Security Control 9:
Security Skills Assessment and Appropriate Training to Fill Gaps

Find knowledge gaps, and fill them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

Key: REQ = Required, REC = Recommended, OPT = Optional

| ID | Details | High | Med | Low |
|----|---------|------|-----|-----|
| 9.1 | Have employees and contractors on at least an annual basis take security awareness training in order to ensure they understand the information security policies and procedures, as well as their role in those procedures. | REQ | REQ | REQ |
| 9.2 | If necessary, develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats the unit faces, and should present proven defenses against the latest attack techniques. | REQ | REQ | REQ |
| 9.3 | Provide awareness sessions for users who are not following policies after they have received appropriate training. | REQ | REQ | REQ |

Additional Reading