
Tailor training to be taught at each person's level of responsibility.

CONTROL ID
06674
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an education methodology., CC ID: 06671

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should align the person's roles and responsibilities to the exact degree and content of the information security awareness and training. (Control: 0253, Australian Government Information Security Manual: Controls)
  • A regulated institution would typically implement source code review (both peer reviews, as well as automated analysis reviews) as part of the software testing strategy to identify insecure code. Source code reviews are normally conducted by an individual other than the original author. The individu… (Attachment D ¶ 3, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexit… (Art. 13.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The programme takes different profiles into account and includes further information for posts and employees who have extensive authorisations or access to sensitive data. External employees of service providers and suppliers of the cloud provider, who contribute to the development or operation of t… (Section 5.3 HR-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The entity provides a privacy awareness program about its privacy policies and related matters, and provides specific training for selected personnel depending on their roles and responsibilities. (M1.2 Privacy awareness and training, Privacy Management Framework, Updated March 1, 2020)
  • Personnel in responsible positions should receive training for managing and using systems in their field of responsibility. (¶ 1, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Identify who you will be targeting—different roles may require different/additional training (employees, IT personnel, developers, senior leadership). (§ 4 ¶ 2 Bullet 8, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components? (2.2.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Personnel shall be trained, as appropriate for their duties, in avoiding, detecting, mitigating, and disposing of suspect fraudulent and counterfeit parts. (§ 4.2.10.a, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Personnel directly handling electronic parts shall be trained in ways to detect suspect fraudulent or counterfeit parts. (§ 4.2.10.b, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Personnel who are responsible for detecting fraudulent or counterfeit parts with specialized technology and methods shall be trained to ensure their competence in its use. (§ 4.2.10.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Personnel who are responsible for detecting fraudulent or counterfeit parts with radiographic inspection shall be trained and certified to NAS-410 National Aerospace Standard or its equivalent. (§ 4.2.10.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The Pandemic Response Plan leadership will be identified as a small team which will oversee the creation and updates of the plan. The leadership will also be responsible for developing internal expertise on the transmission of diseases and other areas such as second wave phenomenon to guide planning… (4.1, Pandemic Response Planning Policy)
  • A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational pr… (HRS-10, Cloud Controls Matrix, v3.0)
  • The organization should identify the necessary competencies to achieve the intended outcome of the environmental management system and address gaps, including taking actions when needed to acquire the necessary competence. Documented information can be useful to ensure that identified competency nee… (7.2 ¶ 4, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • changes in the needs of the individual and the organization responsible for the conduct of the audit; (§ 7.6 ¶ 3(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • tailored to the obligations and compliance risks related to the roles and responsibilities of the employee; (§ 7.2.2 ¶ 4 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • relevant to the day-to-day work of employees and illustrative of the industry, organization or sector concerned; (§ 7.2.2 ¶ 4 f), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • change of position or responsibilities; (§ 7.2.2 ¶ 5 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • appropriate to the roles of personnel and the compliance risks to which personnel are exposed; (§ 7.2.3 ¶ 2 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • appropriate to the roles of personnel and the compliance risks to which personnel are exposed; (§ 7.2.3 ¶ 2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the services relevant to their work; (§ 7.3 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall determine and maintain the knowledge necessary to support the operation of the SMS and the services. (§ 7.6 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • requirements for appropriate education, training and experience; (§ 8.5.2.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • To prepare for succession, the board of directors and management must develop contingency plans for assigning responsibilities important to enterprise risk management. In particular, succession plans for key executives need to be defined, and succession candidates should be trained, coached, and men… (Preparing for Succession ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Train: Enable individuals to develop and maintain enterprise risk management competencies appropriate for assigned roles and responsibilities, reinforce standards of conduct and desired levels of competence, tailor training to specific needs, and consider a mix of delivery techniques, including clas… (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Personnel are furnished specific training based on their roles and responsibilities. (Generally Accepted Privacy Principles and Criteria § 1.2.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should provide specific training to personnel based on their roles and responsibilities. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Is security training commensurate with levels of responsibilities and access? (§ E.4.4, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Do constituents responsible for Information Security undergo additional training? (§ E.4.5, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • The training for System Administrators must include Public Key Infrastructure awareness. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • The training for System Administrators must include how to configure the system for certificate-based logon. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • The training for System Administrators must include how to configure the system for digital signatures. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • The training for System Administrators must include how to configure the system to encrypt e-mail. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • The training for System Administrators must include how to configure the system for web server certificates. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must designate personnel who can override false rejections and ensure they have the proper training for implementing the fallback procedures and verifying a user's identity. (§ 4.5.2 ¶ BIO6040, DISA Access Control STIG, Version 2, Release 3)
