The purpose of Organizational Training and Awareness is to promote awareness in and develop skills and knowledge of people in support of their roles in attaining and sustaining operational resilience.
Organizational Training and Awareness is an enterprise process area that seeks to ensure that the organization’s staff are aware of resilience needs and concerns and that they behave in a manner consistent with the organization’s operational resilience requirements and goals. This requires that they be made aware of the organization’s resilience plans and programs and that they understand their role in these plans and programs. Staff must also be provided specialized training on a regular basis that establishes resilience as an organizational competency and encourages improvement in skill sets relative to their specific or general roles in managing operational resilience.
Organizational Training and Awareness focuses exclusively on skills, knowledge, and cognizance for resilience activities, not generalized training across the organization. However, these resilience training and awareness activities should integrate with and be supported by the organization’s overall training and awareness program and plan. Specifically, training refers to imparting the necessary skills and knowledge to people for performing their roles and responsibilities in support of the organization’s operational resilience management system. Awareness is aimed at focusing the attention of staff throughout the organization on resilience issues, concerns, policies, plans, and practices and increasing their cognizance of and acculturation to resilience. Training imparts skills and knowledge to enable staff to perform a specific resilience function; awareness activities create cognizance to bring about desired behaviors in support of the resilience process and to support a risk-aware culture in the organization.
An organizational training and awareness program is a comprehensive capability that typically includes the following activities:
• identifying the training and awareness needs of the organization
• sourcing training and awareness materials
• providing training and implementing awareness activities, using a variety of methods
• establishing and maintaining records of training and awareness activities
• evaluating the effectiveness of the training and awareness program
• revising the program to improve effectiveness and in response to changes in training and awareness needs
The Organizational Training and Awareness process area has four specific goals. The Establish Awareness Program goal addresses the creation, planning, and organization of an awareness program. Conduct Awareness Activities puts awareness plans into action throughout the enterprise and evaluates their effectiveness. The Establish Training Capability goal addresses the creation, planning, and organization of a training capability. Conduct Training addresses the delivery and evaluation of training activities.
Organizational Training and Awareness is a complementary process area to the Human Resource Management and People Management process areas. Organizational Training and Awareness focuses on general awareness, skill building, and ongoing training. Human Resource Management is focused on managing the employment life cycle and performance of an employee in support of operational resilience. People Management identifies key staff and manages their availability to the services they support, ensuring the resilience of the “people” asset.
Managing the resilience of the people in the organization is performed in the People Management process area.
Managing the employment life cycle and performance of an employee in support of operational resilience is addressed in the Human Resource Management process area.
Awareness activities for external entities such as business partners and vendors are addressed in the External Dependencies Management process area.
Awareness communications are addressed in the Communications process area.
Tracking awareness activities for compliance purposes is addressed in the Compliance process area.
Guidance about tracking awareness activities for governance functions is addressed in the Enterprise Focus process area.
An awareness program that supports the organization’s resilience program is established.
An awareness program is a means by which the organization can highlight important behaviors and begin the process of acculturating staff and external entities to important organizational goals, objectives, and critical success factors. Awareness differs significantly from skill-based training. Awareness focuses on communicating a message to gather support for an organizational imperative; skill-based training is aimed at imparting knowledge to staff that is necessary to perform a role or fulfill a responsibility. Awareness of resilience makes staff more cognizant of their role in supporting the organization’s operational resilience management system and in ensuring adequate operational resilience for high-value services and assets.
To establish an effective awareness program, an organization must identify awareness needs and establish a plan and capability to meet those needs. Adjustments to the plan and the program are made over the course of time to address changes in needs and to make overall improvements.
The awareness needs of the organization are established and maintained.
Awareness needs reflect the message that is to be communicated regarding resilience to all entities, internal and external, that have a vested interest in the resilience activities of the organization (referred to as “staff”). These may be derived from the organization’s resilience strategic plans, policies, or other goals and objectives. Awareness needs are derived by determining the set of resilience topics, plans, issues, or policies of which various sets of the organization’s population have to be kept aware. For many organizations, the awareness needs may be consistent across the organization’s entire population; for others, different parts of the organization may have different awareness needs. If high-value business processes are outsourced, there may be awareness needs that span one or more external entities. All of these populations should be identified and their awareness needs documented.
Awareness needs are temporal and may change as a result of changes in technology, policy, strategy, and risks being managed. A routine process to maintain and update awareness needs should be put in place.
