., by resisting the urge to make a blog entry when tired or upset and avoiding publication of work related information on websites). (CF.02.04.08d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should include practical recommendations for users to follow, such as being sceptical (e.g., to help detect social engineering attacks). (CF.02.04.08e, The Standard of Good Practice for Information Security, 2013)
  • Users of the Public Key Infrastructure should be made aware of the purpose and function of the Public Key Infrastructure. (CF.08.06.08a, The Standard of Good Practice for Information Security, 2013)
  • Users of the Public Key Infrastructure should be made aware of how to use the Public Key Infrastructure (e.g., using encryption and digital signatures). (CF.08.06.08c, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by providing Digital Rights Management users with security education / training. (CF.08.08.08a, The Standard of Good Practice for Information Security, 2013)
  • Threats relating to money laundering should be mitigated by liaising with external party specialists in money laundering prevention. (CF.11.02.08d, The Standard of Good Practice for Information Security, 2013)
  • Staff who work in remote environments should be equipped with the necessary skills to perform required security tasks (e.g., restricting access, performing backups, and encrypting key files). (CF.14.01.02b, The Standard of Good Practice for Information Security, 2013)
  • Critical spreadsheets should be supported by documented standards / procedures, which cover training of individuals that use spreadsheets. (CF.13.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical spreadsheets should be trained in how to use them effectively. (CF.13.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical spreadsheets should be trained in how to protect the information they store and process. (CF.13.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical spreadsheets should be trained in how to develop security-related functionality (e.g., when writing macros, conducting error checking, and performing calculations in cells). (CF.13.02.02c, The Standard of Good Practice for Information Security, 2013)
  • Critical databases should be supported by documented standards / procedures, which cover training of individuals that use databases. (CF.13.03.01a, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical databases should be trained in how to use them effectively. (CF.13.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical databases should be trained in how to protect the information they store and process. (CF.13.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Individuals that use and develop critical databases should be trained in how to develop required functionality securely. (CF.13.03.02c, The Standard of Good Practice for Information Security, 2013)
  • The information security function should be adequately resourced in terms of security tools or techniques (e.g., information risk assessment methodologies, forensic investigation software, and an enterprise-wide security architecture). (CF.01.02.07c, The Standard of Good Practice for Information Security, 2013)
  • System and network administrators, along with all individuals who have direct responsibility for system operations and security, should upgrade their skills and get certified. This is necessary because many vulnerabilities are never removed because these personnel do not know what to do about the vu… (Action 1.1.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online tr… (Control 17.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques,… (Control 17.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should verify that software development personnel are trained in writing secure code. (Critical Control 6.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should train key personnel on the backup process and the restoration process. (Critical Control 8.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce… (BCR-11, Cloud Controls Matrix, v3.0)
  • Contractors, employees and third party users shall be made aware of their responsibility to report all Information Security events in a timely manner. (IS-23, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Deliver training to address the skills gap identified to positively impact workforce members' security behavior. (CIS Control 17: Sub-Control 17.2 Deliver Training to Fill the Skills Gap, CIS Controls, 7.1)
  • Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous … (CIS Control 17: Sub-Control 17.3 Implement a Security Awareness Program, CIS Controls, 7.1)
  • Deliver training to address the skills gap identified to positively impact workforce members' security behavior. (CIS Control 17: Sub-Control 17.2 Deliver Training to Fill the Skills Gap, CIS Controls, V7)
  • Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous … (CIS Control 17: Sub-Control 17.3 Implement a Security Awareness Program, CIS Controls, V7)
  • All parties involved in the integration process shall receive training to meet the requirements of the authentication solution provider and the authentication solution specifier. (§ 4.3.3.4, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • Security Training. Specific security training is required for personnel with tasks and responsibilities related to IT security; this is in addition to the general security awareness program. The degree of depth of security training should be dependent on the overall importance IT security has for th… (¶ 10.3, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • § 6.2.2(b): The organization shall provide personnel training. § 6.4: The organization shall ensure all personnel required to work under special conditions are trained or supervised. (§ 6.2.2(b), § 6.4(c), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. (§ 7.2 ¶ 1 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • define required competence and adequate training; (§ 6.6 ¶ 1 Bullet 6, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • Persons assigned a role related to the EMS must be competent to perform that role. This includes employees and contractors whose work can affect the organization's environmental performance or compliance obligations. An organization should determine the necessary competence for such a specific role … (§ 5.7 ¶ 3, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The organization shall provide skill development training to all personnel. (§ 6.2.4.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall confirm that the operators have received the appropriate range and level of competence during training. (§ 6.4.4.3(b)(1)(iii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • (§ 11, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • All personnel with responsibility for records must receive the appropriate training. (§ 6.3 ¶ 1, ISO 15489-2:2001, Information and Documentation: Records management: Part 2: Guidelines)
