Awareness & Training Requirements
Introduction
This document establishes the minimum security requirements needed to ensure that Facebook's personnel are provided with cybersecurity awareness and training so they can perform their cybersecurity-related tasks.
Scope
This policy applies to all individuals who access company-provided systems. Whether you’re an employee, contractor, or visitor, these guidelines govern your use of networks, devices, and software.
Requirements
General Training
Users are provided awareness and training so they possess the knowledge and skills to perform general tasks with security risks in mind.
Users must complete privacy and security training during onboarding and annually after that.
Privacy and security training owners must update training annually to ensure relevancy and incorporate lessons learned from incidents.
Users with email addresses must receive monthly phishing tests.
Users who fail a phishing test must complete additional training.
Role-Based Training
Individuals in specialized roles are provided awareness and training so they possess the knowledge and skills to perform relevant tasks with security risks in mind.
AT-1 Developer Training. Developers must complete secure code training annually.
AT-2 Datacenter Training. Datacenter employees must complete environmental systems training annually.
Employees must complete physical security training annually.
Disaster recovery plan owners must be trained on their responsibilities annually.
Appendix. External Requirements
AT-1
ISO 27002 8.2.2
PCI DSS 4.0 Requirement 12.6
Texas’s Health Privacy Law, H.B. No. 300 §181.101
AT-2
OSHA hazardous materials law
Last updated