Typical work products
Subpractices
Because managing operational resilience requires acculturation of both internal and external entities (staff), the types and extent of awareness efforts may have to be extensive and rigorous. The objectives of awareness efforts must be clearly stated and must help the organization achieve staff acculturation to the organization’s philosophy of managing operational resilience.
Because managing operational resilience is a broad, enterprise-wide activity, awareness presentations may need to cover a broad range of topics and may require focused messages for particular staff groups. Awareness presentations must be purposefully aimed at communicating the appropriate message to each group.
A plan for developing, implementing, and maintaining an awareness program is established and maintained.
The awareness plan details how the organization intends to carry out consistent and repeatable awareness efforts for each staff group. The plan must address the development, delivery, and maintenance of awareness presentations and materials to meet the awareness needs identified for each staff group. The plan should address near-term development and delivery and should be periodically adjusted based on new or changing needs and feedback from assessing the effectiveness of awareness activities.
Typical work products
Subpractices
Awareness plans typically include the following:
• awareness needs and objectives
• topics for awareness presentations and materials
• identification of various staff groups and descriptions of how needs and topics vary by audience
• schedules based on calendar-based and event-based awareness needs (An example of a calendar-based awareness need is “provide annual refresh training on login procedures and guidelines for choosing and managing secure passwords.” An example of an event-based awareness need is “provide security and business continuity initiation briefing to new employees within ten days of starting work.”)
• methods to distribute awareness presentations and materials
• requirements and quality standards for awareness presentations and materials, which may include identity guidelines for use of organizational trademarks
• identification of awareness program roles and responsibilities
• resource requirements
Documented commitments by those responsible for implementing and supporting the plan are essential for the plan to be effective.
A capability for consistent and repeatable delivery of awareness artifacts is established and maintained.
The organization must be able to deliver awareness artifacts on a repeatable basis and ensure that the message communicated about operational resilience is consistent.
Establishing a capability for implementing the awareness plan requires the selection of appropriate awareness approaches, sourcing or developing awareness materials, obtaining appropriate awareness facilitators or instructors (if needed), delivering internal communications about awareness activities, and revising the awareness capability as needed.
Awareness activities for external entities such as business partners and vendors are addressed in the External Dependencies Management process area.
Typical work products
Subpractices
Many factors influence the selection of appropriate awareness approaches for the various segments of the organization’s population. Typically, these include audience-specific roles, knowledge and daily behaviors, differences in work environment, budget, and consideration of organizational and work group culture. The selection of an approach should be based primarily on the best and most efficient means to create and support awareness for a given population, in light of any constraints.
Awareness materials may contain sensitive information about incidents and other security events that is used to raise general awareness about managing operational resilience. The organization should make provisions for adequately protecting this information from external entities that may be involved in awareness activities, either as providers or as participants.
Guidelines for establishing and maintaining relationships with external entities that serve as sources of awareness materials are addressed in the External Dependencies Management process area.
If instructor- or facilitator-led sessions are among the awareness activities that have been selected, qualified instructors or facilitators are required. To ensure that the instructors or facilitators have the necessary skills and knowledge to deliver the awareness materials, criteria can be established for evaluating candidates. For internal candidates, it may be necessary to provide specific training. For external resources, it is important to work with the provider to understand which of their staff will perform the work. This can be a factor in selecting or continuing to work with a specific provider.
It may be appropriate to deliver communications about planned awareness activities. For example, if people are expected to attend events, communications about the schedule of the events are necessary. For some activities, it may be appropriate to inform higher-level and other managers about the awareness plans and ask them to support and reinforce the plans by calling attention to the awareness activities in their regular communications or meetings with staff.
Awareness communications are addressed in the Communications process area.
Awareness activities that support the organization’s resilience program are performed.
The organization must perform awareness activities in order to carry out awareness plans and to fulfill the objectives of the awareness program. To ensure that awareness activities are being performed as prescribed, awareness activity records are established to track participation in awareness activities, and the effectiveness of the awareness activities is assessed.
Awareness activities are performed according to the awareness plan.
Awareness activities implement the awareness approaches that the organization has considered and developed to meet the specific staff needs. These activities can take many forms, as noted in the subpractices in OTA:SG1.SP3. Primarily, awareness activities will take the form of formal awareness presentations, but they could be supplemented by more continuous activities such as newsletters, email messages, or posters and other signage.
Awareness activities must meet the broad needs of staff members, and the logistics of performing these activities must be planned. The activities must be scheduled, advertised (if necessary), and resourced.
Typical work products
Subpractices
Awareness materials are distributed to the target populations according to the schedule and the approaches established in the plan.
Records of awareness activities performed are established and maintained.
Awareness activity records enable the organization to verify that awareness activities have been conducted according to plan. They provide evidence that staff and external entities have attended required activities appropriate for their job responsibility and role in the organization.
Records may also be necessary for compliance purposes to prove that the organization provides awareness presentations and requires staff and external entities to attend.
Recording awareness activities also facilitates evaluating their effectiveness, particularly that of awareness presentations, through instruments such as evaluations and suggestion boxes.
The tracking of awareness activities for compliance purposes is addressed in the Compliance process area.
Guidance about tracking awareness activities for governance functions is addressed in the Enterprise Focus process area.
Typical work products
If the awareness activity is required for certain staff groups or individual staff members, the organization should keep records for each attendee indicating whether or not the attendee completed the activity successfully.
For staff who have been exempted from awareness activities for any reason, the organization should keep records documenting the rationale for the waiver, and the staff member’s manager (or similarly appropriate person) should approve the waiver.
Awareness activity records may be important in considering promotions or job assignments and thus should be made available to those who must make these types of decisions on a regular basis.
The effectiveness of the awareness program is assessed and corrective actions are identified.
A process should be implemented to evaluate the effectiveness of the awareness program by assessing how well program activities meet the awareness needs of the organization and staff.
Typically, assessing awareness program effectiveness occurs in the form of evaluations of awareness activities, but it may be a more challenging task for informal methods of awareness such as posters or regular communications.
Typical work products
Subpractices
The purpose of this assessment is to determine whether awareness is sufficient to support the organization’s resilience posture and program.
For external entities that are being assessed, this should be included as part of the regular review of their contracts and performance.
For awareness presentations, the evaluation mechanism should include evaluations of both the material and the presenters.
Training capabilities that support the operational resilience management system are established and maintained.
Training capability is established to provide focused and specific training to people who have roles and responsibilities that are focused on the operational resilience management system. The organization identifies the training needed to impart to people the necessary skills and knowledge to perform their roles and meet their responsibilities. A training plan is developed to guide the delivery of the training. Training materials and other resources are assembled to support the training plan.
Identifying staff with resilience roles and responsibilities, managing their performance, and conducting skills and knowledge gap analyses are addressed in the Human Resource Management process area.
The training needs of the organization are established and maintained.
Resilience training needs reflect the skills and competencies required at a tactical level to carry out the activities required for managing operational resilience. These activities cover a broad range of disciplines, including security activities, business continuity, IT operations, and service delivery. As a result, the training needs for resilience staff tend to be vast and must seek not only to include these disciplines but to address the convergence of these disciplines toward the goal of actively managing resilience.
Training needs are established by identifying people in the organization with resilience roles and responsibilities and analyzing gaps in their knowledge and skills that have to be addressed in order for them to succeed in their resilience roles. Training needs should also be informed by the organization’s resilience plan and strategy. (Refer to the Enterprise Focus process area.)
Some staff may have resilience roles only during times of stress or when the organization is responding to a disruption. It is important in the needs analysis process to account for these or any other secondary roles that people may have that are key to the resilience process but occur on a more discrete rather than continuous basis.
Skill inventories and gap analyses are explicitly addressed in the Human Resource Management process area.
Cross-training and training for succession planning are also addressed in the People Management process area and are key inputs for the training needs established in Organizational Training and Awareness.
Typical work products
Subpractices
Input to this process may be derived from the processes in the Human Resource Management and People Management process areas.
The training needs should focus not only on the skills and knowledge needed to perform particular roles in the supporting disciplines of security, business continuity, and IT operations and service delivery, but also on the convergence aspects of these disciplines toward operational resilience management. The training needs should also adequately cover the capabilities represented by the operational resilience management system.
A plan for developing, implementing, and maintaining a resilience training program is established and maintained.
A tactical training plan is created to plan the development, delivery, and maintenance of training materials to meet the organization’s resilience training needs. The plan should address near-term development and delivery and should be periodically adjusted in response to new or changing needs and to the assessment of effectiveness of training activities.
Typical work products
Training plans typically include the following:
• training needs
• training topics
• schedules based on training activities and their dependencies
• methods used for training
• requirements and quality standards for training materials
• training tasks, roles, and responsibilities
• required resources, including tools, facilities, environments, staffing, and skills and knowledge
Because resilience training can cover a broad range of topics, documented commitments by those responsible for implementing and supporting the plan are essential for the plan to be effective.
A capability for delivering training to resilience staff is established and maintained.
The organization must be capable of providing resilience training across a broad range of topics and to a vast audience of resilience staff. The training must cover the topic areas of security, business continuity, and IT operations and service delivery, as well as the supporting process areas established by the operational resilience management system, including compliance management, financial resource management, and relationships with external entities, to name a few.
Capabilities for implementing the training plan must be established and maintained, including the selection of appropriate training approaches, sourcing or developing training materials, obtaining appropriate instructors, announcing the training schedule, and revising the training capability as needed.
If training needs have been identified for people who are not part of the organization—for example, external entities such as outsourcer, vendor, or supplier staff—then this practice should also be extended to establish and maintain the capability to train those people as well.
Guidelines on incorporating training requirements into external entity agreements or for making organizational training assets available for use by external entities are included in the External Dependencies Management process area.
Typical work products
Many factors may affect the selection of training approaches, such as audience-specific knowledge, costs and schedule, and work environment. Selection of an approach requires consideration of the means to provide skills and knowledge in the most effective way possible given the constraints.
Depending on the specific content, some customized materials may contain sensitive or proprietary information, in which case suitable provisions should be included in the external entity agreement. (Refer to the External Dependencies Management process area for guidelines on establishing and maintaining relationships with external sources of training materials.)
To ensure that internally provided training instructors have the necessary knowledge and training skills, criteria can be defined to identify, develop, and qualify them. In the case of externally provided training, the organization’s training staff can investigate how the training provider determines which instructors will deliver the training. This can also be a factor in selecting or continuing to use a specific training provider.
Training necessary for staff to perform their roles effectively is provided.
The organization must perform resilience training to ensure that staff are appropriately skilled in their roles to support the operational resilience management system. Training must be delivered according to the training plans developed and must address the vast range of needs represented in the operational resilience management system. Training records are established for the purpose of tracking training activities, and the effectiveness of the training activities is evaluated.
Training is delivered according to the training plan.
Resilience training is provided by the organization (or its training provider as appropriate) to fulfill the resilience training needs and training plan. The appropriate mix of training is determined based on the needs, and the staff selected to participate in the training are determined based on their current skill level.
Training delivery for the operational resilience management system is not a trivial task. The broad range of skills needed to perform the competencies required to manage operational resilience calls for extensive training. In addition, the intensity of the training may range from informal activities to hands-on, skill-based training.
Typical work products
Subpractices
Training is intended to impart knowledge and skills to people performing various roles within the organization. Some people already possess the knowledge and skills required to perform well in their designated roles. Training can be waived for these people, but care should be taken that training waivers are not abused.
Training should be planned and scheduled. The training provided has a direct bearing on expected work performance; therefore, optimal training is delivered in a timely manner relative to imminent job performance expectations. These expectations often include the following:
• training in the use of specialized tools
• training in procedures that are new to the individual who will perform them
Experienced instructors should perform training. When possible, training is conducted in settings that closely resemble actual performance conditions and includes activities to simulate actual work situations. This approach includes integration of tools, methods, and procedures for competency development. Training is tied to work responsibilities so that on-the-job activities or other outside experiences will reinforce the training within a reasonable time after the training.
Records of delivered training are established and maintained.
Training records enable the organization to verify that training activities have been conducted according to plan. Training records may also be required to prove that a compliance obligation has been met or to support the retention of credentials or certification. Such records also facilitate the evaluation of training effectiveness.
Since this practice is related to the organization’s resilience training, the training records may be a subset of the full organizational training records.
Refer to the Compliance process area for information about tracking training activities for compliance purposes.
Typical work products
Subpractices
The rationale for granting a waiver should be documented, and both the manager responsible and the manager of the excepted individual should approve the waiver for organizational training.
Training records may be important in considering promotions or job assignments and thus should be made available to those who must make these types of decisions on a regular basis.
The effectiveness of the training program is assessed and corrective actions are identified.
A process should exist to determine the effectiveness of training for meeting the training needs of staff involved in the operational resilience management system.
Typical work products
Data can be gathered through surveys or other mechanisms from course participants or from their managers to determine the impact of the training on course participants’ ability to perform their resilience roles and responsibilities.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Organizational Training and Awareness process area.
The operational resilience management system supports and enables achievement of the specific goals of the Organizational Training and Awareness process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Organizational Training and Awareness process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices OTA:SG1.SP1 through OTA:SG4.SP3 are performed to achieve the goals of the organizational training and awareness process.
Organizational training and awareness is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the organizational training and awareness process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the organizational training and awareness process.
Elaboration:
Establish and maintain the plan for performing the organizational training and awareness process.
