M3.1 AWARENESS AND TRAINING POLICY
OBJECTIVE
To maintain an awareness and training policy outlining the approach to identifying relevant topics, enrolling stakeholders, and documenting activities.
PERFORMANCE INDICATOR
Trend in the number of employees that have not successfully participated in the awareness and training program.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable awareness and training policy
- Non-comprehensive training identification approach
- Accidental information leaks due to lack of awareness
- Software malfunction due to lack of trained personnel
APPLICABLE CONTROLS
The following controls are applicable to this control family.
M3.2 AWARENESS AND TRAINING PLANNING
OBJECTIVE
To ensure that all persons carrying out work affecting information security are sufficiently aware of information security requirements and controls, and are adequately competent.
PERFORMANCE INDICATOR
Percentage of actions (planned training, participation in conferences, etc.) that have not been carried out as planned.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Non-compliance with controls due to a lack of awareness
- Not noticing security breaches
- Incompetent information security personnel
- Promoting a culture of disinterest in information security matters
APPLICABLE CONTROLS
The following controls are applicable to this control family.
M3.2.1 - P2 - AWARENESS AND TRAINING PROGRAM
M3.3 SECURITY TRAINING
OBJECTIVE
To ensure that all personnel who are assigned responsibilities in information security are competent to perform the required tasks.
PERFORMANCE INDICATOR
Percentage of identified information security training requirements that have been met with satisfactory results.
AUTOMATION GUIDANCE
Web-based training modules (internally or externally created) can be used to deliver training. They can also be used to automatically update staff training records and to capture the CPE credits needed to maintain security certifications.
RELEVANT THREATS AND VULNERABILITIES
- Software malfunction due to lack of trained personnel
- Error in use due to undelivered training
APPLICABLE CONTROLS
The following controls are applicable to this control family.