Document all training in a training record.


CONTROL ID
01423
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an education methodology., CC ID: 06671

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To track each person's education, the person in charge of education shall send a report of the education results to the person responsible for education. (O81.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should track all training that is accomplished. (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material t… (Attachment B 1., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution could benefit from developing an initial, and ongoing, training and IT security awareness program. This would typically incorporate any changes in IT security vulnerabilities or the institution's IT security risk management framework. Sound practice would involve the tracking… (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Do the people in your IRS have the necessary competencies to perform their duties and are records kept to demonstrate this? (Operation ¶ 21, ISO 22301: Self-assessment questionnaire)
  • Participation in training and awareness measures is documented. (2.1.3 Requirements (should) Bullet 5, Information Security Assessment, Version 5.1)
  • The organization shall maintain records of all staff members who have and have not completed training and assessments so managers and personnel can be reminded and remedial action can be taken to help personnel reach the passing mark. (Assessment ¶ 17, Outline Specification for DHR Information Awareness Training, March 2009)
  • training that the organization provides on implementing the commitments. (Disclosure 2-24 ¶ 1(a)(iv), GRI 2: General Disclosures, 2021)
  • The records for the initial and ongoing operator training must be kept with the documentation and records for the validation of the computer system. (¶ 15.3 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The training measures and the qualifications should be documented and kept. (¶ 22.7, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should have an ongoing training program that includes documentation of all training provided for staff. (CORE - 27(e), URAC Health Utilization Management Standards, Version 6)
  • Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session perfo… (DS7.2 Delivery of Training and Education, CobiT, Version 4.1)
  • Implement tracking mechanisms to record who completes the training and when. (§ 4 ¶ 3 Bullet 5, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Examine the training records to verify software developers received secure coding techniques training, including how to avoid common coding vulnerabilities and how sensitive data is handled in memory. (Testing Procedures § 6.5.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Records must be maintained for education, training, experience, skills, and qualifications. (§ 3.2.4(e), BS 25999-2, Business continuity management. Specification, 2007)
  • The organization must ensure that all training and associated records are retained by the organization. (§ 4.4.2 ¶ 1, § 4.4.2 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • All training should be documented with a list of attendees for each class. Tests should be signed by both the person being tested and the instructor. (Revised Volume 1 Pg 7-II-17, Protection of Assets Manual, ASIS International)
  • The organization shall keep education, training, skills, and experience records. (§ 6.2.2(e), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should identify the necessary competencies to achieve the intended outcome of the environmental management system and address gaps, including taking actions when needed to acquire the necessary competence. Documented information can be useful to ensure that identified competency nee… (7.2 ¶ 4, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall maintain training records. (§ 6.2.4.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • retain appropriate documented information, including evidence of competence. (§ 7.2.1 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • recorded and retained. (§ 7.2.2 ¶ 4 j), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The service provider shall maintain appropriate records for training, education, skills, and experience. (§ 4.4.2 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Training exercises should be documented with the results and steps taken to address exceptions and failures. Records should be kept on all training. (§ 5.9.2(b), § 5.9.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1 d), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Training records shall be retained as documented information. (§ 7.2.3 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Appropriate documented information shall be available as evidence of competence. (§ 7.2.1 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • retain appropriate documented information as evidence of competence. (7.2 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retain appropriate documented information as evidence of competence. (§ 7.2.1 ¶ 1 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Training records shall be retained as documented information. (§ 7.2.3 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • retain appropriate documented information as evidence of competence; and (Section 7.2 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • retain appropriate documented information as evidence of competence. (§ 7.2 ¶ 1 d), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must monitor employee attendance at the privacy training and awareness courses. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must maintain training records. (§ 5.13.5, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Are there training logs for employees with access to client Protected Health Information to meet the privacy and security obligations required by the Health Information Portability and Accountability Act? (§ P.2.8, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Employees must acknowledge, electronically or in writing, that they received security and awareness training. The organization must maintain a record of the security awareness and training subjects covered. (CSR 1.1.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The airport operator must maintain a record of all training for each Airport Security Coordinator (ASC) for at least 180 days after he/she is no longer an ASC. (§ 1542.3, § 1542.213(d), 49 CFR Part 1542, Airport Security)
  • The organization must maintain training records for the training programs it offers and records on which employees participated. (§ 3-107, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • All training shall be documented. (§ 820.25(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The training program must be documented in accordance with the requirements of § 164.530(j). (§ 164.530(b)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. (§ 164.530(b)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Training records must contain the date and location of the training; time and duration; a description of the training; the name of the instructor; a list of attendees and their signatures; and results of any testing. The training records must be kept for at least 3 years. (§ 27.255(a)(1), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • Specific information system security training records and individual basic security awareness training records shall be documented, kept current, and maintained by the criminal justice information services systems officer, state identification board, or the compact officer. (§ 5.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the CSO/SIB Chief/Compact Officer. Maintenance of training records can be delegated to the local level. (§ 5.2.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the CSO/SIB Chief/Compact Officer. Maintenance of training records can be delegated to the local level. (§ 5.2.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains evidence of contingency testing/training by providers [FedRAMP Assignment: annually]. (CP-8(4)(c) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., FedRAMP Security Controls High Baseline, Version 5)
  • Obtain evidence of contingency testing and training by providers [FedRAMP Assignment: annually]. (CP-8(4)(c), FedRAMP Security Controls High Baseline, Version 5)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., FedRAMP Security Controls Low Baseline, Version 5)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization should maintain a record of all employees' initial and refresher training. (§ 6.2, Exhibit 4 AT-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the organization maintains records of all security awareness and specific system security training each individual has attended and that specific responsibilities and actions are defined for the implementation of the security training… (AT-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. (CP-8(4) ¶ 1(c) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must maintain Awareness and Training records for all users in accordance with the training and records retention policy. (SG.AT-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must maintain a list of security responsibilities to use for testing each user. (SG.AT-6 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must document and monitor individual information system security training activities, including basic Security Awareness Training and specific system security training. (App F § AT-4.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training. (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training. (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training. (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training. (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and (AT-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. (CP-8(4)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. (CP-8(4) ¶ 1(c), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., TX-RAMP Security Controls Baseline Level 1)
  • Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (AT-4a., TX-RAMP Security Controls Baseline Level 2)