HRS-005 Role-Based Security Training
Description
Personnel in roles with elevated security responsibilities — including system administrators, developers, data handlers, and incident responders — receive role-specific security training before gaining access to production systems and at defined intervals thereafter. Training records are maintained for each individual.
Rationale
General awareness training is insufficient for personnel who make security-critical decisions or hold elevated privileges. Role-based training ensures that those with the greatest access have the domain-specific knowledge to exercise it safely.
Framework Mappings (5)
| Control | Title | Coverage |
|---|---|---|
| HRS-12 | Personal and Sensitive Data Awareness and Training | full |
| 6.3 | Information security awareness, education and training | partial |
| AT-3 | Role-based Training | full |
| AT-4 | Training Records | partial |
| PM-13 | Security and Privacy Workforce | partial |
Evidence (2)
Role-based security training completion records for personnel in elevated-privilege or security-critical roles.
Example: Training completion records from the LMS (KnowBe4 / internal training platform) filtered to role-based tracks — e.g. 'Cloud Security for Admins', 'Secure Coding', 'Incident Response' — showing: employee name, role, training completed, completion date, and next due date.
Test: Export role-based training completion records for system administrators, developers, and incident responders. Verify: (1) every individual in a defined elevated-privilege role has a training completion record for the relevant role track, (2) completion occurred before or within 30 days of gaining production access, (3) annual renewal completions are on file, (4) no individual in a high-privilege role is overdue.
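The four verification steps in the test above, carried out over an LMS export, as an added Python example that is not part of the control catalog. The roster, the completion records and the role-to-track mapping are constructed sample data; a real export would have to be loaded into the same record shape.

```python
from datetime import date, timedelta

# Hypothetical mapping of elevated-privilege roles to the role track each must complete.
ROLE_TRACKS = {
    "sysadmin": "Cloud Security for Admins",
    "developer": "Secure Coding",
    "incident_responder": "Incident Response",
}
GRACE_DAYS = 30     # completion must occur before or within 30 days of production access
RENEWAL_DAYS = 365  # annual renewal: latest completion must be within the last year
AS_OF = date(2024, 7, 1)  # constructed audit date

# Constructed roster of people in elevated roles and the date they were granted production access.
ROSTER = [
    {"name": "alice", "role": "sysadmin", "prod_access": date(2024, 1, 10)},
    {"name": "bob", "role": "developer", "prod_access": date(2024, 3, 1)},
    {"name": "carol", "role": "incident_responder", "prod_access": date(2023, 6, 1)},
    {"name": "dave", "role": "developer", "prod_access": date(2024, 5, 1)},
]
# Constructed LMS completion records (deliberately contain three control failures).
COMPLETIONS = [
    {"name": "alice", "track": "Cloud Security for Admins", "completed": date(2024, 1, 5)},
    {"name": "bob", "track": "Secure Coding", "completed": date(2024, 4, 20)},       # > 30 days late
    {"name": "carol", "track": "Incident Response", "completed": date(2023, 5, 20)},  # never renewed
    # dave has no completion record at all
]

def audit(roster, completions, as_of):
    """Return (name, finding) pairs for everyone who fails checks (1)-(4) of the test."""
    findings = []
    for person in roster:
        track = ROLE_TRACKS[person["role"]]
        dates = sorted(c["completed"] for c in completions
                       if c["name"] == person["name"] and c["track"] == track)
        if not dates:  # check (1): a record must exist for the relevant role track
            findings.append((person["name"], f"no completion record for '{track}'"))
            continue
        first, latest = dates[0], dates[-1]
        deadline = person["prod_access"] + timedelta(days=GRACE_DAYS)
        if first > deadline:  # check (2): completed before or within 30 days of access
            findings.append((person["name"], f"first completion {first} is after deadline {deadline}"))
        if (as_of - latest).days > RENEWAL_DAYS:  # checks (3)/(4): renewal on file, not overdue
            findings.append((person["name"], f"overdue: latest completion {latest} is older than a year"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(ROSTER, COMPLETIONS, AS_OF):
        print(f"{name}: {finding}")
```

An empty result from `audit` is the pass condition for the test; each finding names the individual and which of the four checks failed.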
Role-based training procedure defining which roles require additional training, the required curriculum per role, and the completion deadline before production access is granted.
Example: Role-Based Security Training Procedure (Confluence), listing: designated high-sensitivity roles (e.g. sysadmin, DevOps, data engineer, security analyst), required training modules per role, maximum time-to-complete after role assignment, and records retention requirement.
Test: Request the role-based training procedure. Verify: (1) at least three distinct elevated-privilege role categories are listed, (2) specific training modules are assigned to each role, (3) a maximum time-to-complete deadline is stated, (4) the procedure is approved and dated within the last 12 months.
Questions (2)
Do personnel in elevated-privilege or security-critical roles (e.g. sysadmins, developers, incident responders) receive role-specific security training before gaining production access and at defined intervals thereafter?
Role-based training records should show completion before or within 30 days of production access being granted, with annual renewal records on file.
Which of the following role-specific security training tracks does your organization deliver?
At least three distinct role tracks covering different privilege tiers are expected. Training should be matched to the specific systems and data each role can access.