Individuals in specialized roles receive role-specific cybersecurity training
General security awareness training is not enough for people with elevated access or technical responsibilities. Developers who write insecure code, administrators who misconfigure cloud infrastructure, and incident responders who are unprepared for a real attack all represent outsized risk. Role-specific training addresses the security decisions these individuals make every day.
Implementation steps
1. Identify roles requiring specialized training
Map out the roles with elevated security responsibility or risk: software developers, cloud administrators, network engineers, incident responders, and executives with access to sensitive data. Document what security training each role needs.
2. Assign developer-focused secure coding training
Require developers to complete training on the OWASP Top 10, secure coding practices, and security testing. Offer language-specific content where possible. Integrate security topics into developer onboarding.
Suggested tools: Secure Code Warrior, Snyk Learn, SANS Secure Coding, Checkmarx Codebashing
3. Train administrators on hardening and configuration security
Cloud and system administrators should be trained on their platforms' security configuration, the principle of least privilege, and common misconfiguration risks. Use vendor-specific security courses and certifications where appropriate.
Suggested tools: AWS Training, Google Cloud Skills Boost, Microsoft Learn
4. Train incident responders through tabletop exercises
At least annually, run a tabletop exercise with your incident response team. Walk through a realistic attack scenario and verify that people know their roles. Document the gaps identified and address them.
Evidence required
Role-specific training assignments
Documentation showing which specialized training is assigned to which roles.
- Training matrix mapping roles to required courses
- LMS configuration showing role-based curriculum assignments
- Onboarding checklist for developers or admins that includes security training
Specialized training completion records
Evidence that individuals in specialized roles have completed their required training.
- Secure Code Warrior or Checkmarx completion certificates
- Cloud vendor security certification records
- SANS course completion records for security staff
Tabletop exercise record
Documentation of a completed incident response tabletop exercise in the last 12 months.
- Tabletop exercise summary document with participants, scenario, and findings
- After-action report from a simulated incident
- Calendar invite and attendance record for the tabletop session
Related controls
- Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind (Awareness and Training)
- Identities and credentials are managed for authorized users and devices (Identity Management, Authentication, and Access Control)
- Identities are proofed and bound to credentials based on the context of interactions (Identity Management, Authentication, and Access Control)
- Users, services, and hardware are authenticated (Identity Management, Authentication, and Access Control)