===== 3.2 Awareness & Training Policies =====

==== Control Satisfaction Matrix ====

^ Standard ^ Category ^ Controls Satisfied ^ 800-53r4 Controls ^ ISO/IEC 27001 ^ Audit Controls ^
| NIST 800-171 | Awareness & Training | 3.2.1 - 3.2.3 | AT-2, AT-3 | A.7.2.2, A.12.2.1 | 2.01 - 2.03 |

=== Major Document History ===

^ Date ^ Comment ^ Who ^
| 5/13/2019 | Initial Doc | Tharp |
| 5/30/2019 | Control Objectives | Tharp |
| 6/21/2019 | COs & Assertions updated with feedback from B&V CPAs | Tharp |
| 7/30/2019 | Strike-through Control Objectives | Tharp |
| 8/12/2019 | Normalized this control area and edited DLZP Plan, Format Updates | Tharp |
| 8/29/2019 | Copied Content For IS-1 SOC submission | Tharp |
| 10/6/2021 | Policies Reviewed for Audit | Tharp |

----

==== Purpose and Scope ====

The purpose of this policy is to establish a repeatable training regimen aligned to staff roles and to ensure that training practices are reviewed and updated annually.

==== Background ====

Infrastructure security and cyber security are crucial elements of any application or infrastructure hosting service. DLZP has made a commitment to design and build highly secure environments for our customers. But attack strategies and vulnerabilities are constantly evolving, so regular training is necessary to keep the team current with contemporary threat information.

==== Policy Requirements ====

=== 3.2.1 ===

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

=== 3.2.2 ===

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

=== 3.2.3 ===

Provide security awareness training on recognizing and reporting potential indicators of insider threat.
----

===== Response Plan =====

=== Awareness and Training Plan ===

DLZP Group shall provide a review and training materials annually, or on an as-needed basis, to ensure the organization maintains the security posture necessary to conduct its business and to align with the security policies required by each hosted client. Training reviews and materials will be based on an associate's role (e.g., functional, technical, or management roles).

Each new employee will be provided a syllabus covering all internal security and operations practices and will then undergo a thorough examination of their understanding of DLZP Group security practices and methodologies.

Cyber-security attack vectors and methods will be reviewed, including the pervasive use of phishing attacks and how they can overcome multi-factor security methods. Phishing attack training and awareness will be performed at least annually.

----