Establish, implement, and maintain training plans.

CONTROL ID
00828
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Train all personnel and third parties, as necessary., CC ID: 00785

This Control has the following implementation support Control(s):
  • Train personnel to recognize conditions of diseases or sicknesses, as necessary., CC ID: 14383
  • Develop or acquire content to update the training plans., CC ID: 12867
  • Designate training facilities in the training plan., CC ID: 16200
  • Include portions of the visitor control program in the training plan., CC ID: 13287
  • Include ethical culture in the training plan, as necessary., CC ID: 12801
  • Include in scope external requirements in the training plan, as necessary., CC ID: 13041
  • Include duties and responsibilities in the training plan, as necessary., CC ID: 12800
  • Include risk management in the training plan, as necessary., CC ID: 13040
  • Conduct Archives and Records Management training., CC ID: 00975
  • Conduct personal data processing training., CC ID: 13757
  • Include the cloud service usage standard in the training plan., CC ID: 13039
  • Establish, implement, and maintain a security awareness program., CC ID: 11746
  • Establish, implement, and maintain an environmental management system awareness program., CC ID: 15200
  • Conduct secure coding and development training for developers., CC ID: 06822
  • Conduct tampering prevention training., CC ID: 11875
  • Train interested personnel and affected parties to collect digital forensic evidence., CC ID: 08658
  • Conduct crime prevention training., CC ID: 06350


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Educational training plans and curriculums must be developed and updated in accordance with the human resource management policies. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. (App 2-1 Item Number VI.4.3(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should define the extent and content of the training, responsible personnel, required time, and other parameters. (O82.1(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For normal computer system operations (including the case where an automated operations method is adopted), it is necessary to conduct education and training on operations whenever there are new staff assignments, new equipment installations, software changes, and upon other opportunities, in order … (P31.2. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is acknowledged that the human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme. The programme may be periodically updated keeping in view changes in information security, thre… (Critical components of information security 9) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Keep ICT security awareness training for employees updated and conduct such training regularly. (Annex A1: Security Awareness 13, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The information security awareness and training program should include the purpose of the Awareness and Training program. (Control: 0922 Bullet 1, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include security appointments and contact names. (Control: 0922 Bullet 2, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the legitimate uses of software, system accounts, and information. (Control: 0922 Bullet 3, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include account security, including shared passwords. (Control: 0922 Bullet 4, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the security risks of exposing e-mail addresses and other personal details unnecessarily. (Control: 0922 Bullet 5, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the authorization requirements for applications, data, and databases. (Control: 0922 Bullet 6, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the security risks of the Internet and other non-agency systems. (Control: 0922 Bullet 7, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the reporting of suspected anomalies or suspected compromises. (Control: 0922 Bullet 8, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include the reporting requirements for suspected compromises, cyber security incidents, and suspected anomalies. (Control: 0922 Bullet 9, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include classifying, controlling, marking, sanitizing, and storing media. (Control: 0922 Bullet 10, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include protecting workstations from unauthorized access. (Control: 0922 Bullet 11, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include notifying the support section whenever system access is no longer needed. (Control: 0922 Bullet 12, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include observing the rules and regulations that govern the authorized use and secure operation of the systems. (Control: 0922 Bullet 13, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to physically damage the systems. (Control: 0255 Bullet 1, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to strain, bypass, or test the system security measures. (Control: 0255 Bullet 2, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to use or introduce unauthorized equipment or software onto the system. (Control: 0255 Bullet 3, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to assume the privileges or roles of other personnel. (Control: 0255 Bullet 4, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to gain access to information that they do not have authorization for. (Control: 0255 Bullet 5, Australian Government Information Security Manual: Controls)
  • The information security awareness and training program should include advice for personnel not to try to relocate equipment absent the proper authorization. (Control: 0255 Bullet 6, Australian Government Information Security Manual: Controls)
  • The organization should develop an initial and ongoing training program. (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The security training material should include, at a minimum, the following: the purpose of the training; how to recognize a security incident; who to contact for security-related information; the legitimate uses of the system; how to access and control media; how to secure accounts; information on p… (§ 3.2.9, § 3.2.10, Australian Government ICT Security Manual (ACSI 33))
  • Users must be able to demonstrate the following after information risk awareness training: an understanding of the types of information they handle and its value; their responsibility for protecting the information; an understanding of the personal consequences if they do not protect the informa… (Information Risk Awareness Minimum Training Specification ¶ 25, Outline Specification for DHR Information Awareness Training, March 2009)
  • Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session perfo… (DS7.2 Delivery of Training and Education, CobiT, Version 4.1)
  • Establish and regularly update a curriculum for each target group of employees considering: - Current and future business needs and strategy - Value of information as an asset - Corporate values (ethical values, control and security culture, etc.) - Implementation of new IT infrastructure and soft… (DS7.1 Identification of Education and Training Needs, CobiT, Version 4.1)
  • Develop or acquire content that does not exist in the current curriculum or education plan and modify any content that needs updating to meet current learning objects. (P4.3 Develop or Acquire Content, OCEG GRC Capability Model, v 3.0)
  • Verify that processes require training in secure coding techniques for developers. (§ 6.5.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that processes require training in secure coding techniques for developers. (§ 6.5.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Training should include information on verifying the identity of third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. (PCI DSS Requirements § 9.9.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Training should include information on not installing, replacing, or returning devices absent verification. (PCI DSS Requirements § 9.9.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Training should include information on being aware of suspicious behavior around the devices. (PCI DSS Requirements § 9.9.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices that capture payment card data via direct physical interaction with… (PCI DSS Question 9.9.3(a) Bullet 1, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Do training materials for personnel at point-of-sale locations include not installing, replacing, or returning devices that capture payment card data via direct physical interaction with the card without verification? (PCI DSS Question 9.9.3(a) Bullet 2, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • The Chief Audit Executive should develop a training plan for his/her auditors. The training strategy should develop the auditors' expertise in a broad range of topics. This can be done by ensuring there are different auditors who are subject matter experts for certain technologies. This will require … (§ 6.2 (IT Auditor Retention Strategy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must identify training needs for the management of threats, hazards, and risks and the organizational resilience management system. The organization must provide the training and or take other action to meet its training needs. (§ 4.4.2 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should use various methods to train employees. Some of the methods that can be used include bulletins and posters, discussions in staff meetings, articles in the company newsletter, and security awareness presentations. Security officer training guidelines have been developed by the… (Pg 1-I-13, Revised Volume 1 Pg 7-II-17, Protection of Assets Manual, ASIS International)
  • The Security Awareness Training program should include proven defenses against the latest known attack techniques and specific, incident-based scenarios on the threats that organization faces. (Critical Control 9.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A Security Awareness Training program shall be established for all contractors, third party users and employees of the organization and mandated when appropriate. (IS-11, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • determine training needs associated with its environmental aspects and its environmental management system; (§ 7.2 ¶ 1 c), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Top management has a key responsibility for building awareness in an organization in relation to the environmental management system and environmental performance, in order to enhance knowledge and promote behaviour that supports the organization's environmental policy commitments. This includes mak… (7.3 ¶ 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The formal training program will only be effective when the staff sees that the management is committed to implementing the policies and procedures. (§ 6.2 ¶ 3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • updated as required; (§ 7.2.2 ¶ 4 i), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Organizations and service providers should ensure the staff training is commensurate with assigned tasks and responsibilities. Types of training include: introductory training to provide basic awareness and understanding; advanced level training to train staff with specific knowledge and skills; con… (§ 5.9.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization shall provide relevant personnel with training on a regular basis, from the time of commencement of employment and at planned intervals determined by the organization. (§ 7.2.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken; (§ 7.2 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • providing training for the planned response; (§ 8.2 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall provide relevant personnel with training on a regular basis, from the time of commencement of employment and at planned intervals determined by the organization. (§ 7.2.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The knowledge shall be relevant, usable and available to appropriate persons. (§ 7.6 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Infection prevention and control (IPC) practices in communities and health facilities should be reviewed and enhanced to prepare for treatment of patients with COVID-19, and prevent transmission to staff, all patients/visitors and in the community. (Pillar 6: Infection prevention and control, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The human resource function helps promote competence by assisting management in developing job descriptions and roles and responsibilities, facilitating training, and evaluating individual performance for managing risk. Management considers the following factors when developing competence requiremen… (Establishing and Evaluating Competence ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization should have a formal documented process to train the employees that handle complaints and disputes on the resolution and escalation processes. (Table Ref 10.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Principle: Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include: - defining cybersecurity training needs requirements; - identifying appropriate cybersecurity training update cycles; - delivering interactive training with… (Staff Training, Report on Cybersecurity Practices)
