Training and Awareness

Each organization should establish a routine, periodic training program for board members/owners, managers, and staff. The extent of this program depends on the organization's needs. Some organizations require strict training for regulatory compliance, while others should run one simply to educate their people and protect their information systems. The most basic form of training acceptable in compliance environments is requiring all staff to read and sign all policies. However, that is generally insufficient, and most organizations incorporate both formal and informal training into their operations.

Category: Training and Awareness
Sub-Category: General Awareness Training
Name: Code of Conduct Training
Activity: [Workforce personnel as defined by the organization] complete a code of business conduct training.

Category: Training and Awareness
Sub-Category: General Awareness Training
Name: General Security Awareness Training
Activity: [Workforce personnel as defined by the organization] complete security awareness training, which includes updates about relevant policies and how to report security events to the authorized response team. Records of training completion are documented and retained for tracking purposes.

Category: Training and Awareness
Sub-Category: Role-Based Training
Name: Developer Security Training
Activity: [The organization's] software engineers are required to complete training on secure coding techniques [in accordance with the organization-defined frequency].

Category: Training and Awareness
Sub-Category: Role-Based Training
Name: Payment Card Processing Security Awareness Training
Activity: [The organization] personnel who interact with cardholder data systems receive awareness training so that they can recognize attempted tampering with or replacement of devices. Training should include the following:
• verify the identity of third-party persons claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices
• do not install, replace, or return devices without verification
• be aware of suspicious behavior around devices (e.g., attempts by unknown persons to unplug or open devices)
• report suspicious behavior and indications of device tampering or substitution to authorized personnel (e.g., a manager or security officer)

Category: Training and Awareness
Sub-Category: Role-Based Training
Name: Role-based Security Training
Activity: [The organization] personnel with key security responsibilities complete relevant role-based training [in accordance with the organization-defined frequency]:
• personnel must complete training prior to obtaining access to privileged security systems
• personnel with contingency responsibilities must complete role-based training [in accordance with the organization-defined frequency]
• records of training completion are documented and retained for tracking purposes

Category: Training and Awareness
Sub-Category: Role-Based Training
Name: Role-based Security Training: HIPAA
Activity: [The organization] personnel with access to personal health information (PHI) are required to attend and complete HIPAA privacy training.