  • audit experience acquired under the supervision of an auditor competent in the same discipline. (§ 7.2.4 ¶ 1(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • education/training and experience in a specific management system discipline and sector that contribute to the development of overall competence; (§ 7.2.4 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • experience in a relevant technical, managerial or professional position involving the exercise of judgement, decision making, problem solving and communication with managers, professionals, peers, customers and other relevant interested parties; (§ 7.2.4 ¶ 1(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • successfully completing training programmes that cover generic auditor knowledge and skills; (§ 7.2.4 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • participate in training in accordance with the compliance management system; (§ 5.3.6 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; (§ 7.2.1 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The service provider shall provide training, as necessary, to achieve the necessary competence. (§ 4.4.2 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and (§ 7.2 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (§ 7.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization and service providers should ensure all staff are appropriately trained and training records are kept. New staff should get introductory training when they join the organization and specific staff members should receive advanced training to help them prepare to carry out their key t… (§ 5.9.5, § 5.9.6, § 6.3.9(c), § 6.3.9(d), § 6.4.6, § 7.5.8(d), § 7.5.8(e), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • External parties that are involved in outsourcing, including subcontractors, should be made aware of their responsibilities and liabilities for supporting service provider services. This can be accomplished by the service provider providing periodic briefings for all outsourced vendors. Organization… (§ 5.6.2, § 5.9.1, § 5.9.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and (§ 7.2 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (A.7.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The security awareness training program should be relevant to the person's responsibilities and skills. Training should be an ongoing process. It should include who to contact for security advice, how to report a security incident, and information on known threats. (§ 8.2.2, ISO 27002 Code of practice for information security management, 2005)
  • A formal training session should be included to introduce personnel to the security policies and expectations before they are granted access to information. (§ 8.2.2, ISO 27002 Code of practice for information security management, 2005)
  • developing personnel awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.3 ¶ 1 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • participate in training as required. (§ 5.3.4 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. (§ 7.2.1 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • This knowledge shall be maintained and be made available to the extent necessary. (7.1.6 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (7.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • participate in training as required. (§ 5.3.4 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • developing personnel awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.3 ¶ 1 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (Section 7.2 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; (§ 7.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and (§ 7.2 ¶ 1 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (§ 7.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • ensure that the competence evolves over time as necessary and that it meets expectations. (§ 7.2 Guidance ¶ 1(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: – standards and procedures f… (§ 7.2.2 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Education and training. Everyone involved in all stages of the use of AI should receive adequate training to ensure that they acquire and deploy the requisite skills. (§ 6.7.5 ¶ 3 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The organization should take steps ahead of time to coordinate with and prepare records management personnel, Information Technology staff, managers, and users for the potential demands of litigation. (Comment 5.b ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The organization should provide training on the organizational policies and procedures for preserving and producing potentially relevant Electronically Stored Information and the processes for identifying, locating, preserving, retrieving, and producing information that may be relevant or required f… (Comment 5.b ¶ 2, The Sedona Principles Addressing Electronic Document Production)
  • Identify, train, and designate spokespeople (Pillar 1 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. (CC1.4 ¶ 3 Bullet 3 Attracts, Develops, and Retains Individuals, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 ¶ 4 Bullet 3 Provides Training to Maintain Technical Competencies, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • training staff and communicating to staff information about the organization's policies and practices; and (Schedule 1 4.1.4(c), Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Mentor: Provide guidance on the individual's performance regarding standards of conduct and competence, align the individual's skills and expertise with the entity's strategy and business objectives, and help the individual to adapt to an evolving business context. (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Train: Enable individuals to develop and maintain enterprise risk management competencies appropriate for assigned roles and responsibilities, reinforce standards of conduct and desired levels of competence, tailor training to specific needs, and consider a mix of delivery techniques, including clas… (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • All users are informed and trained. (PR.AT-1, CRI Profile, v1.2)
  • The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. (Awareness and Training (PR.AT), CRI Profile, v1.2)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Competence is derived from a synthesis of education and experience. It begins with a mastery of the common body of knowledge required for designation as a certified public accountant. The maintenance of competence requires a commitment to learning and professional improvement that must continue thro… (0.300.060.03, AICPA Code of Professional Conduct, August 31, 2016)
  • § V.B.7 Instill awareness and train employees on the proper handling of personal information. § VI.C Organizational staff who are responsible for implementing the Program shall be trained in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. (§ V.B.7, § VI.C, AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009)
  • The organization should ensure all personnel who protect the privacy and security of personal information receive training related to privacy and security matters. (ID 1.2.6, AICPA/CICA Privacy Framework)
  • The entity's security policies include providing training and other resources to support the system security policies. (Security Prin. and Criteria Table § 1.2 k, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include providing training and other resources to support the system availability and related security policies. (Availability Prin. and Criteria Table § 1.2 k, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include providing training and other resources to support the system processing integrity and related security policies. (Processing Integrity Prin. and Criteria Table § 1.2 k, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include providing training and other resources to support the system confidentiality and related security policies. (Confidentiality Prin. and Criteria Table § 1.2 k, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Training should be an ongoing process to help employees keep pace with evolving environments. (Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The organization should provide privacy training and awareness to all personnel who are responsible for implementing or initiating new systems and changes, and the users of new or revised applications and processes. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Employees should be trained to authenticate an individual's identity before granting access to personal information. (Table Ref 6.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Employees should be trained to authenticate an individual's identity before granting a request to change sensitive information or personal information. (Table Ref 6.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 Provides Training to Maintain Technical Competencies, Trust Services Criteria)
  • The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. (CC1.4 Attracts, Develops, and Retains Individuals, Trust Services Criteria)
  • The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. (CC1.4 ¶ 3 Bullet 3 Attracts, Develops, and Retains Individuals, Trust Services Criteria, (includes March 2020 updates))
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 ¶ 4 Bullet 3 Provides Training to Maintain Technical Competencies, Trust Services Criteria, (includes March 2020 updates))
  • Trains staff, as appropriate, to implement the licensee's information security program; and (Section 7 ¶ 1.B., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Training and educational curriculum must be developed and implemented by the organization to support the disaster/emergency management and business continuity programs (referred to as the program). The training objective is to create awareness and enhance the skills necessary to create, implement, m… (§ 5.13, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • A Member's ISSP should contain a description of the Member's ongoing education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment and be appropriate to the security … (Information Security Program Bullet 5 Employee Training ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • All NITC members shall coordinate Technical Surveillance Countermeasure training programs. (§ D.4.b, Intelligence Community Directive Number 702, Technical Surveillance Countermeasures)
  • Senior Officials of the Intelligence Community shall ensure Technical Surveillance Countermeasure personnel receive standardized training. (§ E.3.e, Intelligence Community Directive Number 702, Technical Surveillance Countermeasures)
  • The organization should develop and provide training on the proper measures for addressing counterfeiting. (§ 2 Item 10, Overarching DoD Counterfeit Prevention Guidance, Memorandum for Secretaries of the Military Departments, Directors of the Defense Agencies)
  • Users should be briefed on how to safeguard passwords, told not to disclose their passwords, and told to notify the Information Systems Security Officer about any password misuses or other dangerous practices. Any user who accesses the information system should be required to attend security awarene… (§ 2-15.g, § 2-16.a, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 2.2 ¶ 3: CMS business partners should encourage systems security personnel to pursue security accreditation. § 2.2 ¶ 5: The primary system security officer should earn at least 40 hours of continuing professional education credits every year. (§ 2.2 ¶ 3, § 2.2 ¶ 5, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.1.2: Before access is granted to CMS sensitive data or information, the organization must provide security awareness and training to all information system users, including senior executives, managers, employees, and contractors. Security awareness training must be accomplished annually, at a … (CSR 1.1.2, CSR 1.1.7, CSR 3.2.1, CSR 3.2.2, CSR 5.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must provide security training to employees when they are hired or promoted and the training must be customized or adjusted based on their roles and responsibilities. (CSR 1.1.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Train staff to implement the bank holding company's information security program. (§ III.C(2), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Train staff, as necessary, to effectively implement the Program; and (§ 248.201 (e)(3), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Departments and agencies which plan, implement, and manage Technical Surveillance Countermeasure programs shall train personnel in Technical Surveillance Countermeasure techniques. (§ 149.2(a)(3), 32 CFR Part 149, Policy of Technical Surveillance Countermeasures)
