Back

Establish, implement, and maintain an education methodology.


CONTROL ID
06671
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Train all personnel and third parties, as necessary., CC ID: 00785

This Control has the following implementation support Control(s):
  • Support certification programs as viable training programs., CC ID: 13268
  • Retrain all personnel, as necessary., CC ID: 01362
  • Tailor training to meet published guidance on the subject being taught., CC ID: 02217
  • Tailor training to be taught at each person's level of responsibility., CC ID: 06674
  • Conduct cross-training or staff backup training to minimize dependency on critical individuals., CC ID: 00786
  • Document all training in a training record., CC ID: 01423
  • Use automated mechanisms in the training environment, where appropriate., CC ID: 06752


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • in addition, the AI should clearly specify the accountability of the management and staff of its second line of defense (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defense, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices they use in e-banking and keep the passwords they use for accessing e-banking secure and secret. AIs should also observe the relevant provisions set out in the Code … (§ 4.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • in addition, the AI should clearly specify the accountability of the management and staff of its second line of defence (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defence, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices and the authentication factors (e.g. passwords and authentication tokens) used by the customers in the e-banking services. AIs should also observe the relevant provi… (§ 4.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • O10-1.5: The organization shall evaluate confirmation of security observance status results and reassess the content or other aspects of security education based on it. O80.1: The organization should conduct security policy education using security-related documents and ensure the education makes pe… (O10-1.5, O80.1, O80.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The training curriculum should include personal and corporate uses of Information Technology assets. (¶ 34(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include Internet usage, malware protection, e-mail usage, and social networking usage. (¶ 34(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include remote computing, physical protection, and mobile device usage. (¶ 34(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include password standards, authentication requirements, and access control. (¶ 34(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include responsibilities for end-user developed software and end-user configured software, e.g., databases and spreadsheets. (¶ 34(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include how to handle sensitive information and sensitive data. (¶ 34(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The training curriculum should include how to report information technology security incidents and information technology security concerns. (¶ 34(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should ensure that users are aware of the increased information technology security threats during remote computing sessions. (¶ 35, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The security training material should include, at a minimum, the following: the purpose of the training; how to recognize a security incident; who to contact for security-related information; the legitimate uses of the system; how to access and control media; how to secure accounts; information on p… (§ 3.2.9, § 3.2.10, Australian Government ICT Security Manual (ACSI 33))
  • The training measures and the qualifications should be documented and kept. (¶ 22.7, Good Practices For Computerized systems In Regulated GXP Environments)
  • The training should include ensuring expertise is available and used for providing advice on design, validation, operation, and installation of computerized systems. (¶ 1, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • The organization must have an ongoing training program that includes confidentiality. (CORE - 27(d), URAC Health Utilization Management Standards, Version 6)
  • Establish and regularly update a curriculum for each target group of employees considering: - Current and future business needs and strategy - Value of information as an asset - Corporate values (ethical values, control and security culture, etc.) - Implementation of new IT infrastructure and soft… (DS7.1 Identification of Education and Training Needs, CobiT, Version 4.1)
  • Develop a job specific curriculum and appropriate training program for the governing authority, management, the workforce, and the extended enterprise to fulfill their responsibilities. (OCEG GRC Capability Model, v. 3.0, P4.2 Define a Curriculum Plan, OCEG GRC Capability Model, v 3.0)
  • Identify what you will communicate to the different groups (goal is shortest training possible that has the greatest impact). (§ 4 ¶ 2 Bullet 9, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Identify how you will communicate the content—three categories of training: new, annual, and ongoing. (§ 4 ¶ 2 Bullet 10, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Develop and/or purchase training materials and content to meet requirements identified during program creation. (§ 4 ¶ 3 Bullet 1, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Verify that the security awareness program provides multiple methods of communicating awareness and educating employees. (§ 12.6.1.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the security awareness program provides several methods to communicate security awareness and to educate personnel. (Testing Procedures § 12.6.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that the security awareness program provides multiple methods of communicating awareness and educating employees. (§ 12.6.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Train users. The solution provider should provide the merchant with implementation instructions and possibly training materials. The implementation instructions and training materials should be understood and completed by any staff operating the payment-acceptance solution. (¶ 6.2.2, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • The organization should develop awareness programs to ensure all employees who may have knowledge of sensitive information do not disclose it. (Pg 15-I-11, Protection of Assets Manual, ASIS International)
  • Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques,… (Control 17.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should perform security skills assessment and appropriate training to fill gaps. (Critical Control 9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The training needed for each level of inspectors may be described in the authentication solution. (§ 4.5.4.3.9 ¶ 2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • Corporate ICT security policy elements. An organization should produce a corporate ICT (Information and Communications Technology) security policy based on the agreed corporate ICT security objectives and strategy. It is necessary to establish and maintain a corporate ICT security policy, consistent… (§ 4.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Program Delivery. An organization should develop a security awareness program which includes both interactive and promotional techniques. The focus of this part of an awareness program should be the deficiencies that were identified through the needs analysis. Employees need to gain an appreciation … (¶ 10.2.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall establish a skills development plan, including personnel categories, resource requirements, types and levels of training, training schedules, and training needs. (§ 6.2.4.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall develop or receive education, training, or mentoring resources, including training materials. (§ 6.2.4.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization may use a third party supplier for some or all of its records management training. (§ 6.2 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can be incorporated into the employee orientation program and documentation. (§ 6.4.2 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include classroom training at system change times or new job responsibilities. (§ 6.4.2 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include on-the-job training and coaching. (§ 6.4.2 ¶ 1(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include briefing sessions and seminars on specific issues. (§ 6.4.2 ¶ 1(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include short "how-to" booklets and leaflets that describe the record policies or practices. (§ 6.4.2 ¶ 1(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include computer-based presentations. (§ 6.4.2 ¶ 1(f), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include help text in the system. (§ 6.4.2 ¶ 1(g), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The records management training program can include training courses from professional organizations, educational institutions, or developed specifically for the organization. (§ 6.4.2 ¶ 1(h), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Auditors should develop, maintain and improve their competence through continual professional development and regular participation in audits (see 7. 6). (§ 7.1 ¶ 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Auditors and audit team leaders should continually improve their competence. Auditors should maintain their auditing competence through regular participation in management system audits and continual professional development. This may be achieved through means such as additional work experience, tra… (§ 7.6 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • practical and readily understood by employees; (§ 7.2.2 ¶ 4 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • sufficiently flexible to account for a range of techniques to accommodate the differing needs of organizations and employees; (§ 7.2.2 ¶ 4 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • This knowledge shall be maintained and be made available to the extent necessary. (7.1.6 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Instructions for the fulfilment of service requests shall be made available to persons involved in service request fulfilment. (§ 8.6.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • requirements for appropriate education, training and experience; (§ 8.5.2.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Train: Enable individuals to develop and maintain enterprise risk management competencies appropriate for assigned roles and responsibilities, reinforce standards of conduct and desired levels of competence, tailor training to specific needs, and consider a mix of delivery techniques, including clas… (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization should provide in-depth training that covers Incident Response, privacy policies and procedures, security policies and procedures, regulatory topics, legal topics, and other topics. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should review and update the training and awareness courses based on current regulatory policy and procedure requirements, legislative policy and procedure requirements, industry policy and procedure requirements, and organizational policy and procedure requirements. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The security program, in relation to protecting personal information, should include the allocation of training and other resources to support the security policy. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Principle: Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include: - defining cybersecurity training needs requirements; - identifying appropriate cybersecurity training update cycles; - delivering interactive training with… (Staff Training, Report on Cybersecurity Practices)
  • A Member's ISSP should contain a description of the Member's ongoing education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment and be appropriate to the security … (Information Security Program Bullet 5 Employee Training ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Personnel and training (CIP-004); (B. R1. 1.1 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Personnel and training (CIP-004); (B. R1. 1.1 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • The NITC shall develop standardized training for Technical Surveillance Countermeasure personnel. (§ D.7, Intelligence Community Directive Number 702, Technical Surveillance Countermeasures)
  • Users should receive periodic refresher training. This training can be accomplished by computer-aided instruction; security posters; formal instruction; self-paced instruction; training films; and/or security bulletins. (§ 2-16.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization shall use periodic and situational notices to prevent and control fraud. (App B § 2.G, CMS Business Partners Systems Security Manual, Rev. 10)
  • Security awareness programs provide users with a basic understanding of security, and formal security training provides users with in-depth knowledge of specific security issues. The Information Assurance Manager should ensure a training program, to include security features, password guidance, Inte… (§ 2.2.1, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The Technical Surveillance Countermeasure training program shall include instruction on DoD 5240.1-R and its procedures. (§ 5.8.2, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • The organization must ensure that all cleared personnel are aware of their responsibility for reporting any pertinent information to the appropriate authorities. All cleared employees must receive some form of refresher security training and education at least annually. (§ 1-300, § 3-107, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • All employees must receive training on the IT security policies, procedures, and standards. (Password Protection, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • The baseline Security Awareness Training for all personnel with access to criminal justice information shall address the rules describing the responsibilities and expected behavior with regard to the usage of criminal justice information. (§ 5.2.1.1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address the implications of noncompliance. (§ 5.2.1.1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address the points of contact and individual actions for incident response. (§ 5.2.1.1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address Media Protection. (§ 5.2.1.1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address visitor control and physical access to spaces. (§ 5.2.1.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address how to protect information that is subject to confidentiality concerns, from hardcopy through destruction. (§ 5.2.1.1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address the proper handling and marking of criminal justice information. (§ 5.2.1.1(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address the threats, vulnerabilities, and risks associated with handling criminal justice information. (§ 5.2.1.1(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address social engineering. (§ 5.2.1.1(9), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with access to criminal justice information shall address dissemination and destruction. (§ 5.2.1.1(10), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address the rules describing the expected behavior and responsibilities about Information System usage. (§ 5.2.1.2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address password usage and password management, including creating passwords, how often to change passwords, and how to protect passwords. (§ 5.2.1.2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address protecting systems against trojan horses, viruses, worms, and other malicious code. (§ 5.2.1.2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address the dangers of unknown e-mail and unknown e-mail attachments. (§ 5.2.1.2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address web usage, including what is allowed, what is prohibited, and the monitoring of user activity. (§ 5.2.1.2(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address