Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
Explanation
Different roles within an organization face different security risks and responsibilities.
Specialized roles such as finance personnel who handle sensitive financial data, IT administrators with elevated system privileges, or executives with access to strategic information require targeted training beyond basic security awareness.
Identifying these roles is the first step in developing role-specific security training programs that address unique threats and responsibilities.
Evidence of fulfillment could include a documented list or matrix of job roles/functions mapped to their required specialized cybersecurity training requirements. This document should identify which positions require additional security training, what specific training is needed, and the rationale for these requirements based on access to sensitive data or systems.
Implementation Example
Identify the specialized roles within the organization that require additional cybersecurity training, such as physical and cybersecurity personnel, finance personnel, senior leadership, and anyone with access to business-critical data
ID: PR.AT-02.219
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?

