HRS-12: Personal and Sensitive Data Awareness and Training

Control Family:

Human Resources

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set and incorporates the following items from the previous version: HRS-09: Training / Awareness, HRS-10: User Responsibility.

Control Statement

Provide all employees who have access to sensitive organizational and personal data with appropriate security awareness training, and with regular updates on the organizational procedures, processes, and policies that relate to their professional function within the organization.

Implementation Guidance

Security awareness training should educate personnel on their responsibilities and the necessary means for securing personal and sensitive data. Training should include the various regulatory and legal requirements that impact personal and sensitive data handling. Furthermore, training should occur regularly to incorporate changes in organizational procedures, processes, and policies.

Auditing Guidance

  1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
  2. Verify that a definition of sensitive organizational and personal data exists, and is implemented.
  3. Verify, by interviews or otherwise, that the training program has been implemented.
  4. Verify that the scope of the training program extends to all employees with access to such data.
  5. Examine policy and procedures for evidence of review.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.