Include duties and responsibilities in the training plan, as necessary.
CONTROL ID
12800
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

This Control has the following implementation support Control(s):
  • Conduct bespoke roles and responsibilities training, as necessary., CC ID: 13192

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • responsibilities with respect to any end-user developed/configured software (including spreadsheets, databases and office automation); (Attachment B 2(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • responsibilities with respect to any end user developed/configured software (including spreadsheets, databases and office automation); (¶ 34(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A regulated institution would regularly educate users as to their responsibilities regarding securing IT assets. Common areas covered would normally include: (¶ 34, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session perfo… (DS7.2 Delivery of Training and Education, CobiT, Version 4.1)
  • Establish and regularly update a curriculum for each target group of employees considering: - Current and future business needs and strategy - Value of information as an asset - Corporate values (ethical values, control and security culture, etc.) - Implementation of new IT infrastructure and soft… (DS7.1 Identification of Education and Training Needs, CobiT, Version 4.1)
  • Develop a plan to educate the governing authority, management, the workforce, and the extended enterprise about their responsibilities and expected conduct. (OCEG GRC Capability Model, v. 3.0, P4.1 Define an Awareness and Education Plan, OCEG GRC Capability Model, v 3.0)
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 ¶ 4 Bullet 1 Communicates Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 Communicates Responsibilities, Trust Services Criteria)
  • The entity communicates its objectives to personnel to enable them to carry out their responsibilities. (CC2.2 Communicates System Objectives, Trust Services Criteria)
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 ¶ 4 Bullet 1 Communicates Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The entity communicates its objectives to personnel to enable them to carry out their responsibilities. (CC2.2 ¶ 5 Bullet 2 Communicates System Objectives, Trust Services Criteria, (includes March 2020 updates))
  • Security training is key to the human element of information security. All users with authorized access to CJI should be made aware of their individual responsibilities and expected behavior when accessing CJI and the systems which process CJI. LASOs require enhanced training on the specific duties … (§ 5.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Individual accountability—explain what this means in the agency. (§ 5.2.1.3 ¶ 1(13), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Individual accountability—explain what this means in the agency. (§ 5.2.1.3 ¶ 1 13., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Those individuals who have more significant roles in managing cybersecurity risks throughout the supply chain should receive tailored C-SCRM training that helps them understand the scope of their responsibilities, the specific processes and procedure implementations for which they are responsible, a… (3.3. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)