compliance controls are associated with this Policy definition 'Provide periodic security awareness training' (516be556-1353-080d-2c2f-f46f000d5785)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
AT-2 |
FedRAMP_High_R4_AT-2 |
FedRAMP High AT-2 |
Awareness And Training |
Security Awareness Training |
Shared |
n/a |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. |
link |
3 |
FedRAMP_Moderate_R4 |
AT-2 |
FedRAMP_Moderate_R4_AT-2 |
FedRAMP Moderate AT-2 |
Awareness And Training |
Security Awareness Training |
Shared |
n/a |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. |
link |
3 |
hipaa |
0109.02d1Organizational.4-02.d |
hipaa-0109.02d1Organizational.4-02.d |
0109.02d1Organizational.4-02.d |
01 Information Protection Program |
0109.02d1Organizational.4-02.d 02.03 During Employment |
Shared |
n/a |
Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). |
|
20 |
hipaa |
0111.02d2Organizational.2-02.d |
hipaa-0111.02d2Organizational.2-02.d |
0111.02d2Organizational.2-02.d |
01 Information Protection Program |
0111.02d2Organizational.2-02.d 02.03 During Employment |
Shared |
n/a |
Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data. |
|
9 |
hipaa |
0214.09j1Organizational.6-09.j |
hipaa-0214.09j1Organizational.6-09.j |
0214.09j1Organizational.6-09.j |
02 Endpoint Protection |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. |
|
13 |
hipaa |
1109.01b1System.479-01.b |
hipaa-1109.01b1System.479-01.b |
1109.01b1System.479-01.b |
11 Access Control |
1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. |
|
24 |
hipaa |
11220.01b1System.10-01.b |
hipaa-11220.01b1System.10-01.b |
11220.01b1System.10-01.b |
11 Access Control |
11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts. |
|
26 |
hipaa |
1301.02e1Organizational.12-02.e |
hipaa-1301.02e1Organizational.12-02.e |
1301.02e1Organizational.12-02.e |
13 Education, Training and Awareness |
1301.02e1Organizational.12-02.e 02.03 During Employment |
Shared |
n/a |
Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. |
|
17 |
hipaa |
1302.02e2Organizational.134-02.e |
hipaa-1302.02e2Organizational.134-02.e |
1302.02e2Organizational.134-02.e |
13 Education, Training and Awareness |
1302.02e2Organizational.134-02.e 02.03 During Employment |
Shared |
n/a |
Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. |
|
19 |
hipaa |
1308.09j1Organizational.5-09.j |
hipaa-1308.09j1Organizational.5-09.j |
1308.09j1Organizational.5-09.j |
13 Education, Training and Awareness |
1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. |
|
12 |
hipaa |
1309.01x1System.36-01.x |
hipaa-1309.01x1System.36-01.x |
1309.01x1System.36-01.x |
13 Education, Training and Awareness |
1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections). |
|
6 |
hipaa |
1310.01y1Organizational.9-01.y |
hipaa-1310.01y1Organizational.9-01.y |
1310.01y1Organizational.9-01.y |
13 Education, Training and Awareness |
1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. |
|
10 |
hipaa |
1315.02e2Organizational.67-02.e |
hipaa-1315.02e2Organizational.67-02.e |
1315.02e2Organizational.67-02.e |
13 Education, Training and Awareness |
1315.02e2Organizational.67-02.e 02.03 During Employment |
Shared |
n/a |
The organization provides specialized security and privacy education and training appropriate to the employee's roles/responsibilities, including organizational business unit security POCs and system/software developers. |
|
6 |
hipaa |
1325.09s1Organizational.3-09.s |
hipaa-1325.09s1Organizational.3-09.s |
1325.09s1Organizational.3-09.s |
13 Education, Training and Awareness |
1325.09s1Organizational.3-09.s 09.08 Exchange of Information |
Shared |
n/a |
Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic). |
|
11 |
hipaa |
1327.02e2Organizational.8-02.e |
hipaa-1327.02e2Organizational.8-02.e |
1327.02e2Organizational.8-02.e |
13 Education, Training and Awareness |
1327.02e2Organizational.8-02.e 02.03 During Employment |
Shared |
n/a |
The organization trains its workforce to ensure covered information is stored in organization-specified locations. |
|
5 |
hipaa |
1334.02e2Organizational.12-02.e |
hipaa-1334.02e2Organizational.12-02.e |
1334.02e2Organizational.12-02.e |
13 Education, Training and Awareness |
1334.02e2Organizational.12-02.e 02.03 During Employment |
Shared |
n/a |
The organization ensures that the senior executives have been trained in their specific roles and responsibilities. |
|
4 |
hipaa |
1336.02e1Organizational.5-02.e |
hipaa-1336.02e1Organizational.5-02.e |
1336.02e1Organizational.5-02.e |
13 Education, Training and Awareness |
1336.02e1Organizational.5-02.e 02.03 During Employment |
Shared |
n/a |
The organization’s security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and, (iv) how frequently security awareness and training is provided to all workforce members. |
|
7 |
ISO27001-2013 |
A.12.2.1 |
ISO27001-2013_A.12.2.1 |
ISO 27001:2013 A.12.2.1 |
Operations Security |
Controls against malware |
Shared |
n/a |
Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
link |
12 |
ISO27001-2013 |
A.7.2.2 |
ISO27001-2013_A.7.2.2 |