  • All Airport Security Coordinators (ASCs) must have completed the appropriate training before assuming the duties of the position. Individuals must be properly trained before being granted unescorted access to secured areas. (§ 1542.3, § 1542.213, 49 CFR Part 1542, Airport Security)
  • Personnel should be trained in the Bank Secrecy Act (BSA) requirements and the organization's BSA compliance and anti-money laundering policies and procedures. The training should be ongoing and cover any changes in the BSA and the consequences of not complying with the policies and procedures. (Pg 6, Pg 7, Pg 86, Obj 3 (Personnel), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The Director of the Office of Management and Budget will monitor the development and implementation of the information resources management training program for all executive agency personnel. (§ 5112(i), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The agency head must ensure personnel are sufficiently trained to assist the agency in complying with the requirements of Title 44, Chapter 35, Subchapter III and all related policies, procedures, standards, and guidelines. Each agency must implement security awareness training to train personnel, i… (§ 3544(a)(4), § 3544(b)(4), Federal Information Security Management Act of 2002, Deprecated)
  • ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; (§ 3554(a)(4), Federal Information Security Modernization Act of 2014)
  • Steps must be taken by the business entity to ensure employee training and supervision for the implementation of the data security program. (§ 302(b), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The information assurance manager must ensure that all System Administrators have been trained on how to administer and implement Public Key Infrastructure and public key encryption. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • Users must be trained on the password policies and requirements. (§ 3.4.3 ¶ AC34.170, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must verify that all users are trained on the proper security procedures and handling procedures for Department of Defense-issued hardware tokens. (§ 3.4.4 ¶ AC34.210, DISA Access Control STIG, Version 2, Release 3)
  • The security manager must ensure users are trained on the requirement for changing Personal Identification Numbers and combinations. (§ 3.5.5 ¶ AC35.010, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must ensure the enrollment administrator has received training on the use of the biometric software and capture device to obtain an acceptable user template; the User Identification and authorization requirements; and how to identify when a template is unacceptable … (§ 4.3.2 ¶ BIO3030, DISA Access Control STIG, Version 2, Release 3)
  • Remote users must be trained in how to use a VPN client to access a DoD network or resource. (§ 5.7, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • All System Administrators should be properly trained in how to perform their daily tasks as System Administrators. (§ 3.2, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • All Administrators should be properly trained before conducting their administrator duties. (§ 3.1 (1.006), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • All System Administrators should be properly trained on how to perform their Administration duties. (§ 3.2, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Verify users are trained on the appropriate security procedures for bringing or not bringing wireless devices into the SCIF. (§ 2 (WIR0180), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Wireless PEDs should not be permitted in Sensitive Compartmented Information Facilities (SCIFs), unless they have been approved in accordance with Director Central Intelligence Directive (DCID) 6/9 or 6/3. (§ 2.1 (WIR0180), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Before a user is issued a Windows Mobile device, he/she should be trained on: the requirement that personally owned PEDs (Portable Electronic Devices) cannot be used to process, transmit, receive, or store official information, unless approved; the requirement that the user will sign a forfeiture ag… (§ 2.2 (WIR3050), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • Before a user is issued a Windows Mobile device, he/she should be trained on: the requirement that personally owned PEDs (Portable Electronic Devices) cannot be used to process, transmit, receive, or store official information, unless approved; the requirement that the user will sign a forfeiture ag… (§ 2.2 (WIR2050), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5, Release 2.4)
  • The organization must provide employees with anti-counterfeit education and training. (§ 3.i, DoD Instruction 4140.67, DoD Counterfeit Prevention Policy)
  • All DoD Technical Surveillance Countermeasure agents shall receive technical surveillance countermeasures training at approved training facilities. (§ 5.8.2, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • The organization must train personnel on the use of the vulnerability assessment tools. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Information Assurance training must include familiarization with roles in related plans, such as Disaster Recovery, Incident Response, and Configuration Management. (PRTN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must provide initial training, refresher training, and debriefings to all cleared employees. The Facility Security Officer (FSO) must complete security training within 1 year of being assigned as the FSO. The FSO must ensure that all employees who can make derivative classification … (§ 1-201, § 1-205, § 3-102, § 4-102, § 9-302.g, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The cognizant security authority must provide the initial security briefings to the Facility Security Officer. Employees must undergo an initial security briefing prior to being granted classified access. The briefing includes threat awareness, a security classification overview, reporting requireme… (§ 3-103, § 3-106, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Technical Surveillance Countermeasure personnel shall receive Technical Surveillance Countermeasure training at approved facilities. (§ 10.b, SECNAV Instruction 3850.4, Technical Surveillance Countermeasures (TSCM) Program)
