Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Applicable Controls
CIS Control | CIS Safeguard | Asset Type | Security Function | Title | Description |
---|---|---|---|---|---|
14 | 14.1 | N/A | Protect | Establish and Maintain a Security Awareness Program | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. |
Policy Templates for Security Controls
Enterprise Asset Management Policy Template for CIS Control 1
This template can assist an enterprise in developing an enterprise asset management policy.
Software Asset Management Policy Template for CIS Control 2
This template can assist an enterprise in developing a software asset management policy.
Data Management Policy Template for CIS Control 3
This template can assist an enterprise in developing a data management policy.
Account and Credential Management Policy Template for CIS Controls 5 and 6
This template can assist an enterprise in developing an account and credential management policy.
Service Provider Management Policy Template for CIS Control 15
This template can assist an enterprise in developing a service provider management policy.
Public and Non-profit Tools
Massachusetts State Police | Commonwealth Fusion Center Massachusetts Cybersecurity Program (MCP)
The MCP works closely with federal, state, local, and private sector agencies to establish effective communications and relationships and provide cybersecurity threat reporting, training, education, and awareness to Massachusetts organizations.
Email: mcppol@pol.state.ma.us
CIS & MS-ISAC Malicious Domain Blocking and Reporting (MDBR) Service
Free service for MS-ISAC members: implements recursive Domain Name Service (DNS) technology that prevents IT systems from connecting to harmful web domains. This limits infections related to known malware, ransomware, phishing, and other threats.
NSA DIB Cybersecurity Services – Protective DNS
NSA offers no-cost cybersecurity services to any company that contracts with DoD (sub or prime) or has access to non-public DoD information. Protective DNS (PDNS) is a DNS filter which blocks users from connecting to malicious or suspicious domains. To date, NSA’s PDNS program has blocked 1 billion malicious or suspicious domains, including nation-state spearphishing, malware, botnets, and ransomware activity.
National Security Agency - Threat Intelligence Collaboration
NSA offers no-cost cybersecurity services to any company that contracts with DoD (sub or prime) or has access to non-public DoD information. Enter into a voluntary, mutually beneficial cyber threat information sharing relationship with the NSA. They will establish a secure collaboration channel with your cyber threat analysts and share non-public, DIB-specific threat intelligence to help you prevent, detect, and mitigate malicious cyber activity. This channel is also a way for your team to submit questions and feedback on findings related to the threat intelligence directly back to NSA.
LevelBlue
Gain FREE access to over 20 million threat indicators contributed daily. Collaborate with over 200,000 global participants to investigate emerging threats in the wild. Automatically extract IOCs from blogs, threat reports, emails, PCAPs, and more. Submit files and URLs for free malware analysis within the LevelBlue Labs OTX sandbox.