The following compliance controls are associated with this Policy definition 'Provide role-based security training' (4c385143-09fd-3a34-790c-a5fd9ec77ddc).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | AT-3 | FedRAMP_High_R4_AT-3 | FedRAMP High AT-3 | Awareness And Training | Role-Based Security Training | Shared | n/a | The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. | link | 3 |
| FedRAMP_Moderate_R4 | AT-3 | FedRAMP_Moderate_R4_AT-3 | FedRAMP Moderate AT-3 | Awareness And Training | Role-Based Security Training | Shared | n/a | The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. | link | 3 |
| hipaa | 0104.02a1Organizational.12-02.a | hipaa-0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a | 01 Information Protection Program | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Shared | n/a | User security roles and responsibilities are clearly defined and communicated. | | 14 |
| hipaa | 0109.02d1Organizational.4-02.d | hipaa-0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d | 01 Information Protection Program | 0109.02d1Organizational.4-02.d 02.03 During Employment | Shared | n/a | Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). | | 20 |
| hipaa | 0122.05a2Organizational.3-05.a | hipaa-0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a | 01 Information Protection Program | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Shared | n/a | The individual responsible for information security in the organization is qualified for the role. | | 6 |
| hipaa | 1301.02e1Organizational.12-02.e | hipaa-1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e | 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e 02.03 During Employment | Shared | n/a | Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. | | 17 |
| hipaa | 1304.02e3Organizational.1-02.e | hipaa-1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e | 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e 02.03 During Employment | Shared | n/a | Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. | | 9 |
| hipaa | 1309.01x1System.36-01.x | hipaa-1309.01x1System.36-01.x | 1309.01x1System.36-01.x | 13 Education, Training and Awareness | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Shared | n/a | Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections). | | 6 |
| hipaa | 1310.01y1Organizational.9-01.y | hipaa-1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y | 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Shared | n/a | Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. | | 10 |
| hipaa | 1315.02e2Organizational.67-02.e | hipaa-1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e | 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e 02.03 During Employment | Shared | n/a | The organization provides specialized security and privacy education and training appropriate to the employee's roles/responsibilities, including organizational business unit security POCs and system/software developers. | | 6 |
| ISO27001-2013 | A.7.2.2 | ISO27001-2013_A.7.2.2 | ISO 27001:2013 A.7.2.2 | Human Resources Security | Information security awareness, education and training | Shared | n/a | All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | link | 15 |
| | mp.eq.3 Protection of portable devices | mp.eq.3 Protection of portable devices | 404 not found | | | | n/a | n/a | | 71 |
| | mp.per.1 Job characterization | mp.per.1 Job characterization | 404 not found | | | | n/a | n/a | | 41 |
| | mp.per.3 Awareness | mp.per.3 Awareness | 404 not found | | | | n/a | n/a | | 15 |
| | mp.per.4 Training | mp.per.4 Training | 404 not found | | | | n/a | n/a | | 14 |
| | mp.s.1 E-mail protection | mp.s.1 E-mail protection | 404 not found | | | | n/a | n/a | | 48 |
| | mp.s.3 Protection of web browsing | mp.s.3 Protection of web browsing | 404 not found | | | | n/a | n/a | | 51 |
| | mp.si.3 Custody | mp.si.3 Custody | 404 not found | | | | n/a | n/a | | 27 |
| NIST_SP_800-53_R4 | AT-3 | NIST_SP_800-53_R4_AT-3 | NIST SP 800-53 Rev. 4 AT-3 | Awareness And Training | Role-Based Security Training | Shared | n/a | The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. | link | 3 |
| NIST_SP_800-53_R5 | AT-3 | NIST_SP_800-53_R5_AT-3 | NIST SP 800-53 Rev. 5 AT-3 | Awareness and Training | Role-based Training | Shared | n/a | a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training. | link | 3 |
| PCI_DSS_v4.0 | 12.6.3 | PCI_DSS_v4.0_12.6.3 | PCI DSS v4.0 12.6.3 | Requirement 12: Support Information Security with Organizational Policies and Programs | Security awareness education is an ongoing activity | Shared | n/a | Personnel receive security awareness training as follows: • Upon hire and at least once every 12 months. • Multiple methods of communication are used. • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures. | link | 8 |
| SWIFT_CSCF_v2022 | 12.1 | SWIFT_CSCF_v2022_12.1 | SWIFT CSCF v2022 12.1 | 12. Ensure Knowledge is Available | Ensure quality of service to customers through SWIFT certified employees. | Shared | n/a | Ensure quality of service to customers through SWIFT certified employees. | link | 3 |
| SWIFT_CSCF_v2022 | 7.2 | SWIFT_CSCF_v2022_7.2 | SWIFT CSCF v2022 7.2 | 7. Plan for Incident Response and Information Sharing | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Shared | n/a | Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). | link | 11 |