Where to find training expectations in guidance - WST

This week’s WST was inspired by a client asking, “What information IT/Information Security training should we do?” The easy answer is that all institutions must perform annual information security awareness training. However, we went spelunking through the FFIEC IT handbooks (and other relevant sources) to brush up on guidance that might be helpful.

The FFIEC guidance addressing IT/Information Security training is in the following:

• Information Security IT Booklet (IS): https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf
• Architecture, Infrastructure, and Operations (AIO) IT Booklet:https://ithandbook.ffiec.gov/media/402799/ffiec_itbooklet_aio.pdf
• Audit (Audit) IT Booklet: https://ithandbook.ffiec.gov/media/274709/ffiec_itbooklet_audit.pdf

Some training examples for employees:

• IS I.B Responsibility and Accountability: Provide information security and awareness training and ongoing security-related communications to employees, and ensure employees complete such training annually.
• IS II.C.7(e) Training: Training ensures personnel have the necessary knowledge and skills to perform their job functions. Training should support security awareness and strengthen compliance with security and acceptable use policies. Ultimately, management’s behavior and priorities heavily influence employee awareness and policy compliance, so training and the commitment to security should start with management. Management should educate users about their security roles and responsibilities and communicate them through acceptable use policies. Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines. Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media.
• II.C.13(c) Disposal of Information: Policies, procedures, and training should inform employees about what actions should be taken to securely dispose of computer-based media and protect the data from the risks of reconstruction.
• AIO III.B.3 Shadow IT: “Security awareness training should include the risks of shadow IT and the rationale for preventing its use.”
• AIO III.I - File Exchange: If you share files through email attachments or file sharing services, you should “Provide training to employees on approved solutions.”
• AIO V.D.2 Smoke and Fire: “Training personnel on their roles and responsibilities.”
• Audit: IT Audit Roles and Responsibilities > Board of Directors and Senior Management: The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls.

Training / continuing education for IT staff depends on your environment and the skill level of your IT staff, though there are some specific examples below:

• IS III.D Incident Response: Such preparation involves defining the policies and procedures that guide the response; assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort.
• AIO V.C.3 Software Hosting: Internally hosted software: “Management should identify personnel (e.g., internal or third party) with relevant skills and expertise and allocate resources to provide necessary training to maintain their knowledge.”
• AIO VI.A.1 Operating Centers: Whether centralized or decentralized, operating center responsibilities also should include training staff to operate and maintain the entity’s equipment and systems (e.g., monitoring of environmental systems and procedures for manual intervention and overrides), deploying appropriate connectivity, and managing incidents and events.
• AIO VI.C.3 IT Support: Management should maintain well-trained and knowledgeable IT support personnel to effectively support clients and users. If IT support software is used, IT support personnel should have appropriate training to perform their duties.

Outside of FFIEC guidance, but still relevant to financial institutions:

• Identity Theft / Red Flags
• Regulatory guidance (https://www.fdic.gov/regulations/laws/rules/2000-50.html ) calls for the institution to “(3) Train staff, as necessary, to effectively implement the Program.”
• https://www.ftc.gov/business-guidance/resources/fighting-identity-theft-red-flags-rule-how-guide-business
• “The Rule requires that you train relevant staff only as “necessary.” Staff who have taken fraud prevention training may not need to be re-trained. Remember that employees at many levels of your organization can play a key role in identity theft deterrence and detection.” Many institutions do this annually for all (relevant) employees.

Shameless Plug:

Don’t forget 10-D Academy has training resources that can help. www.10-D Academy.com

Authored by: David Matt, CEH