SAT-01.1: Maintaining Workforce Development Relevancy

There is no evidence of a capability to periodically review security workforce development and awareness training to account for changes to: (1) Organizational policies, standards and procedures; (2) Assigned roles and responsibilities; (3) Relevant threats and risks; and (4) Technological developments.

C|P-CMM1 is N/A, since a structured process is required to periodically review security workforce development and awareness training to account for changes to: (1) Organizational policies, standards and procedures; (2) Assigned roles and responsibilities; (3) Relevant threats and risks; and (4) Technological developments.

Security Awareness & Training (SAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security training and awareness activities. o Create/govern security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Self-manage their professional certification requirements to support their assigned duties.

• Training and awareness activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
• The Human Resources (HR) department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
• Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
• IT/cybersecurity personnel:

Security Awareness & Training (SAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to security awareness and training. o Defines minimum cybersecurity training (including certifications) for personnel, based on their specific roles. o Creates/governs security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Identifies and implements industry-recognized HR practices related to security workforce development and awareness to help ensure secure practices are implemented in personnel management operations. o Documents, retains and monitors individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. o Ensures that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements. o Ensures all employees and contractors receive awareness education and training that is relevant for their job function, including social engineering-related threats.

• The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for security awareness and training practices.
• The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for security awareness and training.
• A Governance, Risk & Compliance (GRC) function, or similar function:
• A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including security awareness and training.
• Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
• The Human Resources (HR) department:

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to periodically review security workforce development and awareness training to account for changes to: (1) Organizational policies, standards and procedures; (2) Assigned roles and responsibilities; (3) Relevant threats and risks; and (4) Technological developments.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to periodically review security workforce development and awareness training to account for changes to: (1) Organizational policies, standards and procedures; (2) Assigned roles and responsibilities; (3) Relevant threats and risks; and (4) Technological developments.