spam. (§ 5.2.1.2(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address physical security. (§ 5.2.1.2(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address physical security issues and wireless security issues for handheld devices. (§ 5.2.1.2(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address the use of encryption and the transmission of sensitive information and classified information over the Internet, including policies, procedures, and the techn… (§ 5.2.1.2(9), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address the physical security issues and Information Security issues for laptops. (§ 5.2.1.2(10), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address if personally owned equipment and software is allowed or not. (§ 5.2.1.2(11), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address access control issues, including Separation of Duties and least privilege. (§ 5.2.1.2(12), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address what individual accountability means in the agency. (§ 5.2.1.2(13), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address the use of acknowledgment statements for passwords, personal use and gain, and access to systems and data. (§ 5.2.1.2(14), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address desktop security, including battery backup devices, the use of screensavers, allowed access to systems, and restricting a visitor's view of information on a co… (§ 5.2.1.2(15), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for personnel with physical access and logical access to criminal justice information shall address how to protect system information, archived information, and information on backup media that is subject to confidentiality concerns until its destruction. (§ 5.2.1.2(16), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline security awareness training for personnel with physical access and logical access to criminal justice information shall address the risks, vulnerabilities, and threats associated with accessing the criminal justice information services systems and services. (§ 5.2.1.2(17), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for all Information Technology personnel, such as security administrators, System Administrators, and Network Administrators, shall address how to protect systems from worms, viruses, trojan horses, and other malicious code by conducting scans and updating de… (§ 5.2.1.3(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for all Information Technology personnel, such as security administrators, System Administrators, and Network Administrators, shall address data backup and storage. (§ 5.2.1.3(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for all Information Technology personnel, such as security administrators, System Administrators, and Network Administrators, shall address the timely application of security patches. (§ 5.2.1.3(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for all Information Technology personnel, such as security administrators, System Administrators, and Network Administrators, shall address access control measures. (§ 5.2.1.3(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The baseline Security Awareness Training for all Information Technology personnel, such as security administrators, System Administrators, and Network Administrators, shall address network infrastructure protection measures. (§ 5.2.1.3(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The organization must document and monitor its security awareness and training program. (§ 5.6.3, Exhibit 4 AT-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The security awareness training materials should be examined for specific requirements for the system or application on which the users are being trained. (AT-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Conduct interactive training exercises to create an effective learning environment. (T0030, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design training curriculum and course content based on requirements. (T0450, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Plan instructional strategies such as lectures, demonstrations, interactive exercises, multimedia presentations, video courses, web-based courses for most effective learning environment in conjunction with educators and trainers. (T0380, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create training courses tailored to the audience and physical environment. (T0442, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Deliver training courses tailored to the audience and physical/virtual environments. (T0443, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of course assignments. (T0317, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply concepts, procedures, software, equipment, and/or technology applications to students. (T0444, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with other team members or partner organizations to develop a diverse program of information materials (e.g., web pages, briefings, print materials). (T0601, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct learning needs assessments and identify requirements. (T0352, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify gaps in our understanding of target technology and developing innovative collection approaches. (T0720, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Plan non-classroom educational techniques and formats (e.g., video courses, mentoring, web-based courses). (T0520, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Organizational policy should include the training prerequisites for gaining Access to Personally Identifiable Information. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must develop, document, disseminate, review, and update a formally, documented security awareness and training policy that addresses purpose, responsibilities, roles, scope, management commitment, compliance, and coordination among organizational entities. (App F § AT-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The security awareness program for the Industrial Control System must have the same requirements as the security awareness and training policy for the organization. (App I § AT-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Industrial Control System security training program must have the same requirements as the organization's security awareness and training policy. (App I § AT-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Conduct interactive training exercises to create an effective learning environment. (T0030, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Conduct learning needs assessments and identify requirements. (T0352, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Plan non-classroom educational techniques and formats (e.g., video courses, mentoring, web-based courses). (T0520, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Create training courses tailored to the audience and physical environment. (T0442, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Apply concepts, procedures, software, equipment, and/or technology applications to students. (T0444, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Deliver training courses tailored to the audience and physical/virtual environments. (T0443, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Design training curriculum and course content based on requirements. (T0450, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Develop or assist in the development of course assignments. (T0317, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Collaborate with other team members or partner organizations to develop a diverse program of information materials (e.g., web pages, briefings, print materials). (T0601, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. (AT-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. (AT-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. (AT-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. (AT-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • All screeners are required to participate in training to ensure they are proficient in using the new technologies and to stay up-to-date in recognizing new threats and weapons. (§ 111(a), Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001, November 2001)