Review the current published guidance and awareness and training programs.


CONTROL ID: 01245
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Train all personnel and third parties, as necessary. (CC ID: 00785)

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Reviewing the status of security awareness programmes (Information Security Committee ¶ 3 Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The training program should be conducted and updated at least annually and extended to all new and existing staff, contractors and vendors who have access to the FI’s IT resources and systems. (§ 3.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The training program should be endorsed by senior management. It should be reviewed and updated to ensure that the contents of the program remain current and relevant. The review should also take into consideration the evolving nature of technology as well as emerging risks. (§ 3.4.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The training programme should be reviewed periodically to ensure its contents remain current and relevant. The review should take into consideration changes in the FI's IT security policies, prevalent and emerging risks, and the evolving cyber threat landscape. (§ 3.6.4, Technology Risk Management Guidelines, January 2021)
  • The incident prevention plan may include a review of the employee training practices. (Step 4 Bullet 3, Key Steps for Organizations in Responding to Privacy Breaches)
  • The training effectiveness should be assessed periodically. (¶ 22.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • (Principle 7.42, ISACA Cross-Border Privacy Impact Assessment)
  • Identify when to review your security awareness program each year. (§ 4 ¶ 4 Bullet 1, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Review the training materials for personnel located at point-of-sale locations to verify it includes verifying an individual's identity who is claiming to be a repairman or maintenance person before granting them access to change or troubleshoot a device. (Testing Procedures § 9.9.3.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the training materials for personnel located at point-of-sale locations to verify it includes training about not installing, replacing, or returning devices absent verification. (Testing Procedures § 9.9.3.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the training materials for personnel located at point-of-sale locations to verify it includes training on being aware of suspicious behavior around the devices. (Testing Procedures § 9.9.3.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the training materials for personnel located at point-of-sale locations to verify it includes training on reporting suspicious behavior and indications of device substitution or tampering to appropriate personnel. (Testing Procedures § 9.9.3.a Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the security awareness program to verify personnel are aware of the importance of cardholder data security. (Testing Procedures § 12.6.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Process calls for conducting an awareness assessment to determine what further training needs the organization has. There are three basic tasks for this assessment: Establish the current level of awareness of the organization's BCM Specify the desired level of awareness and how this will be measured… (Stage 4.1 Process, Stage 4.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • An internal auditor can help an organization meet privacy objectives and contribute to good governance and accountability by reviewing the training and the materials, and inventorying the privacy awareness and training materials. (§ 2.2 (Privacy Controls) ¶ 3, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The security awareness program should be kept up-to-date with current practices and requirements. (CF.02.02.01f, The Standard of Good Practice for Information Security)
  • The security awareness program should be kept up-to-date with current practices and requirements. (CF.02.02.01f, The Standard of Good Practice for Information Security, 2013)
  • Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques,… (Control 17.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Perform gap analysis to see which skills employees need to implement the other Controls, and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees. (Control 17.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should validate security awareness with policies and training. (Critical Control 9.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. (CIS Control 17: Sub-Control 17.1 Perform a Skills Gap Analysis, CIS Controls, 7.1)
  • Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. (CIS Control 17: Sub-Control 17.1 Perform a Skills Gap Analysis, CIS Controls, V7)
  • ¶ 6 An organization should identify and implement appropriate safeguards for each IT system to reduce the risks to an acceptable level. These safeguards are implemented as outlined in the IT security plan. The implementation should be supported by an awareness and training program, which is importa… (¶ 6, ¶ 10.2.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below. 3. Security Awareness and Training All personnel who … (¶ 8.1.4(3), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The records training program should be reviewed on a regular basis, and the reports then provided to management. (§ 6.5 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should assess the level of trainee satisfaction with the training courses. (§ 6.5 ¶ 3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The training program should be updated after the evaluation and review and those already trained should be furnished with the updates. (§ 6.5 ¶ 4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • reviewed regularly. (§ 7.2.3 ¶ 2 c), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • reviewed regularly. (§ 7.2.3 ¶ 2 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • periodically review current and future competency needs and requirements. (Section 7.2 ¶ 1 bullet 5, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • CSPs operating at impact level 6 are also required to meet the requirements of DoD 8570.01-M for their personnel. However, non-DoD CSPs at impact levels 2-5 are not subject to these requirements. CSPs at all impact levels are however, required to train security personnel as described in security con… (Section 5.6.2.4 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • An Awareness Training program should be provided to the DIB asset owner/operators and should focus on: • protecting DoD interests; • protecting Federal interests; • assuring the mission to the war fighters; and • fostering relationships with local responders and Federal, State, and local law… (§ 3.4 ¶ 1 thru 2, Defense Industrial Base Information Assurance Standard)
  • Review staff training programs and determine if they are appropriate for supporting policies. (App A Tier 1 Objectives and Procedures Objective 4:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implementing an ICS security program may bring changes to the way in which personnel access computer programs, applications, and the computer desktop itself. Organizations should design effective training programs and communication vehicles to help employees understand why new access and control met… (§ 6.2.2 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conduct periodic reviews/revisions of course content for accuracy, completeness alignment, and currency (e.g., course content documents, lesson plans, student texts, examinations, schedules of instruction, and course descriptions). (T0534, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review training documentation (e.g., Course Content Documents [CCD], lesson plans, student texts, examinations, Schedules of Instruction [SOI], and course descriptions). (T0224, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Privacy values, policies, and training are reviewed and any updates are communicated. (GV.MT-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should review all smart grid Information System design and procedure changes to determine if they should be included in the Security Awareness Training. (SG.AT-2 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Industrial Control System Security Awareness Training must include the initial and periodic review of Industrial Control System-specific policies, Standard Operating Procedures, vulnerabilities, and security trends. (App I § AT-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Industrial Control System security training must include the initial and periodic review of Industrial Control System-specific policies, Standard Operating Procedures, vulnerabilities, and security trends. (App I § AT-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Review training documentation (e.g., Course Content Documents [CCD], lesson plans, student texts, examinations, Schedules of Instruction [SOI], and course descriptions). (T0224, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct periodic reviews/revisions of course content for accuracy, completeness alignment, and currency (e.g., course content documents, lesson plans, student texts, examinations, schedules of instruction, and course descriptions). (T0534, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization reviews and updates the current security awareness and training policy {organizationally documented frequency}. (AT-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training procedures {organizationally documented frequency}. (AT-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training policy {organizationally documented frequency}. (AT-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training procedures {organizationally documented frequency}. (AT-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training policy {organizationally documented frequency}. (AT-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training procedures {organizationally documented frequency}. (AT-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training policy {organizationally documented frequency}. (AT-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security awareness and training procedures {organizationally documented frequency}. (AT-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CP-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (IR-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AT-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Bank management develop and maintain a plan to ensure that key employees and vendors have the expertise and skills to perform necessary functions and that they are properly trained. Management should allocate sufficient resources to hire and train employees and to ensure that adequate back-up exists… (¶ 36, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., TX-RAMP Security Controls Baseline Level 1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., TX-RAMP Security Controls Baseline Level 2)