ISO 27001:2013 A.7.2.2 |
Human Resources Security |
Information security awareness, education and training |
Shared |
n/a |
All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. |
link |
15 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.3 Awareness |
mp.per.3 Awareness |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
mp.per.4 Training |
mp.per.4 Training |
404 not found |
|
|
|
n/a |
n/a |
|
14 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.3 Protection of web browsing |
mp.s.3 Protection of web browsing |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
NIST_SP_800-171_R2_3 |
.2.1 |
NIST_SP_800-171_R2_3.2.1 |
NIST SP 800-171 R2 3.2.1 |
Awareness and Training |
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards,& procedures related to the security of those systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. [SP 800-50] provides guidance on security awareness and training programs. |
link |
2 |
NIST_SP_800-53_R4 |
AT-2 |
NIST_SP_800-53_R4_AT-2 |
NIST SP 800-53 Rev. 4 AT-2 |
Awareness And Training |
Security Awareness Training |
Shared |
n/a |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. |
link |
3 |
NIST_SP_800-53_R5 |
AT-2 |
NIST_SP_800-53_R5_AT-2 |
NIST SP 800-53 Rev. 5 AT-2 |
Awareness and Training |
Literacy Training and Awareness |
Shared |
n/a |
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and
2. When required by system changes or following [Assignment: organization-defined events];
b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. |
link |
3 |
|
op.exp.6 Protection against harmful code |
op.exp.6 Protection against harmful code |
404 not found |
|
|
|
n/a |
n/a |
|
63 |
PCI_DSS_v4.0 |
12.6.3 |
PCI_DSS_v4.0_12.6.3 |
PCI DSS v4.0 12.6.3 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Security awareness education is an ongoing activity |
Shared |
n/a |
Personnel receive security awareness training as follows:
• Upon hire and at least once every 12 months.
• Multiple methods of communication are used.
• Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures. |
link |
8 |
SOC_2 |
CC1.4 |
SOC_2_CC1.4 |
SOC 2 Type 2 CC1.4 |
Control Environment |
COSO Principle 4 |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Policies and Practices — Policies and practices reflect expectations of
competence necessary to support the achievement of objectives.
• Evaluates Competence and Addresses Shortcomings — The board of directors and
management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
• Attracts, Develops, and Retains Individuals — The entity provides the mentoring
and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
• Plans and Prepares for Succession — Senior management and the board of directors
develop contingency plans for assignments of responsibility important for internal
control.
Additional point of focus specifically related to all engagements using the trust services criteria:Page 16
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
• Considers the Background of Individuals — The entity considers the background of
potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.
• Considers the Technical Competency of Individuals — The entity considers the
technical competency of potential and existing personnel, contractors, and vendor
employees when determining whether to employ and retain the individuals.
• Provides Training to Maintain Technical Competencies — The entity provides
training programs, including continuing education and training, to ensure skill sets
and technical competency of existing personnel, contractors, and vendor employees
are developed and maintained |
|
5 |
SOC_2 |
CC2.2 |
SOC_2_CC2.2 |
SOC 2 Type 2 CC2.2 |
Communication and Information |
COSO Principle 14 |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their
internal control responsibilities.
• Communicates With the Board of Directors — Communication exists between
management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
• Provides Separate Communication Lines — Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of • Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their
responsibilities, and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting Failures, Incidents, Concerns, and Other
Matters — Entity personnel are provided with information on how to report systems
failures, incidents, concerns, and other complaints to personnel.
• Communicates Objectives and Changes to Objectives — The entity communicates
its objectives and changes to those objectives to personnel in a timely manner.
• Communicates Information to Improve Security Knowledge and Awareness — The
entity communicates information to improve security knowledge and awareness and
to model appropriate security behaviors to personnel through a security awareness
training program |
|
9 |
SWIFT_CSCF_v2022 |
7.2 |
SWIFT_CSCF_v2022_7.2 |
SWIFT CSCF v2022 7.2 |
7. Plan for Incident Response and Information Sharing |
Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. |
Shared |
n/a |
Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). |
link |
11 |