Security Training


WHAT IS SECURITY TRAINING AND WHY IS IT IMPORTANT?

About This Control

Summary: The organization has security training requirements that apply to both new and existing employees. New hire training is required shortly after the employee begins work. Training for existing staff is typically required on an annual basis.

Purpose: Security Training keeps employees and other staff informed about recognizing common forms of cyberattack directed at individuals such as phishing or business email compromise. Additionally, it educates staff on policy and practices such as acceptable use of the organization’s assets and resources.

Implementation Guidance: The dashboard can be configured to report on specific training modules that are in scope for staff and new hires. Training can be further configured to group sets of training modules, such as the set of classes required for annual security training. This feature can be used to organize how the training is displayed on the dashboard.

Why It Matters

Security Training is used to:

  • Educate staff on how to recognize attacks that they might be subject to, such as phishing or business email compromise, and how to better avoid falling victim to such attacks.

  • Inform staff about requirements for handling sensitive data.

  • Ensure staff are aware of acceptable use policies and what they can and cannot do with company-issued equipment such as laptop computers or smartphones.

  • Provide role-based training, for example secure software development for application developers, or proper handling of protected health information (PHI) for staff who will work with that kind of data.

Risks Addressed: Security Training helps to reduce risk by:

  • Making users aware of common phishing and social engineering tactics.

  • Describing strong password practices and expected use of multi-factor authentication (MFA).

  • Educating users about proper data handling to avoid the inadvertent exposure of sensitive information.

  • Promoting the secure use of company resources and networks, especially in remote work environments.

  • Training staff on how to report suspicious activity quickly and correctly, improving response times and containment for security incidents.

CONTROLS THIS DASHBOARD REPORTS ON

Framework:

  • NIST CSF v2.0: Category PR.AT Awareness and Training, Subcategories PR.AT-01, PR.AT-02

  • PCI-DSS v4.0: Requirements 12.6.3.1 Security awareness training, and 12.10.4 Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.

  • CIS CSC v8.1: Control 14 Security Awareness and Skills Training, and the Safeguards for that control, depending on the content of the organization’s training program

  • DORA: Regulatory Technical Standard (RTS) Simplified ICT Risk Management Framework, Article 19 Human resources policy

PRIMARY KEY PERFORMANCE INDICATOR (KPI)

The dashboard reports on this Primary KPI:

  • Numerator: Users who completed all required security training by the due dates, or users whose training is assigned, but is not yet due.

  • Denominator: All users who are required by the organization to take security training.
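The numerator and denominator above can be worked through per user, as in the following added example (not DataBee's own query or code). Field names come from the detail dashboard's column list; the records are constructed, and the example assumes that a training completed after its due date, or still open past its due date, keeps the user out of the numerator, and that a due date of today counts as not yet due.

```python
from datetime import date

def row(emp, training, due, completed=None):
    # Constructed sample record using the dashboard's column names.
    return {"EMPLOYEE_ID": emp, "TRAINING_ID": training,
            "TRAINING_DUE_DATE": due, "TRAINING_COMPLETED_DATE": completed}

# Constructed data: one row per required training assigned to a user.
RECORDS = [
    row("E1", "PHISH", date(2025, 3, 1), date(2025, 2, 10)),  # on time
    row("E1", "AUP",   date(2025, 3, 1), date(2025, 2, 28)),  # on time
    row("E2", "PHISH", date(2025, 3, 1), date(2025, 3, 15)),  # completed late
    row("E3", "PHISH", date(2025, 7, 1)),                     # assigned, not yet due
    row("E4", "PHISH", date(2025, 3, 1), date(2025, 2, 1)),   # on time
    row("E4", "PHI",   date(2025, 5, 1)),                     # overdue, incomplete
]

def record_ok(rec, as_of):
    """True if this one training counts toward the numerator (assumed rule)."""
    due, done = rec["TRAINING_DUE_DATE"], rec["TRAINING_COMPLETED_DATE"]
    if done is not None:
        return done <= due      # completed by the due date
    return due >= as_of         # not completed, but not yet due

def primary_kpi(records, as_of):
    """Return (compliant user ids, users in scope, ratio or None)."""
    per_user = {}
    for rec in records:
        uid = rec["EMPLOYEE_ID"]
        # A user stays compliant only if every required training is OK.
        per_user[uid] = per_user.get(uid, True) and record_ok(rec, as_of)
    compliant = sorted(u for u, ok in per_user.items() if ok)
    total = len(per_user)       # denominator: users with required training
    ratio = len(compliant) / total if total else None
    return compliant, total, ratio

if __name__ == "__main__":
    users, total, ratio = primary_kpi(RECORDS, as_of=date(2025, 6, 1))
    print(f"compliant={users} in_scope={total} kpi={ratio:.0%}")
```

Changing `as_of` shows how the same records move in and out of the numerator as due dates pass, which is why point-in-time KPI values should be read together with the evaluation date.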

COLUMNS DISPLAYED ON THE DETAIL DASHBOARD

Training Info: COMPLIANCE_STATUS, COMPLIANCE_STATUS_USER, TRAINING_NAME, TRAINING_ID, TRAINING_TAG, TRAINING_TYPE, DATA_SOURCE_NAME, TRAINING_ASSIGNMENT_DATE, TRAINING_COMPLETED_DATE, TRAINING_DUE_DATE, TRAINING_DUE_DATE_USER, NEW_HIRE

Org Hierarchy: EMPLOYEE_DATABEE_ID, EMPLOYEE_ID, EMPLOYEE_EMAIL_ADDRESS, EMPLOYEE_FULL_NAME, EMPLOYEE_JOB_TITLE, EMPLOYEE_HIRE_DATE, EMPLOYEE_USER_NAME, MANAGER_EMAIL_ADDRESS, MANAGER_DATABEE_ID, MANAGER_FULL_NAME, LEVEL_2, LEVEL_3, LEVEL_4, LEVEL_5, LEVEL_6

DATA SOURCES USED BY THIS DASHBOARD

  • OCSF.TRAINING_INVENTORY

  • CDP.USER

  • CDP.ORGANIZATION_HIERARCHY

Copyright © 2026 DataBee®, A Comcast Company.
DataBee® is a registered trademark of Comcast.