Safeguard 14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Implementation Groups: IG1, IG2, IG3

Asset Type: N/A
Security Function: Protect

Description

Train the workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include how to notify IT personnel of any failures in automated processes and tools.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Develop or procure training content
7. Define training audience and completion requirements
8. Deploy training and track completion rates
9. Measure training effectiveness through testing/simulation
10. Draft policy/procedure document
11. Obtain stakeholder review and approval
12. Communicate to affected personnel
13. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Exploitation of Known Vulnerability on Unpatched System

Impact: Integrity

An attacker exploits a publicly disclosed vulnerability on a system where automated patching failed, and the failure went unreported because the user was not trained to recognize or report missing security updates.

Extended Exposure Window from Unreported Patch Failure

Impact: Availability

An endpoint's automatic update mechanism breaks silently, leaving the system unpatched for months because the employee using the device was never trained to verify patch status or report anomalies.

Vulnerabilities (When Safeguard Absent)

Users Unable to Identify Missing Security Updates

Without training on how to verify software patch status, employees cannot recognize when their systems are out of date or when automated patching tools have failed.

No Process for Users to Report Automated Tool Failures

Employees who are not trained on reporting update failures do not escalate issues when they notice software is outdated, leaving IT unaware of patching gaps across the fleet.

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
----------|----------------------------------------------------------------------------|--------------------------------------------
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Record    | Training completion records and compliance rates                           | Tracked continuously, reported quarterly
Document  | Training content and curriculum documentation                              | Reviewed annually
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually