PR.AT-4: Senior executives understand their roles and responsibilities

PF v1.0 References:

GV.AT-P2

Description

[csf.tools Note: Subcategories do not have detailed descriptions.]

NIST Special Publication 800-53 Revision 5

AT-3: Role-based Training

Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and When required by system changes; Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and Incorporate…

PM-13: Security and Privacy Workforce

Establish a security and privacy workforce development and improvement program.

NIST Special Publication 800-171 Revision 2

3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The…

3.2.2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel…

Cloud Controls Matrix v3.0.1

GRM-05: Management Support/Involvement

Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.

HRS-07: Roles / Responsibilities

Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.

Critical Security Controls Version 8

14: Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

NIST Special Publication 800-53 Revision 4

AT-3: Role-Based Security Training

The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.

PM-13: Information Security Workforce

The organization establishes an information security workforce development and improvement program.

Critical Security Controls Version 7.1

17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.