TA-01—General Security Awareness Training
>Control Description
Theme
Type
Policy/Standard
Training & Awareness Procedure
>Implementation Guidance
1. Ensure that the requirements for completion of security awareness training are defined in the Organization's Compliance Training Policy and Security Awareness Training Standard.
2. Ensure that the Organization's Security Awareness Training Material is well defined, documented, and up to date.
3. Ensure that a record of active employees and contractors is maintained and updated by the organization.
4. Ensure that security awareness training is provided on a regular basis and that the progress of all contractors and employees participating in the training is tracked and documented.
>Testing Procedure
1. Inspect the Organization's Compliance Training Policy and Security Awareness Training Standard to determine whether requirements for completion of security awareness training are defined.
2. Inspect the Organization's Security Awareness Training material to determine whether it details:
   - Version history of the SAT, to determine that materials are updated during the audit period.
   - How to report security events to the appropriate response team.
3. Obtain the list of active employees and contractors.
4. For a sample of active employees and contractors, obtain and inspect the security awareness training completion records to determine whether training is completed annually and completion is tracked and documented.
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.