
Establish, implement, and maintain a security awareness program.


CONTROL ID
11746
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a security awareness and training policy., CC ID: 14022
  • Include configuration management procedures in the security awareness program., CC ID: 13967
  • Include media protection in the security awareness program., CC ID: 16368
  • Document security awareness requirements., CC ID: 12146
  • Include remote access in the security awareness program., CC ID: 13892
  • Document the goals of the security awareness program., CC ID: 12145
  • Compare current security awareness assessment reports to the security awareness baseline., CC ID: 12150
  • Establish and maintain management's commitment to supporting the security awareness program., CC ID: 12151
  • Establish and maintain a steering committee to guide the security awareness program., CC ID: 12149
  • Document the scope of the security awareness program., CC ID: 12148
  • Establish, implement, and maintain a security awareness baseline., CC ID: 12147
  • Encourage interested personnel to obtain security certification., CC ID: 11804
  • Disseminate and communicate the security awareness program to all interested personnel and affected parties., CC ID: 00823
  • Monitor and measure the effectiveness of security awareness., CC ID: 06262


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Moreover, AIs should formulate an effective awareness programme reminding staff at least annually of the importance of complying with the data security policies and procedures, prompt reporting of potential leakage or loss of customer data and the possible disciplinary actions for any violations. (Annex B. ¶ 2, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • It is necessary to implement education and training periodically and in a structured manner. It is necessary to establish systems which make sure that new employees from both schools and other companies take security training. It is also desirable to conduct education and training when security-rela… (C14.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is acknowledged that the human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme. The programme may be periodically updated keeping in view changes in information security, thre… (Critical components of information security 9) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Information security related awareness sessions to users/officials including senior officials and board members (Information Security Governance ¶ 4 Bullet 10, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A comprehensive IT security awareness training program should be established to enhance the overall IT security awareness level in the organisation. The training program should include information on IT security policies and standards as well as individual responsibility in respect of IT security an… (§ 3.4.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A comprehensive IT security awareness training programme should be established to maintain a high level of awareness among all staff in the FI. The content of the training programme should minimally include information on the prevailing cyber threat landscape and its implications, the FI's IT securi… (§ 3.6.1, Technology Risk Management Guidelines, January 2021)
  • Educate employees on ICT security threats and protection measures for personal data. This includes the organisation's ICT security policies, standards and procedures. (Annex A1: Security Awareness 12, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • situational awareness and intelligence; (16(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material t… (Attachment B 1., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution could benefit from developing an initial, and ongoing, training and IT security awareness program. This would typically incorporate any changes in IT security vulnerabilities or the institution's IT security risk management framework. Sound practice would involve the tracking… (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • an indication of the education, awareness-raising and training programmes relating to the national strategy on the security of network and information systems; (Art. 7.1(d), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • providing dynamic risk and incident analysis and situational awareness; (ANNEX I ¶ 1(2)(a)(iv), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT … (Art. 5.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexit… (Art. 13.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • implement, as appropriate, relevant operational conclusions resulting from the tests referred to in point (g) and from post-incident analysis into the ICT risk assessment process and develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilienc… (Art. 16.1. ¶ 2(h), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • training and awareness-raising for information security, (§ 8.1 Subsection 5 ¶ 2 Bullet 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Information security affects all employees without any exceptions. By acting responsibly and with quality awareness, every individual can avoid damages and contribute to success. Raising the awareness for information security and providing appropriate training measures for employees as well as for a… (§ 6 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The implementation of the security safeguards should be evaluated at regular intervals by means of internal audits. These also serve the purpose of collecting and evaluating the experiences made in day-to-day practice. In addition to audits, it is also necessary to perform drills and awareness-raisin… (§ 7.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Finally, all members of staff should be made aware of the fact that commitment, co-operation and responsible behaviour are expected of them not only with regard to the fulfilment of tasks in general, but also with regard to the fulfilment of the "information security" task. (§ 3.4.4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Programmes to promote information security via training and awareness-raising activities may also be announced. (§ 3.4.3 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Train and raise awareness of affected employees (§ 9.5 Subsection 2 Bullet 10, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A security training and awareness-raising programme tailored to specific target groups on the topic of information security is available and mandatory for all internal and external employees of the cloud provider. The programme is updated at regular intervals with respect to the applicable policies … (Section 5.3 HR-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Regular and documented instruction on known basic threats and (Section 5.3 HR-03 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Reaction to occurrence of malware, (2.1.3 Requirements (should) Bullet 1 Sub-Bullet 3, Information Security Assessment, Version 5.1)
  • The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed. (B6.b ¶ 1, NCSC CAF guidance, 3.1)
  • Document security awareness program including all previously listed steps within “Creating the Security Awareness Program,” “Implementing Security Awareness,” and “Sustaining Security Awareness.” (§ 4 ¶ 5 Bullet 1, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Include wireless security awareness in training programs for all users of wireless technologies (4.6.1 D, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. (12.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. (12.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. (12.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policies and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (12.6 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Examine security awareness program procedures and documentation and perform the following: (12.6.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Review the security awareness program to verify it provides awareness to all personnel about the cardholder data security policy and procedures. (12.6.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Reviewed at least once every 12 months, and (12.6.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data. (12.6.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine security awareness program materials to verify the program includes multiple methods of communicating awareness and educating personnel. (12.6.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine security awareness program content, evidence of reviews, and interview personnel to verify that the security awareness program is in accordance with all elements specified in this requirement. (12.6.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine security awareness training content to verify it includes all elements specified in this requirement. (12.6.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewed at least once every 12 months, and (12.6.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data. (12.6.2 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data. (12.6.2 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewed at least once every 12 months, and (12.6.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data. (12.6.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques,… (Control 17.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational pr… (HRS-10, Cloud Controls Matrix, v3.0)
  • Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training. (MOS-01, Cloud Controls Matrix, v3.0)
  • For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate throu… (CIS Control 17: Implement a Security Awareness and Training Program, CIS Controls, 7.1)
  • Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous … (CIS Control 17: Sub-Control 17.3 Implement a Security Awareness Program, CIS Controls, 7.1)
  • Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements (CIS Control 17: Sub-Control 17.4 Update Awareness Content Frequently, CIS Controls, 7.1)
  • For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate throu… (CIS Control 17: Implement a Security Awareness and Training Program, CIS Controls, V7)
  • Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous … (CIS Control 17: Sub-Control 17.3 Implement a Security Awareness Program, CIS Controls, V7)
  • Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements (CIS Control 17: Sub-Control 17.4 Update Awareness Content Frequently, CIS Controls, V7)
  • Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. (CIS Control 14: Security Awareness and Skills Training, CIS Controls, V8)
  • Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, o… (CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program, CIS Controls, V8)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. (§ 12.2.1 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The cloud service provider should provide awareness, education and training for employees, and request contractors to do the same, concerning the appropriate handling of cloud service customer data and cloud service derived data. This data can contain information confidential to a cloud service cust… (§ 7.2.2 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity communicates information to improve privacy knowledge and awareness and to model appropriate behaviors to personnel through a privacy awareness training program. (CC2.2 ¶ 5 Bullet 1 Communicates Information to Improve Privacy Knowledge and Awareness, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program. (PR.AT-3.2, CRI Profile, v1.2)
  • The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them. (RS.CO-5.3, CRI Profile, v1.2)
  • Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program. (PR.AT-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them. (RS.CO-5.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading documents about the service organization's security awareness and training programs, communication of code of conduct, employee handbooks, information security policies, incident notification procedures, and other available documentation to understand the service organization's processes for… (¶ 3.59 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program. [Violation Risk Factor… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems. (CIP-004-6 Table R1 Part 1.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems. (CIP-004-7 Table R1 Part 1.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-7 Table R2 – Cyber Security Training Program. [Violation Risk Factor… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Cyber security awareness; (B. R1. 1.2 1.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Cyber security awareness; (B. R1. 1.2 1.2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (§ 164.308(a)(5)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Develop and participate in information security training programs for the CSOs and ISOs, and provide a means by which to acquire feedback to measure the effectiveness and success of such training. (§ 3.2.10 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Develop and participate in information security training programs for the CSOs and ISOs, and provide a means by which to acquire feedback to measure the effectiveness and success of such training. (§ 3.2.10 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Users' email accounts and Internet browsers are common access points used by threat actors to gain unauthorized access, obtain or compromise sensitive data, or initiate fraud. These attacks frequently take advantage of misconfigured applications, operating systems, and unpatched vulnerabilities by u… (Section 7 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
  • Includes shadow IT in security awareness training. (App A Objective 4:5b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Facilitation of annual information security and awareness training and ongoing security-related communications to employees. (App A Objective 2.5.l, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Provides training to support awareness and policy compliance. (App A Objective 6.8.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Common awareness and enforcement mechanisms between lines of business and information security. (App A Objective 3.2.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the information security program is integrated with the institution's lines of business, support functions, and management of third parties. (App A Objective 2.1.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should develop and implement an information security program that does the following: - Supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls. - Integrates with lines of … (II Information Security Program Management, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should mitigate the risks posed by users by doing the following: - Establishing and administering security screening in IT hiring practices. - Establishing and administering a user access program for physical and logical access. - Employing segregation of duties. - Obtaining agreements… (II.C.7 User Security Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Ensure the existence of a process to promote sound understanding and analysis of threats, events, assets, and controls. (App A Objective 7:4 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Providing information security awareness and training programs. (App A Objective 12:5 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Implement policies and procedures to ensure that personnel are able to enact your information security program by: (§ 314.4 ¶ 1(e), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. (PR.AT Awareness and Training, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. (PR.AT Awareness and Training, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Oversee the information security training and awareness program. (T0157, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals. (T0384, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with business teams and senior management to ensure awareness of "best practices" on privacy and data security issues. (T0868, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Oversee the information security training and awareness program. (T0157, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with business teams and senior management to ensure awareness of "best practices" on privacy and data security issues. (T0868, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct on-going privacy training and awareness activities (T0882, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • an active and ongoing employee security awareness program that is mandatory for all employees who may have access to confidential information provided by the state contracting agency that, at a minimum, advises such employees of the confidentiality of the information, the safeguards required to prot… (¶ 4e-70(b)(2)(D), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organization, a regime of operation, procedures, including for complaints and … (Art. 50, Brazilian Law No. 13709, of August 14, 2018)