Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Why Is This Control Critical?
The actions of people play a critical part in the success or failure of an enterprise's security program. It is easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise, than to find a network exploit to do it directly. Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites. No security program can effectively address cyber risk without a means to address this fundamental human vulnerability.
Related Policy Templates
Safeguards (9)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 14.1 | Establish and Maintain a Security Awareness Program | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.3 | Train Workforce Members on Authentication Best Practices | Protect |
IG1
IG2
IG3
|
10 | 6 |
| 14.4 | Train Workforce on Data Handling Best Practices | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Protect |
IG1
IG2
IG3
|
9 | 7 |
| 14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 14.9 | Conduct Role>Specific Security Awareness and Skills Training | Protect |
IG2
IG3
|
10 | 7 |
Audit Verification Details
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Multi-factor authentication is enforced on all in-scope systems and accounts.
MFA enrollment status reports, conditional access policy config
Password policies meet or exceed defined complexity and length requirements.
Identity provider password policy configuration
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
MFA exceptions are documented, approved, and compensating controls are in place.
Exception records with compensating control documentation
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Incident response plan is documented, current, and includes escalation paths.
IR plan with review date, escalation contact list
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
Post-incident reviews are conducted and findings drive improvements.
Post-incident review reports, corrective action tracking
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Vulnerability scans cover all in-scope assets and run at the defined frequency.
Scan reports with scope and schedule evidence
Changes to protection controls follow the change management process.
Change tickets, approval records
Vulnerabilities are remediated within defined SLAs by severity.
Remediation tracking with SLA compliance metrics
Exceptions and risk acceptances are documented and approved.
Exception/waiver records with management sign-off
Security awareness training is completed by all required personnel within the defined timeframe.
Training completion reports and compliance rates
Training effectiveness is measured (e.g., phishing simulation results).
Phishing simulation reports, quiz scores, trend data
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |