Establish, implement, and maintain a risk assessment awareness and training program.
CONTROL ID 06453
CONTROL TYPE Business Processes
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a risk assessment program., CC ID: 00687
This Control has the following implementation support Control(s):
Disseminate and communicate information about risks to all interested personnel and affected parties., CC ID: 06718
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human err… (3.4.7 49, Final Report EBA Guidelines on ICT and security risk management)
provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users. (Article 9 4. ¶ 2(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
Decision-makers (including executive management; business unit heads; department heads; and owners of business applications, computer systems, networks, and systems under development) should be aware of the need to carry out information risk assessments for target environments within the organizatio… (SR.01.01.03, The Standard of Good Practice for Information Security)
The security awareness program should be based on the results of one or more documented information risk assessments. (CF.02.02.01g, The Standard of Good Practice for Information Security)
Decision-makers (including executive management; business unit heads; department heads; and owners of business applications, computer systems, networks, and systems under development) should be aware of the need to carry out information risk assessments for target environments within the organizatio… (SR.01.01.03, The Standard of Good Practice for Information Security, 2013)
The security awareness program should be based on the results of one or more documented information risk assessments. (CF.02.02.01g, The Standard of Good Practice for Information Security, 2013)
Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility. (IS-14, The Cloud Security Alliance Controls Matrix, Version 1.3)