PR.AT-02.219
Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
Explanation
Different roles within an organization face different security risks and responsibilities. Specialized roles such as finance personnel who handle sensitive financial data, IT administrators with elevated system privileges, or executives with access to strategic information require targeted training beyond basic security awareness. Identifying these roles is the first step in developing role-specific security training programs that address unique threats and responsibilities. Evidence of fulfillment could include a documented list or matrix of job roles/functions mapped to their required specialized cybersecurity training requirements. This document should identify which positions require additional security training, what specific training is needed, and the rationale for these requirements based on access to sensitive data or systems.
Implementation Example
Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
ID: PR.AT-02.219
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
