PR.AT-1: All users are informed and trained

PF v1.0 References:

Description

[csf.tools Note: Subcategories do not have detailed descriptions.]

Related Controls

NIST Special Publication 800-53 Revision 5

AT-2: Literacy Training and Awareness

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and When required by system changes or following [Assignment: organization-defined events]; Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined…

PM-14: Testing, Training, and Monitoring

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Are developed and maintained; and Continue to be executed; and Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

NIST Special Publication 800-171 Revision 2

3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The…

3.2.2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel…

3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat

Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices…

Cloud Controls Matrix v3.0.1

HRS-09: Training / Awareness

A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

HRS-10: User Responsibility

All personnel shall be made aware of their roles and responsibilities for: Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. Maintaining a safe and secure working environment

MOS-01: Anti-Malware

Anti-malware awareness training, specific to mobile devices, shall be included in the provider’s information security awareness training.

MOS-05: Awareness and Training

The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company’s security awareness and training program.

Critical Security Controls Version 8

14: Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

16: Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

17: Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

NIST Special Publication 800-53 Revision 4

AT-2: Security Awareness Training

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.

Critical Security Controls Version 7.1

17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.