  • A medical device manufacturer shall establish procedures to identify training needs and ensure personnel are trained for their assigned responsibilities. All training shall be documented. (§ 820.25(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • All employees must be trained on the policies and procedures for protecting health information as required by their job function. (§ 164.530(b)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A new employee must receive training within a reasonable time period. (§ 164.530(b)(2)(i)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Train all affected parties who take part in policies and procedures regarding the transmission, storage, processing, or disclosure of Individually Identifiable Health Information. (§ 164.530(b)(2)(i)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: (§ 164.530(b)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The facility must ensure all employees have proper security training and participate in drills and exercises. (§ 27.230(a)(11), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The organization should ensure a training program is in place for critical DIB asset owners/operators who do not have a security program. (§ 6.1.1 Table 6-2 Goal 6, Defense Industrial Base Information Assurance Standard)
  • The National Strategy to Secure Cyberspace specifically calls for a "cybersecurity" awareness program. (§ III, The National Strategy to Secure Cyberspace, February 2003)
  • Agencies that maintain a system of records shall train all persons on rules and requirements for conduct, including, but not limited to, other rules and procedures and on the penalties for noncompliance. (§ 552a(e)(9), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • The Federal Bureau of Investigation Criminal Justice Information Services Division Information Security Officer shall develop and participate in the information security training programs for Information Security Officers and provide a feedback mechanism to measure the success and effectiveness of t… (§ 3.2.10(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignm… (§ 3.2.7 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignm… (§ 3.2.7 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Annual information security training is provided. (Domain 1: Assessment Factor: Training and Culture, TRAINING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Provision of training to employees on approved solutions. (App A Objective 11:1e Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Updates the related policy or procedures or provides additional training. (App A Objective 13:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Training staff to operate and maintain the entity's equipment and systems. (App A Objective 14:1f Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintains appropriate mainframe security expertise. (App A Objective 13:6h Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Training to prepare staff for their short- and long-term security responsibilities. (App A Objective 2.9.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Backup personnel are identified and trained. (App A Objective 5:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Trained personnel; and (TIER II OBJECTIVES AND PROCEDURES D.2. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Audit management should ensure all audit staff members are trained appropriately and should develop a continuing education program. (Pg 9, Exam Tier II Obj D.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crises management (responsibility for disaster declaration and deal… (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Management should establish a training program to ensure employees can use the application after it has been implemented. (Pg 21, FFIEC IT Examination Handbook - Development and Acquisition)
  • All personnel should be trained on the technology they use for their jobs and the organization's rules for using that technology. (Pg 30, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should develop a training program to ensure all employees maintain their expertise and skills. (Pg 12, FFIEC IT Examination Handbook - Management)
  • The organization should conduct training and awareness programs for new personnel to help promote understanding and awareness of the organization's policies. (Pg 27, FFIEC IT Examination Handbook - Management)
  • Training should be an ongoing process to ensure all personnel remain knowledgeable in their skills. (Pg 5, Pg 32, Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether the institution has taken steps to ensure that originators are properly educated about their obligations for handling ARC and POP source documentation and all other NACHA rules. (App A Tier 1 Objectives and Procedures Objective 8:7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Staff should be trained appropriately to ensure the operational reliability of daily tasks. (Pg 36, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should assess the risks associated with employee training. (§ 314.4(b)(1), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment; (§ 314.4 ¶ 1(e)(1), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Financial institutions or creditors that are required to implement an Identity Theft Prevention Program must ensure all necessary staff members are trained to effectively implement the Program. (§ 41.90(e)(3), § 222.90(e)(3), § 334.90(e)(3), § 571.90(e)(3), § 681.2(e)(3), § 717.90(e)(3), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • (SP-3.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., FedRAMP Security Controls High Baseline, Version 5)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., FedRAMP Security Controls High Baseline, Version 5)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., FedRAMP Security Controls Low Baseline, Version 5)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., FedRAMP Security Controls Low Baseline, Version 5)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Personnel must be trained about the threat of technical surveillance. (§ 12.a, Marine Corps Order 5511.11D; Technical Surveillance Countermeasures (TSCM) Program)
