The following compliance controls are associated with this Policy definition 'Provide contingency training' (de936662-13dc-204c-75ec-1af80f994088).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CP-3 | FedRAMP_High_R4_CP-3 | FedRAMP High CP-3 | Contingency Planning | Contingency Training | Shared | n/a | The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. | link | 1 |
| FedRAMP_Moderate_R4 | CP-3 | FedRAMP_Moderate_R4_CP-3 | FedRAMP Moderate CP-3 | Contingency Planning | Contingency Training | Shared | n/a | Same control text, supplemental guidance, related controls and references as FedRAMP High CP-3 above. | link | 1 |
| hipaa | 1304.02e3Organizational.1-02.e | hipaa-1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e | 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e 02.03 During Employment | Shared | n/a | Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. | | 9 |
| hipaa | 1311.12c2Organizational.3-12.c | hipaa-1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c | 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The organization’s employees are provided with crisis management awareness and training. | | 3 |
| hipaa | 1313.02e1Organizational.3-02.e | hipaa-1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e | 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e 02.03 During Employment | Shared | n/a | The organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within 90 days of assuming an incident response role or responsibility; when required by information system changes; and within every 365 days thereafter. | | 3 |
| hipaa | 1669.12d1Organizational.8-12.d | hipaa-1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d | 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The business continuity planning framework addresses a specific, minimal set of information security requirements. | | 6 |
| ISO27001-2013 | A.7.2.2 | ISO27001-2013_A.7.2.2 | ISO 27001:2013 A.7.2.2 | Human Resources Security | Information security awareness, education and training | Shared | n/a | All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | link | 15 |
| | mp.eq.3 Protection of portable devices | mp.eq.3 Protection of portable devices | | | | | n/a | n/a | | 71 |
| | mp.per.1 Job characterization | mp.per.1 Job characterization | | | | | n/a | n/a | | 41 |
| | mp.per.3 Awareness | mp.per.3 Awareness | | | | | n/a | n/a | | 15 |
| | mp.per.4 Training | mp.per.4 Training | | | | | n/a | n/a | | 14 |
| | mp.s.1 E-mail protection | mp.s.1 E-mail protection | | | | | n/a | n/a | | 48 |
| | mp.s.3 Protection of web browsing | mp.s.3 Protection of web browsing | | | | | n/a | n/a | | 51 |
| | mp.si.3 Custody | mp.si.3 Custody | | | | | n/a | n/a | | 27 |
| NIST_SP_800-53_R4 | CP-3 | NIST_SP_800-53_R4_CP-3 | NIST SP 800-53 Rev. 4 CP-3 | Contingency Planning | Contingency Training | Shared | n/a | Same control text, supplemental guidance, related controls and references as FedRAMP High CP-3 above. | link | 1 |
| NIST_SP_800-53_R5 | CP-3 | NIST_SP_800-53_R5_CP-3 | NIST SP 800-53 Rev. 5 CP-3 | Contingency Planning | Contingency Training | Shared | n/a | a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | link | 1 |
| | op.cont.1 Impact analysis | op.cont.1 Impact analysis | | | | | n/a | n/a | | 68 |
| | op.cont.2 Continuity plan | op.cont.2 Continuity plan | | | | | n/a | n/a | | 68 |
| | op.cont.3 Periodic tests | op.cont.3 Periodic tests | | | | | n/a | n/a | | 91 |
| | op.cont.4 Alternative means | op.cont.4 Alternative means | | | | | n/a | n/a | | 95 |
| SWIFT_CSCF_v2022 | 9.1 | SWIFT_CSCF_v2022_9.1 | SWIFT CSCF v2022 9.1 | 9. Ensure Availability through Resilience | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Shared | n/a | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | link | 8 |

The mp.* and op.cont.* rows carry no Control Domain, MetadataId, Category, Title or Owner on the source page (the metadata lookup for these controls returned 404); only the control identifier, its title and the policy count are available.