SAT-03.3: Sensitive / Regulated Data Storage, Handling & Processing
Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements.
Control Question: Does the organization ensure that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements?
General (31)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF9 |
| CIS CSC 8.1 | 14.5 |
| CIS CSC 8.1 IG1 | 14.5 |
| CIS CSC 8.1 IG2 | 14.5 |
| CIS CSC 8.1 IG3 | 14.5 |
| CSA CCM 4 | DSP-17 HRS-12 HRS-13 |
| CSA IoT SCF 2 | TRN-02 |
| Generally Accepted Privacy Principles (GAPP) | 1.1.1 1.2.10 |
| ISO 27017 2015 | 7.2.2 |
| ISO 29100 2024 | 6.10 |
| MPA Content Security Program 5.1 | OR-3.1 OR-3.2 |
| NIST 800-53 R4 | AR-5 |
| NIST 800-53 R5 (source) | AT-3(5) |
| NIST 800-53B R5 (privacy) (source) | AT-3(5) |
| NIST 800-171 R3 (source) | 03.01.22.a 03.02.01.a.01 03.02.02.a.01 |
| NIST 800-218 | PO.2.2 |
| PCI DSS 4.0.1 (source) | 9.5.1 9.5.1.3 12.6.3.1 12.6.3.2 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.6.3.1 |
| PCI DSS 4.0.1 SAQ B (source) | 9.5.1 9.5.1.3 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 9.5.1 9.5.1.3 |
| PCI DSS 4.0.1 SAQ C (source) | 9.5.1 9.5.1.3 12.6.3.1 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 12.6.3.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 9.5.1 9.5.1.3 12.6.3.1 12.6.3.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 9.5.1 9.5.1.3 12.6.3.1 12.6.3.2 |
| PCI DSS 4.0.1 SAQ P2PE (source) | 9.5.1 9.5.1.3 |
| SPARTA | CM0041 |
| SWIFT CSF 2023 | 7.2 |
| TISAX ISA 6 | 2.1.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | SAT-03.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | SAT-03.3 |
| SCF CORE ESP Level 3 Advanced Threats | SAT-03.3 |
US (13)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | WORKFORCE-2.C.MIL2 |
| US CERT RMM 1.2 | OTA:SG1.SP2 OTA:SG4.SP1 |
| US CJIS Security Policy 5.9.3 (source) | 5.1.1.1 AT-3(5) |
| US CMS MARS-E 2.0 | AR-5 |
| US FIPPS | 2 |
| US GLBA CFR 314 2023 (source) | 314.4(e)(1) |
| US IRS 1075 | 2.D.2.1 2.D.2.2 |
| US NNPI (unclass) | 2.1 2.2 |
| US SSA EIESR 8.0 | 5.10 |
| US - CA CCPA 2025 | 7100(a) 7123(c)(12) 7123(c)(13) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.10(a)(2) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(A)(4) |
| US - VT Act 171 of 2018 | 2447(c)(8) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA Israel CDMO 1.0 | 20.3 |
| EMEA Qatar PDPPL | 11.3 |
| EMEA Saudi Arabia ECC-1 2018 | 1-10-4-2 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.1.7 |
| EMEA UK DEFSTAN 05-138 | 2602 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0831 ISM-1059 |
| APAC Japan ISMAP | 4.5.3 4.5.3.1 7.2.2.19.PB |
| APAC Singapore MAS TRM 2021 | 3.6.2 3.6.3 6.1.5 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 1.7 |
| Americas Canada ITSP-10-171 | 03.01.22.A 03.02.01.A.01 03.02.02.A.01 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements.
Level 1 — Performed Informally
Security Awareness & Training (SAT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Training activities are decentralized.
- Security awareness and training methods are often generic, without organization-specific content.
- IT/cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.
Level 2 — Planned & Tracked
Security Awareness & Training (SAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security training and awareness activities. o Create/govern security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Self-manage their professional certification requirements to support their assigned duties.
- Training and awareness activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- The Human Resources (HR) department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
- Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
- IT/cybersecurity personnel:
Level 3 — Well Defined
Security Awareness & Training (SAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to security awareness and training. o Defines minimum cybersecurity training (including certifications) for personnel, based on their specific roles. o Creates/governs security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Identifies and implements industry-recognized HR practices related to security workforce development and awareness to help ensure secure practices are implemented in personnel management operations. o Documents, retains and monitors individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. o Ensures that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements. o Ensures all employees and contractors receive awareness education and training that is relevant for their job function, including social engineering-related threats.
- A Governance, Risk & Compliance (GRC) function, or similar function:
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including security awareness and training.
- Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
- The Human Resources (HR) department:
Level 4 — Quantitatively Controlled
Security Awareness & Training (SAT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements.
Assessment Objectives
- SAT-03.3_A01 personnel or roles to be provided with initial and refresher training in the employment and operation of sensitive / regulated data processing and transparency controls is/are defined.
- SAT-03.3_A02 the frequency at which to provide refresher training in the employment and operation of sensitive / regulated data processing and transparency controls is defined.
- SAT-03.3_A03 organization-defined personnel or roles are provided with initial and refresher training organization-defined frequency in the employment and operation of sensitive / regulated data processing and transparency controls.