| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | AT-4 | FedRAMP_High_R4_AT-4 | FedRAMP High AT-4 | Awareness And Training | Security Training Records | Shared | n/a | The organization:<br>a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and<br>b. Retains individual training records for [Assignment: organization-defined time period].<br>Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.<br>Control Enhancements: None.<br>References: None. | link | 3 |
| FedRAMP_Moderate_R4 | AT-4 | FedRAMP_Moderate_R4_AT-4 | FedRAMP Moderate AT-4 | Awareness And Training | Security Training Records | Shared | n/a | The organization:<br>a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and<br>b. Retains individual training records for [Assignment: organization-defined time period].<br>Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.<br>Control Enhancements: None.<br>References: None. | link | 3 |
| hipaa | 0108.02d1Organizational.23-02.d | hipaa-0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d | 01 Information Protection Program | 0108.02d1Organizational.23-02.d 02.03 During Employment | Shared | n/a | The organization ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with the risk management strategy and response priorities. | | 8 |
| hipaa | 1302.02e2Organizational.134-02.e | hipaa-1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e | 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e 02.03 During Employment | Shared | n/a | Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. | | 19 |
| hipaa | 1305.02e3Organizational.23-02.e | hipaa-1305.02e3Organizational.23-02.e | 1305.02e3Organizational.23-02.e | 13 Education, Training and Awareness | 1305.02e3Organizational.23-02.e 02.03 During Employment | Shared | n/a | The organization maintains a documented list of each individual who completes the on-boarding process and maintains all training records for at least five years. | | 3 |
| ISO27001-2013 | A.7.2.2 | ISO27001-2013_A.7.2.2 | ISO 27001:2013 A.7.2.2 | Human Resources Security | Information security awareness, education and training | Shared | n/a | All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | link | 15 |
| ISO27001-2013 | C.7.2.a | ISO27001-2013_C.7.2.a | ISO 27001:2013 C.7.2.a | Support | Competence | Shared | n/a | The organization shall:<br>a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;<br>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | link | 3 |
| ISO27001-2013 | C.7.2.b | ISO27001-2013_C.7.2.b | ISO 27001:2013 C.7.2.b | Support | Competence | Shared | n/a | The organization shall:<br>b) ensure that these persons are competent on the basis of appropriate education, training, or experience;<br>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | link | 1 |
| ISO27001-2013 | C.7.2.c | ISO27001-2013_C.7.2.c | ISO 27001:2013 C.7.2.c | Support | Competence | Shared | n/a | The organization shall:<br>c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;<br>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | link | 1 |
| NIST_SP_800-53_R4 | AT-4 | NIST_SP_800-53_R4_AT-4 | NIST SP 800-53 Rev. 4 AT-4 | Awareness And Training | Security Training Records | Shared | n/a | The organization:<br>a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and<br>b. Retains individual training records for [Assignment: organization-defined time period].<br>Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.<br>Control Enhancements: None.<br>References: None. | link | 3 |
| NIST_SP_800-53_R5 | AT-4 | NIST_SP_800-53_R5_AT-4 | NIST SP 800-53 Rev. 5 AT-4 | Awareness and Training | Training Records | Shared | n/a | a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and<br>b. Retain individual training records for [Assignment: organization-defined time period]. | link | 3 |