[csf.tools Note: Subcategories do not have detailed descriptions.]
NIST Special Publication 800-53 Revision 5
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and When required by system changes or following [Assignment: organization-defined events]; Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined…
Establish a security and privacy workforce development and improvement program.
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Are developed and maintained; and Continue to be executed; and Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
NIST Special Publication 800-171 Revision 2
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The…
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel…
Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices…
Cloud Controls Matrix v3.0.1
A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
All personnel shall be made aware of their roles and responsibilities for: Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. Maintaining a safe and secure working environment
Anti-malware awareness training, specific to mobile devices, shall be included in the provider’s information security awareness training.
The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company’s security awareness and training program.
Critical Security Controls Version 7.1
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Critical Security Controls Version 8
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
NIST Special Publication 800-53 Revision 4
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.
The organization establishes an information security workforce development and improvement program.