GV.AT-P1: The workforce is informed and trained on its roles and responsibilities
CSF v1.1 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AT-2: Literacy Training and Awareness
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and When required by system changes or following [Assignment: organization-defined events]; Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined…
AT-3: Role-based Training
Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and When required by system changes; Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and Incorporate…
PM-13: Security and Privacy Workforce
Establish a security and privacy workforce development and improvement program.
PM-14: Testing, Training, and Monitoring
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Are developed and maintained; and Continue to be executed; and Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Cloud Controls Matrix v3.0.1
HRS-09: Training / Awareness
A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
HRS-10: User Responsibility
All personnel shall be made aware of their roles and responsibilities for: Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations; and Maintaining a safe and secure working environment.
MOS-01: Anti-Malware
Anti-malware awareness training, specific to mobile devices, shall be included in the provider’s information security awareness training.
MOS-05: Awareness and Training
The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company’s security awareness and training program.
Critical Security Controls Version 8
14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
NIST Special Publication 800-53 Revision 4
AT-2: Security Awareness Training
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.
AT-3: Role-Based Security Training
The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; When required by information system changes; and [Assignment: organization-defined frequency] thereafter.
PM-13: Information Security Workforce
The organization establishes an information security workforce development and improvement program.
PM-14: Testing, Training, And Monitoring
The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner; Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk…
Critical Security Controls Version 7.1
17: Implement a Security Awareness and Training Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.