The chief information security officer shall provide training for all personnel with contingency roles and responsibilities following each revision to the agency's information system contingency plan and as part of the new hire training program.
An organization is unable to resume it's activities following a disruption since it has not considered strategic options for its critical activities and the resources that each activity will require on its resumption.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization trains applicable personnel for contingency roles and responsibilities.
The state organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides periodic refresher training.
Obtain contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records and ascertain if: (I)the organization provides contingency training to personnel with contingency roles and responsibilities. (ii)the organization defines in the security plan, explicitly or by reference, the frequency of refresher contingency training and the frequency is at least annually. (iii)the organization provides initial training and refresher training in accordance with organization-defined frequency. (iv)the contingency training material addresses the procedures and activities necessary to fulfill identified organizational contingency roles and responsibilities.
