December 2nd, 2021

Where to find training expectations in guidance - WST

This week’s WST was inspired by a client asking, “What information IT/Information Security training should we do?” The easy answer is that all institutions must perform annual information security awareness training. However, we went spelunking through the FFIEC IT handbooks (and other relevant sources) to brush up on guidance that might be helpful.

The FFIEC guidance addressing IT/Information Security training is in the following:

Some training examples for employees:

  • IS I.B Responsibility and Accountability: Provide information security and awareness training and ongoing security-related communications to employees, and ensure employees complete such training annually.
  • IS II.C.7(e) Training: Training ensures personnel have the necessary knowledge and skills to perform their job functions. Training should support security awareness and strengthen compliance with security and acceptable use policies. Ultimately, management’s behavior and priorities heavily influence employee awareness and policy compliance, so training and the commitment to security should start with management. Management should educate users about their security roles and responsibilities and communicate them through acceptable use policies. Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines. Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media.
  • II.C.13(c) Disposal of Information: Policies, procedures, and training should inform employees about what actions should be taken to securely dispose of computer-based media and protect the data from the risks of reconstruction.
  • AIO III.B.3 Shadow IT: “Security awareness training should include the risks of shadow IT and the rationale for preventing its use.”
  • AIO III.I - File Exchange: If you share files through email attachments or file sharing services, you should “Provide training to employees on approved solutions.”
  • AIO V.D.2 Smoke and Fire: “Training personnel on their roles and responsibilities.”
  • Audit: IT Audit Roles and Responsibilities > Board of Directors and Senior Management: The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls.

Training / continuing education for IT staff depends on your environment and the skill level of your IT staff, though there are some specific examples below:

  • IS III.D Incident Response: Such preparation involves defining the policies and procedures that guide the response; assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort.
  • AIO V.C.3 Software Hosting: Internally hosted software: “Management should identify personnel (e.g., internal or third party) with relevant skills and expertise and allocate resources to provide necessary training to maintain their knowledge.”
  • AIO VI.A.1 Operating Centers: Whether centralized or decentralized, operating center responsibilities also should include training staff to operate and maintain the entity’s equipment and systems (e.g., monitoring of environmental systems and procedures for manual intervention and overrides), deploying appropriate connectivity, and managing incidents and events.
  • AIO VI.C.3 IT Support: Management should maintain well-trained and knowledgeable IT support personnel to effectively support clients and users. If IT support software is used, IT support personnel should have appropriate training to perform their duties.

Outside of FFIEC guidance, but still relevant to financial institutions:

Shameless Plug:

Don’t forget 10-D Academy has training resources that can help. www.10-D

Authored by: David Matt, CEH

You May Want to Read More:

The Scope of SARs - Something Old and Something New - WST

January 28th, 2021

Did you know that filing Suspicious Activity Reports...

In with the new year, out with the Flash - WST

January 21st, 2021

The writing has been on the wall for a while now ...

Back to Basics: Understanding Risk Concepts - WST

January 15th, 2021

People often make judgements and decisions about risk...

Keep your institution off the evening news.

Contact Us