compliance controls are associated with this Policy definition 'Document security and privacy training activities' (524e7136-9f6a-75ba-9089-501018151346)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
AT-1 |
FedRAMP_High_R4_AT-1 |
FedRAMP High AT-1 |
Awareness And Training |
Security Awareness And Training Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
FedRAMP_High_R4 |
AT-4 |
FedRAMP_High_R4_AT-4 |
FedRAMP High AT-4 |
Awareness And Training |
Security Training Records |
Shared |
n/a |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
Control Enhancements: None.
References: None. |
link |
3 |
FedRAMP_Moderate_R4 |
AT-1 |
FedRAMP_Moderate_R4_AT-1 |
FedRAMP Moderate AT-1 |
Awareness And Training |
Security Awareness And Training Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
FedRAMP_Moderate_R4 |
AT-4 |
FedRAMP_Moderate_R4_AT-4 |
FedRAMP Moderate AT-4 |
Awareness And Training |
Security Training Records |
Shared |
n/a |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
Control Enhancements: None.
References: None. |
link |
3 |
hipaa |
0108.02d1Organizational.23-02.d |
hipaa-0108.02d1Organizational.23-02.d |
0108.02d1Organizational.23-02.d |
01 Information Protection Program |
0108.02d1Organizational.23-02.d 02.03 During Employment |
Shared |
n/a |
The organization ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with the risk management strategy and response priorities. |
|
8 |
hipaa |
0124.05a3Organizational.1-05.a |
hipaa-0124.05a3Organizational.1-05.a |
0124.05a3Organizational.1-05.a |
01 Information Protection Program |
0124.05a3Organizational.1-05.a 05.01 Internal Organization |
Shared |
n/a |
An information security management committee is chartered and active. |
|
2 |
hipaa |
1302.02e2Organizational.134-02.e |
hipaa-1302.02e2Organizational.134-02.e |
1302.02e2Organizational.134-02.e |
13 Education, Training and Awareness |
1302.02e2Organizational.134-02.e 02.03 During Employment |
Shared |
n/a |
Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. |
|
19 |
hipaa |
1305.02e3Organizational.23-02.e |
hipaa-1305.02e3Organizational.23-02.e |
1305.02e3Organizational.23-02.e |
13 Education, Training and Awareness |
1305.02e3Organizational.23-02.e 02.03 During Employment |
Shared |
n/a |
The organization maintains a documented list of each individual who completes the on-boarding process and maintains all training records for at least five years. |
|
3 |
hipaa |
1314.02e2Organizational.5-02.e |
hipaa-1314.02e2Organizational.5-02.e |
1314.02e2Organizational.5-02.e |
13 Education, Training and Awareness |
1314.02e2Organizational.5-02.e 02.03 During Employment |
Shared |
n/a |
The organization conducts an internal annual review of the effectiveness of its security and privacy education and training program, and updates the program to reflect risks identified in the organization's risk assessment. |
|
4 |
hipaa |
1324.07c1Organizational.3-07.c |
hipaa-1324.07c1Organizational.3-07.c |
1324.07c1Organizational.3-07.c |
13 Education, Training and Awareness |
1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets |
Shared |
n/a |
Employees, contractors and third-party system users are aware of the limits existing for their use of the organization's information and assets associated with information processing facilities and resources; and they are responsible for their use of any information resource and of any use carried out under their responsibility. |
|
8 |
hipaa |
1327.02e2Organizational.8-02.e |
hipaa-1327.02e2Organizational.8-02.e |
1327.02e2Organizational.8-02.e |
13 Education, Training and Awareness |
1327.02e2Organizational.8-02.e 02.03 During Employment |
Shared |
n/a |
The organization trains its workforce to ensure covered information is stored in organization-specified locations. |
|
5 |
hipaa |
1334.02e2Organizational.12-02.e |
hipaa-1334.02e2Organizational.12-02.e |
1334.02e2Organizational.12-02.e |
13 Education, Training and Awareness |
1334.02e2Organizational.12-02.e 02.03 During Employment |
Shared |
n/a |
The organization ensures that the senior executives have been trained in their specific roles and responsibilities. |
|
4 |
ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification of applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
ISO27001-2013 |
A.7.2.2 |
ISO27001-2013_A.7.2.2 |
ISO 27001:2013 A.7.2.2 |
Human Resources Security |
Information security awareness, education and training |
Shared |
n/a |
All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. |
link |
15 |
ISO27001-2013 |
C.4.4 |
ISO27001-2013_C.4.4 |
ISO 27001:2013 C.4.4 |
Context of the organization |
Information security management system |
Shared |
n/a |
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. |
link |
5 |
ISO27001-2013 |
C.5.1.a |
ISO27001-2013_C.5.1.a |
ISO 27001:2013 C.5.1.a |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; |
link |
6 |
ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
b) ensuring the integration of the information security management system requirements into the organization’s processes. |
link |
28 |
ISO27001-2013 |
C.5.2.a |
ISO27001-2013_C.5.2.a |
ISO 27001:2013 C.5.2.a |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization. |
link |
4 |
ISO27001-2013 |
C.5.2.b |
ISO27001-2013_C.5.2.b |
ISO 27001:2013 C.5.2.b |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives. |
link |
4 |
ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
ISO27001-2013 |
C.5.2.e |
ISO27001-2013_C.5.2.e |
ISO 27001:2013 C.5.2.e |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
e) be available as documented information. |
link |
4 |
ISO27001-2013 |
C.5.2.f |
ISO27001-2013_C.5.2.f |
ISO 27001:2013 C.5.2.f |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
f) be communicated within the organization. |
link |
4 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.info.1 Personal data |
mp.info.1 Personal data |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.3 Awareness |
mp.per.3 Awareness |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
mp.per.4 Training |
mp.per.4 Training |
404 not found |
|
|
|
n/a |
n/a |
|
14 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.s.3 Protection of web browsing |
mp.s.3 Protection of web browsing |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
NIST_SP_800-53_R4 |
AT-1 |
NIST_SP_800-53_R4_AT-1 |
NIST SP 800-53 Rev. 4 AT-1 |
Awareness And Training |
Security Awareness And Training Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
NIST_SP_800-53_R4 |
AT-4 |
NIST_SP_800-53_R4_AT-4 |
NIST SP 800-53 Rev. 4 AT-4 |
Awareness And Training |
Security Training Records |
Shared |
n/a |
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
Control Enhancements: None.
References: None. |
link |
3 |
NIST_SP_800-53_R5 |
AT-1 |
NIST_SP_800-53_R5_AT-1 |
NIST SP 800-53 Rev. 5 AT-1 |
Awareness and Training |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
2 |
NIST_SP_800-53_R5 |
AT-4 |
NIST_SP_800-53_R5_AT-4 |
NIST SP 800-53 Rev. 5 AT-4 |
Awareness and Training |
Training Records |
Shared |
n/a |
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for [Assignment: organization-defined time period]. |
link |
3 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
PCI_DSS_v4.0 |
12.6.1 |
PCI_DSS_v4.0_12.6.1 |
PCI DSS v4.0 12.6.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Security awareness education is an ongoing activity |
Shared |
n/a |
A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data. |
link |
2 |
SWIFT_CSCF_v2022 |
7.2 |
SWIFT_CSCF_v2022_7.2 |
SWIFT CSCF v2022 7.2 |
7. Plan for Incident Response and Information Sharing |
Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. |
Shared |
n/a |
Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). |
link |
11 |