Analyze and evaluate training records to improve the training program.


CONTROL ID
06380
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Train all personnel and third parties, as necessary., CC ID: 00785

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • O83.1: The organization shall analyze and evaluate the training results to provide feedback for the training program and the contingency plans. O84.3: The organization shall analyze and evaluate training results for feedback to be applied to future training. (O83.1, O84.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The results of training conducted should be subject to proper analysis and evaluation to provide feedback for future training (C17.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Following the implementation of education, it is necessary for the person responsible for education in financial institutions to receive a report of the results from the person in charge of the education in order to track the state of educational acquisition by personnel. (C15.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to evaluate the results of the confirmation of security observance status and to reassess the content or other aspects of security education accordingly. (C13.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The training effectiveness should be assessed periodically. (¶ 22.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests. (DS4.6 IT Continuity Plan Training, CobiT, Version 4.1)
  • Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, the retention of knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and the delivery of training sessions. (DS7.3 Evaluation of Training Received, CobiT, Version 4.1)
  • Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session perfo… (DS7.2 Delivery of Training and Education, CobiT, Version 4.1)
  • Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility). (§ 4 ¶ 4 Bullet 4, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • The training program should be evaluated based on the successful operation of the records system by the employees and may require measurements against the level of training and operational audits. (§ 6.5 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • where appropriate, based on an assessment of gaps in employee knowledge and competence; (§ 7.2.2 ¶ 4 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Appropriate documented information is required as evidence of competence. The organization should therefore retain documentation about the necessary competence affecting information security performance and how this competence is met by relevant persons. (§ 7.2 Guidance ¶ 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Employee training and management; (Section 4.C ¶ 1(4)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The federal bureau of investigation criminal justice information services division information security officer shall develop and participate in the information security training programs for Information Security Officers and provide a feedback mechanism to measure the success and effectiveness of t… (§ 3.2.10(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Every individual within an enterprise should receive appropriate training to enable them to understand the importance of C-SCRM to their enterprise, their specific roles and responsibilities, and as it relates to processes and procedures for reporting incidents. This training can be integrated into … (3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. (3.2.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Recommend revisions to curriculum and course content based on feedback from previous training sessions. (T0535, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate the effectiveness and comprehensiveness of existing training programs. (T0101, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate the effectiveness and comprehensiveness of existing training programs. (T0101, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Recommend revisions to curriculum and course content based on feedback from previous training sessions. (T0535, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. (AT-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. (AT-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employee training and management. (Section 27-62-4(c)(4) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Employee training and management; (Part VI(c)(3)(D)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Employee training and management. (§ 8604.(c)(4) a., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Employee training and management; (§431:3B-202(b)(4)(A), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Employee training and management. (Sec. 17.(4)(A), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Employee training and management. (507F.4 3.d.(1), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Employee training and management. (§2504.C.(4)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Employee training and management; (§2264 3.D.(1), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Employee training and management. (Sec. 555.(3)(d)(i), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • employee training and management; (§ 60A.9851 Subdivision 3(4)(i), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Employee training and management; (§ 83-5-807 (3)(d)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Employee training and management; (§ 420-P:4 III.(d)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Employee training and management; (26.1-02.2-03. 3.d.(1), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Employee training and management; (Section 3965.02 (C)(4)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • employee training and management; (SECTION 38-99-20. (C)(4)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Employee training and management; (§ 56-2-1004 (3)(D)(i), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Employee training and management. (§ 601.952(2)(c)1., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)