Content library
CyberFundamentals (Belgium)
PR.AT-1: All users are informed and trained.

How to fill the requirement

CyberFundamentals (Belgium)

PR.AT-1: All users are informed and trained.

Task name
Priority
Status
Theme
Policy
Other requirements
Staff guidance and training procedure in cyber security
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
requirements

Task is fulfilling also these other security requirements

T11: Turvallisuuskoulutus ja -tietoisuus
Katakri
4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
TiHL
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO27 Full
1. Task description

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Personnel guidelines for avoiding phishing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Email and phishing
Email and web browser
requirements

Task is fulfilling also these other security requirements

13.2.1: Information transfer policies and procedures
ISO27 Full
13.2.3: Electronic messaging
ISO27 Full
PR.AT-1: Awareness
NIST
HAL-12: Ohjeet
Julkri
5.14: Information transfer
ISO27k1 Full
1. Task description

The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.

General security competence and awareness of personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Cyber security management
requirements

Task is fulfilling also these other security requirements

32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO27 Full
7.2.1: Management responsibilities
ISO27 Full
PR.AT-1: Awareness
NIST
1. Task description

Personnel under the direction of the entire organization must be aware:

  • how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
  • the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.

Maintaining a log of cyber security trainings
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
requirements

Task is fulfilling also these other security requirements

T11: Turvallisuuskoulutus ja -tietoisuus
Katakri
7.2.2: Information security awareness, education and training
ISO27 Full
6.1: Tietojärjestelmien käyttäjiltä vaadittava koulutus ja kokemus
Self-monitoring
PR.AT-1: Awareness
NIST
HAL-13: Koulutukset
Julkri
1. Task description

A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.

For each training the documentation should include:

  • Time
  • Topics and duration of the training
  • Training method and trainer
  • Staff involved in the training
Arranging training and guidance during orientation (or before granting access rights)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
requirements

Task is fulfilling also these other security requirements

4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
TiHL
7.3: Termination and change of employment
ISO27 Full
7.3.1: Termination or change of employment responsibilities
ISO27 Full
9.2.2: User access provisioning
ISO27 Full
PR.IP-11: Cybersecurity in human resources
NIST
1. Task description

Before granting access rights to data systems with confidential information employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
  • received information from cyber security contacts who can be asked for more information
Regular unit-based cyber security communication
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
requirements

Task is fulfilling also these other security requirements

7.2.2: Information security awareness, education and training
ISO27 Full
CC2.2: Internal communication of information
SOC 2
PR.AT-1: All users are informed and trained.
CyFun
1. Task description

By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.

Security informing may also be referred to as an "awareness program".

No items found.