  • Users should receive periodic refresher training. This training can be accomplished by computer-aided instruction; security posters; formal instruction; self-paced instruction; training films; and/or security bulletins. (§ 2-16.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The training curriculum must include details of the instruction methods used; give the trainees the opportunity to ask questions; and include topics on unescorted access authority, challenge procedures, control and display of badges, restrictions on sensitive security information, and any other topi… (§ 1542.213, 49 CFR Part 1542, Airport Security)
  • Training materials may be comprised of videos, online security courses, company magazine articles, etc. (Pg 39, C-TPAT Supply Chain Security Best Practices Catalog)
  • The organization must implement an Information Assurance training program. (PRTN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • To each member of the covered entity's workforce by no later than the compliance date for the covered entity; (§ 164.530(b)(2)(i)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The agency coordinator shall be responsible for scheduling initial training and testing, the training and continuing education of employees and operators, the supervision and integrity of the system, and certification testing and the required reports by the National Crime Information Center. (§ 3.2.7, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The Federal Bureau of Investigation Criminal Justice Information Services Division Information Security Officer shall develop and participate in the information security training programs for Information Security Officers and provide a feedback mechanism to measure the success and effectiveness of t… (§ 3.2.10(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignm… (§ 3.2.7 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Objectives of business continuity training. (VI Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Alignment of business continuity training with strategies. (VI Action Summary ¶ 2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the BCM training program, including board training, is updated as significant changes occur. (App A Objective 9:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Allocates resources for necessary training to maintain knowledge. (App A Objective 13:7a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensures that hiring and training practices are governed by appropriate policies to maintain competent and trained staff. (App A Objective 2:8 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the HR function has processes for compensation planning, performance reviews, knowledge transfer mechanisms, training, and mentoring. (App A Objective 5:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Internal or external training programs. (App A Objective 5:6 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether financial institution management has established a training program to ensure that all parties involved are trained appropriately. If yes, describe the training programs for financial institution and customer staff. (App A Tier 2 Objectives and Procedures N.10 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure: ▪ The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files. ▪ There are adequate controls to protect the confidential… (Exam Tier II Obj 9.5, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., FedRAMP Security Controls High Baseline, Version 5)
  • Update literacy training and awareness content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (AT-2c., FedRAMP Security Controls High Baseline, Version 5)
  • Review and update contingency training content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]. (CP-3b., FedRAMP Security Controls High Baseline, Version 5)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., FedRAMP Security Controls Low Baseline, Version 5)
  • Update literacy training and awareness content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (AT-2c., FedRAMP Security Controls Low Baseline, Version 5)
  • Review and update contingency training content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]. (CP-3b., FedRAMP Security Controls Low Baseline, Version 5)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update literacy training and awareness content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (AT-2c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review and update contingency training content [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]. (CP-3b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Establish a security and privacy workforce development and improvement program. (PM-13 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Are developed and maintained; and (PM-14a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Every individual within an enterprise should receive appropriate training to enable them to understand the importance of C-SCRM to their enterprise, their specific roles and responsibilities, and as it relates to processes and procedures for reporting incidents. This training can be integrated into … (3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Are developed and maintained; and (PM-14a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Establish a security and privacy workforce development and improvement program. (PM-13 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Are developed and maintained; and (PM-14a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish a security and privacy workforce development and improvement program. (PM-13 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Training requirements for personnel validating evidence SHALL be based on the policies, guidelines, or requirements of the CSP or RP. (5.2.2 ¶ 3, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Provide awareness training [Assignment: organization-defined frequency] focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are … (3.2.1e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • (§ 3.8, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The security awareness training materials should be examined for specific requirements for the system, application, role, and/or responsibility for which the users are being trained. (AT-2.2, AT-3.