  • Provide training for appropriate personnel. (§ 748.2 (c)(4), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Train staff to implement the credit union's information security program. (§ 748 Appendix A. III.C.2., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Do staff members receive training to comply with the information security program? (IT - 748 Compliance Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the audit staff receive adequate Information Technology training? (IT - Audit Program Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the staff trained to add custom signatures to the Intrusion Detection System? (IT - IDS IPS Q 32, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has training been furnished to the individuals that are responsible for router maintenance or router support? (IT - Routers Q 16, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Provide the appropriate level of security training. (§ 4.3.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • § 4.3.3 Bullet 2: Ensure that the hiring process incorporates the necessary knowledge, skills, and abilities to fulfill each role that involves accessing and using ePHI. § 4.9.2 Bullet 5: Identify any required training associated with the Business Associate Agreement or arrangement. (§ 4.3.3 Bullet 2, § 4.9.2 Bullet 5, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • AI capabilities, targeted usage, goals, and expected benefits and costs compared with appropriate benchmarks are understood. (MAP 3, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • The IT staff should be trained to maintain the systems, networks, and applications in accordance with the security standards. (§ 3.1.2 ¶ 3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP SHALL require operators to have undergone a training program to detect potential fraud and to properly perform a supervised remote proofing session. (5.3.3.2 ¶ 2.5, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the se… (§ 3 Awareness and Training (AT), FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • All users are informed and trained (PR.AT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • All users are informed and trained (PR.AT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • All users are informed and trained. (PR.AT-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.8, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure security awareness and training policies and procedures are documented, reviewed, and updated; personnel with security roles are properly trained; initial and refresher training is provided according to the organization's defined freq… (AT-1, AT-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizational records and documents should be examined to ensure new employees are initially trained prior to being granted access to the system. (AT-2.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Bluetooth users should be made aware of the responsibilities associated with using Bluetooth devices, such as measures to take to protect the Bluetooth device from theft, turning off the device when not in use, and performing device pairing in a physically secure area and as infrequently as possible… (Pg ES-2, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • For the ICS environment, this must include control system-specific information security awareness and training for specific ICS applications. In addition, an organization must identify, document, and train all personnel having significant ICS roles and responsibilities. Awareness and training must c… (§ 6.2.2 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should ensure all IEEE 802.11 users are properly trained on the secure use of the wireless network. Network administrators should be fully aware of the security risks that WLANs and wireless devices pose. They should ensure security policy compliance and be aware of the steps to tak… (§ 6.2 Par 5, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Users of organizationally owned mobile devices should be trained on procedures to follow and precautions to take when using the device. (§ 4.1, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Develop and deliver technical training to educate others or meet customer needs. (T0315, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide subject matter expertise to the development of cyber operations specific indicators. (T0585, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assist and advise interagency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives. (T0581, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide expertise to course of action development. (T0582, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide enterprise cybersecurity and supply chain risk management guidance. (T0525, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide subject-matter expertise and support to planning/developmental forums and working groups as appropriate. (T0761, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide subject matter expertise to development of exercises. (T0765, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide subject matter expertise to website characterizations. (T0771, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct on-going privacy training and awareness activities (T0882, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values. (Awareness and Training (GV.AT-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Individuals who have been granted access to personally identifiable information should receive appropriate training and, where applicable, specific role-based training. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Training for personnel with contingency plan responsibilities should focus on familiarizing them with ISCP roles and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training … (§ 3.5.