Train Workforce on Data Handling Best Practices
Description
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Implementation Checklist
Tool Recommendations
KnowBe4 · Per-user subscription: Security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
Proofpoint · Per-user subscription: Adaptive security awareness and behavior change platform with targeted training based on real threat data
Cofense · Per-user subscription: Phishing simulation and security awareness platform with real-time threat intelligence and incident response
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Sensitive Data Left on Shared Drive Without Access Controls
Confidentiality: An employee stores highly sensitive customer data on an open network share accessible to all staff because they were never trained on proper data handling and storage classification requirements.
Improper Disposal of Physical Documents Containing PII
Confidentiality: An employee discards printed documents containing personally identifiable information in a regular trash bin instead of shredding them because data handling training was never provided.
Sensitive Data Visible on Unattended Screen
Confidentiality: An employee leaves their workstation unlocked displaying sensitive financial data while away from their desk, exposing information to passersby because clear screen practices were never taught.
Vulnerabilities (When Safeguard Absent)
Workforce Unaware of Data Classification and Handling Procedures
Without data handling training, employees do not understand how to classify data by sensitivity or follow proper procedures for storing, transferring, archiving, and destroying sensitive information.
No Clear Desk and Clear Screen Practices
Absence of training on workspace security practices leads to sensitive data being left visible on screens, desks, and whiteboards where unauthorized individuals can view it.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |