Have senior executives been formally trained on and demonstrated understanding of their specific cybersecurity roles and responsibilities?
Explanation
Executive accountability is the focus: reviewers want senior leaders formally trained on their specific cybersecurity roles and able to demonstrate they understand them. Senior executives must comprehend their decision-making authority, oversight responsibilities, and accountability for security incidents that may impact the organization.
Evidence of fulfillment could include: documented role descriptions for executives that outline security responsibilities; signed acknowledgments from executives confirming their understanding; meeting minutes showing executive participation in security governance discussions; completion certificates from executive-level security awareness training; or performance objectives that include security governance metrics.
Context
- Function: PR: PROTECT
- Category: PR.AT: Awareness and Training
- Sub-Category: Senior executives understand their roles and responsibilities
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?