Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Security awareness training should educate personnel on their responsibilities and the necessary means for securing personal and sensitive data. Training should include the various regulatory and legal requirements that impact personal and sensitive data handling. Furthermore, training should occur regularly to incorporate changes in organizational procedures, processes, and policies.
- Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
- Verify that a definition of sensitive organizational and personal data exists and is implemented.
- Verify, by interviews or otherwise, that the training program has been implemented.
- Verify that the scope of the training program extends to all employees with access to such data.
- Examine policy and procedures for evidence of review.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.