Conduct tests and evaluate training.


CONTROL ID
06672
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Train all personnel and third parties, as necessary., CC ID: 00785

This Control has the following implementation support Control(s):
  • Hire third parties to conduct training, as necessary., CC ID: 13167


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should test staff after initial and ongoing training to ensure they understand the relevance of the information technology security policies. (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material t… (Attachment B 1., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution could benefit from developing an initial, and ongoing, training and IT security awareness program. This would typically incorporate any changes in IT security vulnerabilities or the institution's IT security risk management framework. Sound practice would involve the tracking… (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests. (DS4.6 IT Continuity Plan Training, CobiT, Version 4.1)
  • Implement and manage the education program to ensure that each target audience achieves learning objectives and can apply knowledge and skills to their jobs. (OCEG GRC Capability Model, v. 3.0, P4.4 Implement Education, OCEG GRC Capability Model, v 3.0)
  • Conduct periodic assessments of organization security awareness and compare to baseline. (§ 4 ¶ 4 Bullet 3, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Interview a sample of personnel to verify they completed Security Awareness Training and are aware of the importance of cardholder data security. (Testing Procedures § 12.6.1.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Have employees completed awareness training and are they aware of the importance of cardholder data security? (12.6.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Have employees completed awareness training and are they aware of the importance of cardholder data security? (12.6.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Have employees completed awareness training and are they aware of the importance of cardholder data security? (12.6.1(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review training materials for personnel in POI environments to verify they include all elements specified in this requirement. (9.5.1.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who … (Control 17.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs i… (Control 17.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques,… (Control 17.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should conduct periodic exercises to determine if employees and contractors are following the Information Security policies. (Critical Control 9.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. (§ 7.2 ¶ 1 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Where applicable, the organization should evaluate the effectiveness of the training and other actions taken to acquire the necessary competence to confirm the intended result is being achieved. (7.2 ¶ 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • training or competency requirements, including those for emergency response personnel and testing its effectiveness. (8.2 ¶ 4 Bullet 17, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The training program may monitor and record the skill levels against the training requirements. (§ 6.5 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; (§ 7.2.1 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • assessed for effectiveness; (§ 7.2.2 ¶ 4 h), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and (§ 7.2 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (§ 7.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and (§ 7.2 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • assessed for effectiveness; (§ 7.2.3 ¶ 2 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. (§ 7.2.1 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (7.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. (7.1.6 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (§ 7.2.1 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • assessed for effectiveness; (§ 7.2.3 ¶ 2 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; (Section 7.2 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; (§ 7.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • verify the knowledge and understanding of messages both at the end of an awareness session and at random between sessions; and (§ 7.3 Guidance ¶ 1(f), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Does the program include a scored test to evaluate successful completion? (§ E.4.2, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignm… (§ 3.2.7 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Format of the business continuity training program. (VI Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Meeting regularly to discuss policy changes, testing plans, and training. (App A Objective 2:5h, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Resolving weaknesses identified in exercises, tests, and training. (App A Objective 2:5g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Maintenance and use of IT architecture knowledge. (App A Objective 2:9a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Allocated resources to support the software (e.g., financial and personnel) and determined that personnel have the expertise to maintain and patch the software. (App A Objective 13:5c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluates whether the institution has the necessary resources, personnel training, and testing to maximize the effectiveness of the controls. (App A Objective 6.5.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determines whether there is adequate training, including cybersecurity training, for institution staff. (App A Objective 2:6 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the adequacy of the institution's training programs. Determine whether the institution has or supports the following: (App A Objective 5:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management has effective hiring and training practices that include the following: (App A Objective 12:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review staff training programs and determine if they are appropriate for supporting policies. (App A Tier 1 Objectives and Procedures Objective 4:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Additionally, training programs should be carefully developed to ensure that each employee has received training relevant and necessary to his job functions. Further, ensure that the employees have demonstrated their competence in their job functions. (§ 6.2.13 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop or assist in the development of written tests for measuring and assessing learner proficiency. (T0323, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of course evaluations. (T0318, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that training meets the goals and objectives for cybersecurity training, education, or awareness. (T0467, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct learning needs assessments and identify requirements. (T0352, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or assist in the development of grading and proficiency standards. (T0319, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assess effectiveness and efficiency of instruction according to ease of instructional technology use and student learning, knowledge transfer, and satisfaction. (T0345, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must test the personnel's knowledge of the security policies and procedures to verify they understand their roles and responsibilities. (SG.AT-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must conduct the security responsibility testing on a defined frequency or when required due to technology or procedural changes. (SG.AT-6 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Develop or assist in the development of written tests for measuring and assessing learner proficiency. (T0323, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist in the development of grading and proficiency standards. (T0319, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assess effectiveness and efficiency of instruction according to ease of instructional technology use and student learning, knowledge transfer, and satisfaction. (T0345, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct learning needs assessments and identify requirements. (T0352, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that training meets the goals and objectives for cybersecurity training, education, or awareness. (T0467, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop or assist in the development of course evaluations. (T0318, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • ongoing employee training, (§ 38a-999b(b)(2)(D)(ii)(I), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)