3.1.8 Staff Competence and Training
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
Staff of the Member Organizations should be equipped with the skills and required knowledge to operate the Member Organization's information assets in a controlled manner and provided with training regarding how to operate, address and apply relevant IT controls on the Member Organization's information assets.
Control Requirements
1. Member Organizations should identify and define critical roles within the IT department (e.g. DBA, sysadmin, etc.).
2. Member Organizations should ensure adequate staffing for critical IT roles, such that critical IT roles are not handled by only one staff member.
3. Member Organizations should identify the professional certifications required for staff responsible for critical IT roles.
4. Member Organizations should evaluate staffing requirements on a periodic basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources.
5. An annual IT training plan should be developed by the Member Organizations.
6. Formal training should be conducted, as a minimum, for:
   a. IT staff (existing and new); and
   b. Contractors (where applicable).
7. The IT training plan should be reviewed periodically.
8. Specialist training should be provided to staff in the Member Organization's relevant functional area categories in line with their job descriptions, including:
   a. staff involved in performing critical IT roles;
   b. staff involved in developing and (technically) maintaining information assets; and
   c. staff involved in risk assessments.