Elaboration:
Specific practices OTA:SG1.SP2 and OTA:SG3.SP2 require the development of plans for how the organization will carry out organizational resilience awareness and training, respectively. In generic practice OTA:GG2.GP2, the planning elements required in specific practices OTA:SG1.SP2 and OTA:SG3.SP2 are formalized and structured and performed in a managed way. These are separate and distinct from the organizational training and awareness process plan.
Subpractices
Elaboration:
Special consideration in the plan may have to be given to training and awareness for skill development, sustaining skill competencies, and reassignment planning for various roles. These activities aid in protecting and sustaining people to support operational resilience.
Special consideration in the plan may also have to be given to how the organization incorporates training and awareness activities for resources that are not under its direct control, including external entities such as contractors, outsourcing partners, training suppliers, and other business partners.
Provide adequate resources for performing the organizational training and awareness process, developing the work products, and providing the services of the process.
Elaboration:
Specific practices OTA:SG1.SP2 and OTA:SG3.SP2 require the assignment of resources to the organizational resilience awareness and training plans, respectively. In generic practice OTA:GG2.GP3, resources are formally identified and assigned to plan elements. These are separate and distinct from the resources required to execute the organizational training and awareness process plan.
The diversity of activities required to ensure adequate, up-to-date training and awareness of resilience staff requires an extensive level of organizational resources and skills and may require a significant number of external resources. In addition, these activities may require a major commitment of financial resources (both expense and capital) from the organization.
Subpractices
Elaboration:
This generic practice, as related to organizational training and awareness, refers to staffing the organizational training and awareness process plan, not the individual organizational training and awareness plans. Assigning resources to organizational training and awareness plans is included in specific practices OTA:SG1.SP2 and OTA:SG3.SP2.
Refer to the Human Resource Management process area for information about acquiring staff for resilience roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for organizational training and awareness.
Elaboration:
Assign responsibility and authority for performing the organizational training and awareness process, developing the work products, and providing the services of the process.
Elaboration:
Specific practices OTA:SG1.SP2 and OTA:SG3.SP2 require the assignment of responsibility to the organizational awareness and training plans. In generic practice OTA:GG2.GP4, commitments are formally identified to support resource allocations to plan elements. These are separate and distinct from the assignment of responsibilities for the organizational training and awareness process plan.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Responsibility and authority may extend not only to staff inside the organization but to those external entities with which the organization has a contractual agreement for creating, delivering, and maintaining awareness and training materials.
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the organizational training and awareness process as needed.
Elaboration:
Specific practices OTA:SG1.SP1 and OTA:SG3.SP1 call for establishing awareness needs and training needs for resilience awareness and training plans and programs, respectively.
Refer to the External Dependencies Management process area for more information about awareness training for external entities such as business partners, suppliers, and vendors.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Subpractices
Elaboration:
These skill needs are related to delivering the organizational training and awareness process, not the development and delivery of subject matter information related to security, business continuity, IT operations management, or the management of operational resilience. The identification of skill needs for subject matter areas is included in the subpractices for generic practice GG2.GP5 in each of the individual process areas.
Place designated work products of the organizational training and awareness process under appropriate levels of control.
Refer to the Compliance process area for information about tracking awareness activities for compliance purposes.
Elaboration:
Specific practices OTA:SG2.SP2 and OTA:SG4.SP2 address the record-keeping and documentation process for organizational training and awareness activities.
Identify and involve the relevant stakeholders of the organizational training and awareness process as planned.
Elaboration:
Many OTA-specific practices address the involvement of stakeholders in the organizational training and awareness process. For example, specific practice OTA:SG1.SP1 calls for identifying staff groups and their particular awareness needs, and specific practice OTA:SG1.SP2 ensures that these needs are addressed in the awareness training plan.
Subpractices
Monitor and control the organizational training and awareness process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Deviations from the organizational training and awareness plan may occur when organizational units fail to follow the enterprise-sponsored process. These deviations may affect the operational resilience of the organizational unit’s services but may also have a cascading effect on enterprise operational resilience objectives.
Objectively evaluate adherence of the organizational training and awareness process against its process description, standards, and procedures, and address non-compliance.
Review the activities, status, and results of the organizational training and awareness process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Organizational training and awareness is institutionalized as a defined process.
Establish and maintain the description of a defined organizational training and awareness process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Elaboration:
Each organizational unit will perform organizational training and awareness in a slightly different manner depending on operational concerns, identified needs and skill gaps, availability of supporting infrastructure, and requirements.
Collect organizational training and awareness work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices