Description
Require the developer of the system, system component, or system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.
Supplemental Guidance
Developer-provided training applies to external and internal (in-house) developers. Training of personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems.
Changes from Rev 4
No significant changes from Rev 4.
MITRE ATT&CK Techniques (3)
ATT&CK v16.1. Techniques mitigated by this control, mapped via CTID.
Initial Access (2), Persistence (3), Privilege Escalation (3), Defense Evasion (3)
Initial Access
Privilege Escalation
Compliance Mappings
ISO 27001:2022
A.8.28
ISO 27002:2022
8.28
CIS Controls v8
CIS 16.9
PCI DSS v4.0.1
6.2.1
MAS TRM
6
BIO2
8.28
RBI CSF
Annex1.6
FISC Security Guidelines
FISC.O10, FISC.T6
HKMA TM-E-1
TME1.3.2
SAMA CSF
3.2
UAE IA
T10
CBB TM
TM-7
Qatar NIA
SD
CBUAE
CR-6
CBE CSF
CTO-4
BoG CISD
CISD-SDLC
BoM CTRM
3.11
EBA ICT Guidelines
3.6.2
BOT Cyber Resilience
Ch2.5
PCI PTS v6
H
PRA SS1/23
P3.3
HITRUST CSF v11
10.d