  • The Information Assurance training must include familiarizing users with their assigned responsibilities. (PRTN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Ensure each LASO receives enhanced security awareness training (ref. Section 5.2). (§ 3.2.2 ¶ 1(2)(f), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Summary of audit findings from previous state audits of local agencies. (§ 5.2.2 ¶ 2 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Assess whether management tailors training to the target audience, based on the audience's needs. The target audience could include: (App A Objective 9:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Inventories the current skillsets for BCM and identifies and addresses any training gaps. (App A Objective 9:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Obtains sufficient knowledge for management and personnel to interpret dashboards and reports. (App A Objective 3:9e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate training for IT support personnel to perform their duties, if IT support software is used. (App A Objective 16:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-3c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-3c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-3c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., FedRAMP Security Controls High Baseline, Version 5)
  • Before authorizing access to the system, information, or performing assigned duties, and [FedRAMP Assignment: at least annually] thereafter; and (AT-3a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., FedRAMP Security Controls Low Baseline, Version 5)
  • Before authorizing access to the system, information, or performing assigned duties, and [FedRAMP Assignment: at least annually] thereafter; and (AT-3a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Before authorizing access to the system, information, or performing assigned duties, and [FedRAMP Assignment: at least annually] thereafter; and (AT-3a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Have key employees received training on network controls, application controls, and security controls? (IT - WLANS Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The C-SCRM Strategy and Implementation Plan should address the acquisition security-relevant foundational elements necessary to implement a C-SCRM program. To support the strategy, enterprise leaders should promote the value and importance of C-SCRM within acquisitions and ensure that sufficient, de… (3.1.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Those individuals who have more significant roles in managing cybersecurity risks throughout the supply chain should receive tailored C-SCRM training that helps them understand the scope of their responsibilities, the specific processes and procedure implementations for which they are responsible, a… (3.3. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provide leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities. (T0206, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Correlate training and learning to business or mission requirements. (T0437, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create training courses tailored to the audience and physical environment. (T0442, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Individuals who have been granted access to personally identifiable information should receive appropriate training and, where applicable, specific role-based training. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should conduct training on how to interact with the media about security incidents. (§ 5.1 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Training for personnel with contingency plan responsibilities should focus on familiarizing them with ISCP roles and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training … (§ 3.5.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases). (§ 3.5.2 ¶ 1 Bullet 6, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should determine what the content of the security training will be based on the roles and responsibilities and the organizational requirements. (SG.AT-3 Supplemental Guidance, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security engineering principles must include the ongoing secure development training requirements for smart grid system developers. (SG.SA-8 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. (3.2.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. (3.2.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Provide leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities. (T0206, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Create training courses tailored to the audience and physical environment. (T0442, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Correlate training and learning to business or mission requirements. (T0437, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities. (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities {organizationally documented frequency} thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities. (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities {organizationally documented frequency} thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities. (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities {organizationally documented frequency} thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities. (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities {organizationally documented frequency} thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequenc… (AR-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: (AT-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and (AT-3a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind (PR.AT-01, The NIST Cybersecurity Framework, v2.0)
  • Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind (PR.AT-02, The NIST Cybersecurity Framework, v2.0)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, TX-RAMP Security Controls Baseline Level 1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., TX-RAMP Security Controls Baseline Level 1)
  • Before authorizing access to the information system or performing assigned duties; (AT-3a., TX-RAMP Security Controls Baseline Level 2)
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities: (AT-3 Control, TX-RAMP Security Controls Baseline Level 2)