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Are developed and maintained; and (PM-14a.1., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization establishes an information security workforce development and improvement program. (PM-13 Control:, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Recommend revisions to curriculum and course content based on feedback from previous training sessions. (T0535, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of learning objectives and goals. (T0321, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of on-the-job training materials or programs. (T0322, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of training policies and protocols for cyber training. (T0365, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create interactive learning exercises to create an effective learning environment. (T0357, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assist in the development of individual/collective development, training, and/or remediation plans. (T0320, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Plan and manage the delivery of knowledge management projects. (T0185, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist with the development of privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures and legal obligations. (T0926, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare for and provide subject matter expertise to exercises. (T0772, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input and assist in the development of plans and guidance. (T0789, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in development of training curriculum and course content. (T0451, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Plan and coordinate the delivery of classroom techniques and formats (e.g., lectures, demonstrations, interactive exercises, multimedia presentations) for the most effective learning environment. (T0519, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures and legal obligations (T0880, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input to implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials (T0528, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should implement a training plan. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Organizational policy should include the training periodicity. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must develop, document, disseminate, review, and update formal, documented procedures that facilitate implementation procedures for the training procedures and associated controls. (App F § AT-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Plan and manage the delivery of knowledge management projects. (T0185, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist in the development of on-the-job training materials or programs. (T0322, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist in the development of learning objectives and goals. (T0321, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist in the development of training policies and protocols for cyber training. (T0365, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Plan and coordinate the delivery of classroom techniques and formats (e.g., lectures, demonstrations, interactive exercises, multimedia presentations) for the most effective learning environment. (T0519, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Recommend revisions to curriculum and course content based on feedback from previous training sessions. (T0535, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Participate in development of training curriculum and course content. (T0451, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Prepare for and provide subject matter expertise to exercises. (T0772, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures and legal obligations (T0880, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input to implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials (T0528, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist with the development of privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures and legal obligations. (T0926, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assist in the development of individual/collective development, training, and/or remediation plans. (T0320, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Create interactive learning exercises to create an effective learning environment. (T0357, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input and assist in the development of plans and guidance. (T0789, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures. (AR-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; (AR-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization establishes an information security workforce development and improvement program. (PM-13 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish a security and privacy workforce development and improvement program. (PM-13 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Incorporate lessons learned from internal or external security or privacy incidents into role-based training. (AT-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish a security and privacy workforce development and improvement program. (PM-13 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Management should clearly state its commitment to employee competence and support the organization's policy for training. (§ II.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • A program for the hiring and training of security screeners must be established by the Under Secretary of Transportation for Security. (§ 111(a), Aviation and Transportation Security Act, Public Law 107-71, November 2001)
  • Provide security training, to include incident response training, to personnel assigned security duties upon hiring and annually thereafter. (Table 1: Personnel Training Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • A program for the hiring and training of security screeners must be established by the Under Secretary of Transportation for Security. Computer-based training facilities should be made available for security screeners at the airport and should be easily accessible. (§ 44935(e)(1), § 44935(i), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment. (§ 500.14 Training and Monitoring (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)