Establish and Maintain a Security Awareness Program
Description
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
- KnowBe4 (per-user subscription): security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
- Proofpoint (per-user subscription): adaptive security awareness and behavior change platform with targeted training based on real threat data
- Cofense (per-user subscription): phishing simulation and security awareness platform with real-time threat intelligence and incident response
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Enterprise-Wide Phishing Campaign Targeting Untrained Workforce (Confidentiality)
A sophisticated phishing campaign targets employees who have received no security awareness training, resulting in widespread credential compromise because staff cannot recognize social engineering tactics.
Accidental Insider Threat from Security-Unaware Employee (Integrity)
An employee unknowingly installs malware by clicking a malicious link or opening a weaponized attachment because they have never been educated on safe computing practices through a formal awareness program.
Social Engineering Attack Exploiting Lack of Security Culture (Confidentiality)
An attacker impersonates a vendor over the phone and convinces an employee to share system credentials, succeeding because no security awareness program has established a culture of verification and skepticism.
Vulnerabilities (When Safeguard Absent)
No Formal Security Awareness Training Program
Without an established security awareness program, employees receive no structured education on security threats, safe practices, or organizational policies, leaving human behavior as the weakest link.
Untrained New Hires Immediately Exposed to Threats
Absence of onboarding security training means new employees begin handling enterprise assets and data without understanding the threat landscape or their role in maintaining security.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |