Maturity level | Description
--- | ---
0 (Non-existent) | There is a complete lack of any training and education program. The organisation has not even recognised that there is an issue to be addressed with respect to training, and there is no communication on the issue.
1 (Initial/Ad Hoc) | There is evidence that the organisation has recognised the need for a training and education program, but there are no standardised processes. In the absence of an organised program, employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices. The overall management approach lacks any cohesion, and there is only sporadic and inconsistent communication on issues and approaches to address training and education.
2 (Repeatable but Intuitive) | There is awareness of the need for a training and education program and for associated processes throughout the organisation. Training is beginning to be identified in the individual performance plans of employees. Processes have developed to the stage where informal training and education classes are taught by different instructors, who cover the same subject matter with different approaches. Some of the classes address the issues of ethical conduct and system security awareness and practices. There is high reliance on the knowledge of individuals. However, there is consistent communication on the overall issues and the need to address them.
3 (Defined Process) | The training and education program has been institutionalised and communicated, and employees and managers identify and document training needs. Training and education processes have been standardised and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees in ethical conduct and in system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.
4 (Managed and Measurable) | There is a comprehensive training and education program that is focused on individual and corporate needs and yields measurable results. Responsibilities are clear and process ownership is established. Training and education are a component of employee career paths. Management supports and attends training and educational sessions. All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance by constantly reviewing and updating the training and education program and processes. Processes are under improvement and enforce best internal practices.
5 (Optimised) | Training and education result in an improvement of individual performance. Training and education are critical components of the employee career paths. Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. Processes have been refined and are under continuous improvement, taking advantage of best external practices and maturity modelling with other organisations. All problems and deviations are analysed for root causes, and efficient action is expediently identified and taken. There is a positive attitude with respect to ethical conduct and system security principles. IT is used in an extensive, integrated and optimised manner to automate and provide tools for the training and education program. External training experts are leveraged and benchmarks are used for guidance.