Train Workforce Members on Recognizing and Reporting Security Incidents
Description
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Implementation Checklist
Tool Recommendations
Security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
KnowBe4 · Per-user subscription
Adaptive security awareness and behavior change platform with targeted training based on real threat data
Proofpoint · Per-user subscription
Phishing simulation and security awareness platform with real-time threat intelligence and incident response
Cofense · Per-user subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Prolonged Compromise Due to Unreported Suspicious Activity
Confidentiality: An employee notices unusual system behavior indicating a compromise but does not report it because they were never trained on what constitutes a security incident or how to report one.
Phishing Attack Spreads Due to Non-Reporting
Integrity: An employee receives and recognizes a suspicious email but deletes it without reporting, allowing the same phishing campaign to continue targeting other employees unwarned.
Physical Security Breach Goes Unreported
Confidentiality: An employee observes an unauthorized individual in a restricted area but does not report the incident because they were never trained on physical security incident recognition and reporting procedures.
Vulnerabilities (When Safeguard Absent)
Workforce Cannot Recognize Security Incidents
Without training on incident indicators, employees fail to identify signs of compromise such as unexpected system behavior, unauthorized access attempts, or suspicious communications as reportable events.
No Known Reporting Channel for Security Incidents
Employees who have not been trained on reporting procedures do not know who to contact, what information to provide, or what urgency to assign when they encounter potential security incidents.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |