GCP Security best practice: A training and awareness program focused on cloud product security shall be in place

This Google Cloud Platform security best practice is part of the Governance Risk and Compliance security domain.

The training program shall include:

  • Reviewing risks
  • Reviewing actions each group shall take to treat risks
  • Training and testing participants in their responsibilities
  • Requiring participants to pass before they are allowed to participate in the development and support of cloud products

Remediate areas of noncompliance and track progress toward remediation, to include:

  • Developing a plan of action and milestones for the information system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls, and to reduce or eliminate known vulnerabilities in the system
  • Updating the existing plan of action and milestones each quarter, based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities