Tailor training to meet published guidance on the subject being taught.


CONTROL ID
02217
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an education methodology., CC ID: 06671

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Effective customer education programmes tailored for the use of mobile devices should be in place as well as ongoing efforts to identify fake Internet banking Apps, if applicable, and notify customers promptly. (§ 7.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Effective customer education programmes tailored for the use of mobile devices should be in place as well as ongoing efforts to identify fake Internet banking Apps, if applicable, and notify customers promptly. (§ 7.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Educational training plans and curriculums must be developed to improve the technical skills of personnel, to provide business knowledge, and to ensure the security of the system. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. (App 2-1 Item Number VI.4.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O80.1: The organization should conduct security policy education using security-related documents and ensure the education makes personnel duties, responsibilities, and punishments understood. O80.3: The organization should ensure security training clarifies the roles of computer systems, how to pro… (O80.1, O80.3, O82.1(2), O83.2(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • If an applicant does not obtain a pass mark of 80%, the applicant may re-attempt the IRAP examination after waiting for a period of at least four (4) months. During this time, the applicant is expected to gain additional information security experience and knowledge, including the application of th… (12., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • achieve teaching IRAP learning objectives (54.a., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The information management training course should include the following: the definitions of information assurance and information risk; the organization's relationship to the business risk framework; the roles and responsibilities of the accounting officer, senior information risk owner, and informa… (Course Content ¶ 11, Guidance on Role Specific Training, March 2009)
  • Delivery mechanism ¶ 10: The organization should use e-learning methods for training, supplemented with local information, such as who to contact and where to find detailed guidance material, and with periodic reminders to users to be vigilant when handling protected personal data. Training should … (Delivery mechanism ¶ 10, Delivery mechanism ¶ 11, Delivery mechanism ¶ 13, Maintenance ¶ 14, Assessment ¶ 15 thru ¶ 18, Generic module structure ¶ 19, Course content ¶ 26, Course content ¶ 27, Outline Specification for DHR Information Awareness Training, March 2009)
  • An effective theft and fraud prevention program should include the following elements: educating managers and employees about the types and vulnerable areas of losses; encouraging employees to report incidents quickly; developing roles and responsibilities for investigating losses; taking immediate … (Pg 11-I-16, Pg 11-I-17, Pg 11-II-4, Revised Volume 1 Pg 2-III-14 thru Revised Volume 1 Pg 2-III-18, Protection of Assets Manual, ASIS International)
  • Education / training should be given to provide business users with the skills they need to correctly use business applications (including enterprise software, commercial off the shelf software, and desktop applications (e.g., those developed using spreadsheets)). (CF.02.04.02a, The Standard of Good Practice for Information Security)
  • Education / training should include practical recommendations for users to follow, such as understanding the Terms and Conditions when signing up to social networking websites. (CF.02.04.08b, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide business users with the skills they need to correctly use business applications (including enterprise software, commercial off the shelf software, and desktop applications (e.g., those developed using spreadsheets)). (CF.02.04.02a, The Standard of Good Practice for Information Security, 2013)
  • Education / training should include practical recommendations for users to follow, such as understanding the Terms and Conditions when signing up to social networking websites. (CF.02.04.08b, The Standard of Good Practice for Information Security, 2013)
  • Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who … (Control 17.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should perform a gap analysis on the training program to determine which security areas the employees are not following and use it to base the security program on. (Critical Control 9.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained. (HRS-05, Cloud Controls Matrix, v3.0)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way… (CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding, CIS Controls, V8)
  • developments in the practice of auditing including the use of technology; (§ 7.6 ¶ 3(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • relevant standards including guidance/supporting documents and other requirements; (§ 7.6 ¶ 3(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • changes in sector or disciplines. (§ 7.6 ¶ 3(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • developing employee awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.5 ¶ 1 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • relevant to the day-to-day work of employees and illustrative of the industry, organization or sector concerned; (§ 7.2.2 ¶ 4 f), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • change in activities, products or services; (§ 7.2.2 ¶ 5 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • In addition to the guidance provided in ISO 31000:2018, 5.4.1, organizations should consider that the use of AI systems can increase the need for specialized training. (§ 5.4.1 ¶ 4, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • requirements for appropriate education, training and experience; (§ 8.5.2.