HR-03 Security Training and Awareness Programme
1. Overview
HR-03 Security Training and Awareness Programme

| Designation | Standard |
| --- | --- |
| HR-03.01B | The cloud service provider operates a target group-oriented security awareness and training programme. The target groups may be defined considering job function, job position and the associated risk classification. Target groups serve to simplify and systematise the security training and awareness programme. |
| HR-03.02B | All internal and external personnel of the cloud service provider undergo a role-based training programme regularly and when changing job function, taking into consideration at least the risk classification and technical responsibilities of their position. |
| HR-03.03B | The programme is regularly updated based on changes to policies and procedures and the current threat situation and includes the following aspects insofar as they are applicable to each personnel's role: 1. Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; 2. Handling cloud service customer data, cloud service derived data, cloud service provider data and account data in accordance with applicable policies and procedures and applicable legal and regulatory requirements; 3. Information about the current threat situation; 4. Correct behaviour in the event of security incidents; 5. Security best practices; and 6. Secure development. |
| HR-03.04B | The learning outcomes achieved through the awareness and training programme are measured and evaluated. |
| HR-03.01AC | The cloud service provider monitors the completion of the security awareness and training programme. |
| HR-03.02AC | Timely and appropriate remediation measures address any deviations identified during monitoring. |
| HR-03.03AC | The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurement and evaluation of learning outcomes in a target group-oriented manner, as specified by this additional criterion, does not require assessing each member of the personnel individually. Instead, evaluations can be performed at an aggregated level, focusing on the overall effectiveness of the training programme for specific target groups. This approach allows trends and areas for improvement within the programme to be identified while respecting the personnel's privacy requirements. |
| HR-03.04AC | The measurements cover quantitative and qualitative aspects. |
| HR-03.05AC | The results are used to improve the awareness and training programme. |
| HR-03.02AS | All internal and external personnel of the cloud service provider undergo a role-based training programme at least annually and when changing job function, taking into consideration at least the risk classification and technical responsibilities of their position. |
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

| Source | Requirement |
| --- | --- |

3. Related Regulations

| Source | Regulation |
| --- | --- |