Include in scope external requirements in the training plan, as necessary.


CONTROL ID: 13041
CONTROL TYPE: Training
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • IRAP assessors are required to maintain and demonstrate an in depth understanding of the ISM and IRAP by meeting the following elements: (IRAP Membership Maintaining IRAP assessor membership ICT security knowledge maintenance ¶ 1, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Maintain an up-to-date knowledge of changes ISM. (IRAP Membership Maintaining IRAP assessor membership ICT security knowledge maintenance ¶ 1 2., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: – standards and procedures f… (§ 7.2.2 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Establishes goals and objectives for supporting the BCM program as part of the entity's performance management process. (App A Objective 9:1b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Provides training to support awareness and policy compliance. (App A Objective 6.8.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should mitigate the risks posed by users by doing the following: - Establishing and administering security screening in IT hiring practices. - Establishing and administering a user access program for physical and logical access. - Employing segregation of duties. - Obtaining agreements… (II.C.7 User Security Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Training processes that support the goals and objectives of the institution. (App A Objective 5:6 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • For the ICS environment, this must include control system-specific information security awareness and training for specific ICS applications. In addition, an organization must identify, document, and train all personnel having significant ICS roles and responsibilities. Awareness and training must c… (§ 6.2.2 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)