11 - Knowledge and training
Overview
The purpose of this category is to ensure that the PKI personnel have the required knowledge and skills to perform their duties and responsibilities. Education and continuous gathering of required knowledge and skills to manage the PKI is important to be aware and properly react to current trends and threats that may impact the PKI.
Each of the personnel should be aware of the PKI policies and procedures, and should be able to perform their duties and responsibilities in accordance with the PKI policies and procedures.
Category maturity levels description
| Maturity level | Description |
|---|---|
| 1 - Initial | There is no training plan or education plan for the PKI personnel. |
| 2 - Basic | Training plan is defined, however, there is no responsibility for the execution of the plan. |
| 3 - Advanced | Training plan is defined and integrated in the organization. PKI personnel are aware of the training plan and their responsibilities. |
| 4 - Managed | Training plan is defined, maintained and integrated in the organization. It is executed and requirements on the knowledge and proficiency are monitored. |
| 5 - Optimized | Training plan is periodically reviewed and updated. Education plan is defined and maintained. PKI personnel are aware of the training plan and their responsibilities that are fully aligned with the PKI policies and procedures. |
Requirements
| # | Requirement | Weight |
|---|---|---|
| 1 | Establish training plan | 2 |
| 2 | Responsible personnel receive training | 2 |
| 3 | Perform security awareness training | 2 |
| 4 | Establish education plan | 1 |
| 5 | Periodically review knowledge | 2 |
Details
Establish training plan
Guidance
The training plan should be established and maintained to ensure that personnel have the required knowledge and skills to perform their duties and responsibilities. It should reflect the current state of the PKI implementation and be updated when the PKI implementation changes, and provide necessary information for all personnel that are involved in the PKI implementation.
Training plan is built with PKI needs and requirements in mind and should cover:
- Training prerequisites
- Training matrix (who needs to be trained and what training should be received)
- Training schedule
- Training format and methods
- Requirements on training reports and records
- Training plan review and update
There can be different methods of training, depending on the needs and requirements:
- Instructor-led training
- Internal or external webinars
- Coaching
- Self-paced training
- Online resources
- Shadowing or reverse-shadowing
Assessment
- Documented training plan
- Training plan is up-to-date
- Training plan is approved and communicated to all personnel
- Training plan is integrated in organization
References
- NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- European Cybersecurity Skills Framework (ECSF)
Responsible personnel receive training
Guidance
The responsible personnel should be aware of the current policies and procedures that are related to the context of the PKI implementation. Training should be provided to personnel that are responsible for the management, operation, and administration of the PKI.
Training is provided in accordance with the current and approved training plan.
Methods and training content can vary, depending on personnel roles and covers:
- New hires as part of the onboarding process
- Periodic training for all personnel (the frequency of the training depends on the role and responsibilities)
For each training, attendance should be recorded and documented, and in case the training is not completed, the reason should be documented. In case there are requirements for score or threshold to be achieved, the results should be documented.
Assessment
- Review training matrix
- Review documented training results
- Review training records
- Relevancy of the training content
- Training is provided in accordance with the training plan
- Training completeness
References
- NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- European Cybersecurity Skills Framework (ECSF)
Perform security awareness training
Guidance
Security awareness education is an ongoing activity. The security awareness program is implemented to make all personnel aware of their role in protecting the security and establishing trust by the PKI implementation. It should stay up to date to reflect latest security trends, threats, and challenges.
Security awareness should ensure that personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.
Different methods can be applied to provide security awareness, for example:
- Posters and letters with the specific topic
- Team meetings and webinars
- Security incentives and rewards
- Training and education
Assessment
- Examine security awareness program
- Interview personnel to verify that they are aware of their responsibilities
- Review security awareness training records
- Security awareness training is provided in accordance with the training plan
- Review content of the security awareness training
References
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- PCI SSC - Best Practices for Implementing a Security Awareness Program
- Raising Awareness of Cybersecurity
Establish education plan
Guidance
Proper education plan is required to stay up to date with the development of the latest technologies, security practices, and controls that have impact on the PKI and its future development.
The education plan should establish a robust base for the personnel to gain relevant knowledge that are out of scope of the internal training plan, but should be aligned with it to ensure that the personnel are able to perform their duties and responsibilities. The education plan should cover:
- Education requirements and prerequisites
- Recommended education approach and methods
- Approach to monitor and assess the education results
Methods to provide education can vary:
- Internal or external courses
- Incentives and rewards
- Mentoring, coaching, and shadowing
- Competitions and challenges
Assessment
- Review education plan and its alignment with the training plan
- Interview personnel to verify their educational goals
- Validate education records
References
- NIST SP 800-16 Information Technology Security Training Requirements: a Role- and Performance-Based Model
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- European Cybersecurity Skills Framework (ECSF)
Periodically review knowledge
Guidance
The training plan should be reviewed and updated periodically to ensure that it is up-to-date and covers all aspects of the specific PKI implementation.
Periodical review of the training plans helps to maintain required skills and knowledge for the responsible personnel. It provides assurance that the expected controls are active and working as intended.
Assessment
- Training plan review process
- Implementation of review process
- Validation of documentation and reviews
