Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Why Is This Control Critical?
The actions of people play a critical part in the success or failure of an enterprise's security program. It is easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise, than to find a network exploit to do it directly. Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites. No security program can effectively address cyber risk without a means to address this fundamental human vulnerability.
Safeguards (9)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 14.1 | Establish and Maintain a Security Awareness Program | N/A | Protect | IG1, IG2, IG3 |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | N/A | Protect | IG1, IG2, IG3 |
| 14.3 | Train Workforce Members on Authentication Best Practices | N/A | Protect | IG1, IG2, IG3 |
| 14.4 | Train Workforce on Data Handling Best Practices | N/A | Protect | IG1, IG2, IG3 |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | N/A | Protect | IG1, IG2, IG3 |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | N/A | Protect | IG1, IG2, IG3 |
| 14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | N/A | Protect | IG1, IG2, IG3 |
| 14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | N/A | Protect | IG1, IG2, IG3 |
| 14.9 | Conduct Role-Specific Security Awareness and Skills Training | N/A | Protect | IG2, IG3 |