
PM-14 Testing, Training, and Monitoring

PRIVACY

>Control Description

a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
   1. Are developed and maintained; and
   2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

>Cross-Framework Mappings

>Supplemental Guidance

A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements.

Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What process ensures that plans for security and privacy testing (e.g., control assessments, penetration tests), training, and monitoring of organizational systems are developed, maintained, and continue to be executed?
  • Who owns that process, and how are testing, training, and monitoring activities coordinated across system owners, common control providers, and the continuous monitoring program?
  • How, and how often, are the plans reviewed for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions?
  • How do current threat and vulnerability assessments inform the plans and the activities they schedule?
  • How are activities that were not executed as planned identified, escalated, and addressed?

Technical Implementation:

  • What platforms schedule, deliver, and track testing and monitoring activities (assessment tooling, vulnerability scanners, continuous monitoring dashboards) and training (learning management systems)?
  • How are completions and results tracked and reported to the accountable officials?
  • What simulation or hands-on capabilities (tabletop exercises, phishing simulations, red team exercises) exist?
  • How are plans and training materials updated when the risk management strategy, threats, or vulnerabilities change?
  • What metrics show whether testing, training, and monitoring are executed as planned and are effective?

Evidence & Documentation:

  • Provide the organization-wide testing, training, and monitoring plans and the documented process for developing and maintaining them.
  • Provide evidence that the plans were executed during the past year (assessment reports, training completion records, monitoring results).
  • Provide records of the review of the plans against the risk management strategy and risk response priorities.
  • Provide the threat and vulnerability assessments used to inform the plans.
  • Provide records of remediation for activities that were not executed as planned and for personnel who failed testing.