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must train authorized individuals to verify that nonpublic information is not contained in the publicly accessible information. (SG.AC-20 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must provide all smart grid Information System users with basic security awareness briefings on a defined frequency. (SG.AT-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must provide users with security-related training before access is authorized to the smart grid Information System or performing their assigned duties. (SG.AT-3 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must include training in the planning process for implementing the security plans. (SG.AT-7 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must train incident response personnel on their roles and responsibilities. (SG.IR-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish and implement role-based security training to all Information System users prior to initial system access. (App F § AT-3(i), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and implement role-based security training when required by system changes. (App F § AT-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must train authorized individuals on how to ensure publicly accessible information does not include nonpublic information. (App F § AC-22.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and implement role-based security training to all Information System users when required by system changes. (App F § AT-3(ii), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should clear and indoctrinate every user who accesses a system that processes, stores, or transmits classified information to the highest classification level of the information on the system. (App F § PS-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should verify every user who accesses a system that processes, stores, or transmits classified information which requires formal indoctrination is formally indoctrinated for all relevant types of information on the system. (App F § PS-3(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide enterprise cybersecurity and supply chain risk management guidance. (T0525, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide subject-matter expertise and support to planning/developmental forums and working groups as appropriate. (T0761, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide subject matter expertise to development of exercises. (T0765, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide subject matter expertise to website characterizations. (T0771, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and deliver technical training to educate others or meet customer needs. (T0315, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide subject matter expertise to the development of cyber operations specific indicators. (T0585, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide expertise to course of action development. (T0582, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assist and advise interagency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives. (T0581, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. (PS-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization trains {organizationally documented personnel} to detect counterfeit information system components (including hardware, software, and firmware). (SA-19(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization trains {organizationally documented roles} to detect counterfeit information system components (including hardware, software, and firmware). (SA-19(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes an information security workforce development and improvement program. (PM-13, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII. (UL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. (PS-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware). (SA-19(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequenc… (AR-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. (PS-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. (PS-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). (SR-11(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (AT-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware). (SA-19(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Users should be trained on a regular basis on the requirements for removing information from media. Users who perform or verify the purging, clearing, and destroying of media should be trained on the equipment, techniques, and procedures for doing such. (§ 6.b(1), US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007)
  • Train staff to implement the national bank's or Federal savings association's information security program. (§ III. C. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may als… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 3, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Security screeners may not use any screening equipment, unless they have been specifically trained on it and have passed a test on its operation. (§ 111(a), Aviation and Transportation Security Act, Public Law 107-71, November 2001)
  • Ensure that all persons requiring access to the organization's pipeline cyber assets receive cybersecurity awareness training. (Table 2: Awareness and Training Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • The organization should provide either internal or external training to employees to help them better perform their jobs. Before a strike occurs, non-striking personnel should be trained on threats and confrontations with strikers, and supervisory personnel should receive refresher training on emerg… (§ 44935(c), § 44935(d), § 44935(g), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • The minimum employment standards must include initial training and retraining requirements. (§ 44935(a), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • All users shall be trained in security responsibilities before gaining access to the system. The training shall ensure users know the rules of the system, be in accordance with National Institute of Standards and Technology (NIST) and U.S. Office of Personnel Management (OPM) requirements, and notif… (§ A.3.a.2.b, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., TX-RAMP Security Controls Baseline Level 1)
  • Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (AC-22b., TX-RAMP Security Controls Baseline Level 2)