DS7 Educate and Train Users

Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training program increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls, such as user security measures.

Control over the IT process of Educate and Train Users that satisfies the business requirement for IT of
  • effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures
by focusing on
  • a clear understanding of IT user training needs, execution of an effective training strategy and measurement of the results
is achieved by
  • Establishing training curricula
  • Organizing training
  • Delivering training
  • Monitoring and reporting on training effectiveness
and is measured by
  • Number of service desk calls due to lack of user training
  • Percent of stakeholder satisfaction with training provided
  • Time lag between identification of a training need and the delivery of the training

Management of the process of Educate and Train Users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is:

1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized


Benchmarks/Guidelines for Scoring

1 Non-existent when
There is a complete lack of a training and education program. The organization does not even recognize that there is an issue to be addressed with respect to training, and there is no communication on the issue.
2 Initial/Ad Hoc when
There is evidence that the organization has recognized the need for a training and education program, but there are no standardized processes. In the absence of an organized program, employees identify and attend training courses on their own. Some of these training courses address the issues of ethical conduct, system security awareness and security practices. The overall management approach lacks any cohesion, and there is only sporadic and inconsistent communication on issues and approaches to address training and education.
3 Repeatable but Intuitive when
There is awareness of the need for a training and education program and for associated processes throughout the organization. Training is beginning to be identified in the individual performance plans of employees. Processes are developed to the stage where informal training and education classes are taught by different instructors, whilst covering the same subject matter with different approaches. Some of the classes address the issues of ethical conduct and system security awareness and practices. There is high reliance on the knowledge of individuals. However, there is consistent communication on the overall issues and the need to address them.
4 Defined when
A training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.
5 Managed and Measurable when
There is a comprehensive training and education program that yields measurable results. Responsibilities are clear, and process ownership is established. Training and education are components of employee career paths. Management supports and attends training and educational sessions. All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance by constantly reviewing and updating the training and education program and processes. Processes are under improvement and enforce best internal practices.
6 Optimized when
Training and education result in an improvement of individual performance. Training and education are critical components of the employee career paths. Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. Processes are refined and are under continuous improvement, taking advantage of best external practices and maturity modeling with benchmarking against other organizations. All problems and deviations are analyzed for root causes, and efficient action is expediently identified and taken. There is a positive attitude with respect to ethical conduct and system security principles. IT is used in an extensive, integrated and optimized manner to automate and provide tools for the training and education program. External training experts are leveraged, and benchmarks are used for guidance.