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • A Member's ISSP should contain a description of the Member's ongoing education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment and be appropriate to the security … (Information Security Program Bullet 5 Employee Training ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • To meet the accessibility standards for persons with disabilities, video and multimedia products shall meet the following requirements: (1) training and informational video and multimedia productions that support the agency's mission and contains speech or other audio information needed to comprehen… (§ 1194.24(c), § 1194.24(d), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • CSR 1.1.1: The organization must include the following topics and procedures in the security training program: awareness training; security reminders; and education on malicious software, the importance of monitoring login success/failure and how to report discrepancies, and password management. CSR… (CSR 1.1.1, CSR 1.1.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 820.25(b)(1): During training, personnel shall be made aware of device defects that can result from the incorrect performance of their jobs. § 820.25(b)(2): Personnel who conduct verification and validation activities shall be made aware of defects and errors that they may encounter. § 820.70(d… (§ 820.25(b)(1), § 820.25(b)(2), § 820.70(d), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform … (§ 5.1.1.5 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Determine whether management develops customer awareness and education efforts that address both retail (consumer) and commercial account holders. (App A Objective 6.26, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Providing information security personnel with security updates and training sufficient to address relevant security risks; and (§ 314.4 ¶ 1(e)(3), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • To facilitate ongoing security and privacy education and training for organizational personnel; (PM-15a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. (AT-3(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide literacy training on the advanced persistent threat. (AT-2(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide literacy training on the cyber threat environment; and (AT-2(6)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • To facilitate ongoing security and privacy education and training for organizational personnel; (PM-15a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • To facilitate ongoing security education and training for organizational personnel; (PM-15a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implementing an ICS security program may bring changes to the way in which personnel access computer programs, applications, and the computer desktop itself. Organizations should design effective training programs and communication vehicles to help employees understand why new access and control met… (§ 6.2.2 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Topics that may be addressed in training, depending on the roles and functions that involve Personally Identifiable Information, include the definition of Personally Identifiable Information; applicable privacy laws, regulations, and policies; roles and responsibilities for protecting Personally Ide… (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should provide initial employee training and periodic retraining on the use and operation of physical security controls. (App F § AT-3(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should provide initial employee training and periodic retraining on the use and operation of environmental controls. (App F § AT-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization provides {organizationally documented personnel} with initial and {organizationally documented frequency} training in the employment and operation of environmental controls. (AT-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides {organizationally documented roles} with initial and {organizationally documented frequency} training in the employment and operation of environmental controls. (AT-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides {organizationally documented personnel} with initial and {organizationally documented frequency} training in the employment and operation of physical security controls. (AT-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides {organizationally documented roles} with initial and {organizationally documented frequency} training in the employment and operation of physical security controls. (AT-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. (AT-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. (AT-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • To facilitate ongoing security education and training for organizational personnel; (PM-15a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. (AT-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. (AT-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide literacy training on the advanced persistent threat. (AT-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide literacy training on the cyber threat environment; and (AT-2(6)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • To facilitate ongoing security and privacy education and training for organizational personnel; (PM-15a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. (AT-3(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. (AT-3(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide literacy training on the advanced persistent threat. (AT-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide literacy training on the cyber threat environment; and (AT-2(6)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • To facilitate ongoing security and privacy education and training for organizational personnel; (PM-15a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. (AT-3(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Regularly train employees, including all new, temporary and contract employees, in their roles and responsibilities in your incident response plan. (Part II ¶ 3, California OPP Recommended Practices on Notification of Security Breach, May 2008)