Conduct Role-Specific Security Awareness and Skills Training
Description
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.
Implementation Checklist
Tool Recommendations
Security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
KnowBe4 · Per-user subscription
Adaptive security awareness and behavior change platform with targeted training based on real threat data
Proofpoint · Per-user subscription
Phishing simulation and security awareness platform with real-time threat intelligence and incident response
Cofense · Per-user subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
System Administrator Misconfigures Critical Security Control
Confidentiality: An IT administrator inadvertently opens a firewall rule too broadly or misconfigures a security group because they never received role-specific training on secure system administration practices.
Developer Introduces OWASP Top 10 Vulnerability into Production
Integrity: A web developer deploys code containing an injection vulnerability because they were never provided role-specific training on secure coding practices and common web application flaws.
Executive Targeted by Advanced Whaling Attack
Confidentiality: A C-level executive falls victim to a highly targeted whaling attack because they never received the advanced social engineering awareness training appropriate for their high-profile role.
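The developer scenario above is the kind of defect role-specific secure coding training is meant to prevent. The following is an added example, not code from the original page or from any referenced vendor or the CIS Controls themselves: it places the untrained pattern (string-building a SQL query from user input) beside the parameterized form a trained developer would write, and runs both against a constructed in-memory SQLite table so the difference is observable. The table, rows, function names and the injection payload are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Untrained pattern: attacker-controlled text is spliced into the SQL statement.

    A value such as  ' OR '1'='1  closes the quoted literal and appends a
    tautology, so the WHERE clause matches every row (OWASP Top 10: Injection).
    """
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Trained pattern: a parameterized query.

    The driver sends the value as data bound to the placeholder; it is never
    parsed as SQL, so the same payload simply fails to match any username.
    """
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a classic injection payload.

    Returns (rows leaked by the vulnerable lookup, rows returned by the safe one).
    """
    conn = make_db()
    payload = "' OR '1'='1"  # hypothetical attacker input
    leaked = lookup_user_vulnerable(conn, payload)
    safe = lookup_user_safe(conn, payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked_count, safe_count = demo()
    print(f"vulnerable lookup returned {leaked_count} rows, safe lookup returned {safe_count}")
```

The vulnerable function returns the entire table for the payload while the parameterized version returns nothing, which is the concrete behaviour a developer-focused module on injection should let trainees reproduce rather than only read about.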
Vulnerabilities (When Safeguard Absent)
No Role-Specific Security Skills Training
Without role-specific training, personnel in specialized positions such as developers, system administrators, and executives lack the targeted security knowledge required to protect against threats specific to their functions.
Generic Training Insufficient for Technical Roles
General awareness training alone does not equip developers with secure coding knowledge or administrators with hardening expertise, leaving critical technical security gaps in high-impact roles.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |