The actions of people play a critical part in the success or failure of an enterprise's security program. It is often easier for an attacker to entice a user into clicking a link or opening an email attachment that installs malware than to find and exploit a network-facing vulnerability directly.
Users themselves, both intentionally and unintentionally, can cause incidents by mishandling sensitive data, sending an email containing sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or reusing the passwords they use on public sites.
No security program can effectively address cyber risk without a means to address this fundamental human vulnerability. Users at every level of the enterprise have different risks. For example, executives handle more sensitive data; system administrators have the ability to control access to systems and applications; and users in finance, human resources, and contracts all have access to different types of sensitive data that can make them targets.
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Applicable Controls
CIS Control | CIS Safeguard | Asset Type | Security Function | Title | Description |
---|---|---|---|---|---|
14 | 14.1 | N/A | Protect | Establish and Maintain a Security Awareness Program | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. |
Policy Templates for Security Controls
Acceptable Use Policy Template for the CIS Controls
This template can assist an enterprise in developing acceptable use for the CIS Controls.
Security Awareness Skills Training Policy Template for CIS Control 14
This template can assist an enterprise in developing a security awareness skills training policy.
Public and Non-Profit Tools
Public and non-profit tools that may support small businesses and municipalities with security awareness and skills training.
Celerium CMMC Academy: Celerium has provided free resources to help defense contractors understand and prepare for the CMMC maturity levels and their respective practices, including an online reference guide, on-demand videos, and free self-assessment tools. Membership is free.
Cybersecurity and Infrastructure Security Agency (CISA) Learning: CISA Learning offers content from FedVTE for users of all proficiency levels, from beginner to advanced; 850 hours of training mapped to the NICE Framework; certification prep courses on topics such as Ethical Hacking, Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP); and the ability to work at one's own pace from any computer or mobile device.
Mass Bay Community College Cybersecurity Range: The Cyber Range laboratory created through this grant offers both virtual lab access and in-person learning environments, equipping students and organizations with the knowledge and skills essential for navigating the evolving landscape of cybersecurity. This cutting-edge facility provides a simulated, real-world environment where participants engage in complex cybersecurity scenarios, including network intrusions, malware analysis, digital forensics and incident response. Through hands-on experience, participants gain critical technical competencies, while also honing teamwork, communication and analytical problem-solving skills. For employers, the Cyber Range serves as a strategic training partner, offering tabletop exercises, educational workshops and upskilling programs tailored to enhance the cybersecurity preparedness of their workforce.
Bridgewater State University Cyber Range: Bridgewater State University utilizes a state-of-the-art cybersecurity training facility designed to simulate real-world cyber threats and attacks with unparalleled realism. Our 1,900 square foot facility is equipped with 24 workstations, a commanding video wall, and a fully operational command center, making it the most advanced of its kind in Massachusetts. BSU programs are designed to elevate a team’s preparedness for real-world cyber threats through the innovative Immersive Labs platform.
Key Training Offerings:
- Cyber Team Simulations: Engage in realistic scenarios inspired by actual cyber incidents. These simulations allow teams to practice their response strategies in a safe, controlled environment, enhancing readiness against potential threats.
- Tabletop/Crisis Simulations: Prepare for critical situations with our comprehensive tabletop exercises. These simulations facilitate strategic discussions and decision-making, replicating the high-pressure environment of a real cyber crisis.
- Incident Response Plan Testing and Development: Evaluate and refine your incident response plans. Our tailored sessions help identify vulnerabilities in your existing plans and develop robust strategies to enhance your defensive posture.
Springfield Technical Community College Cybersecurity Center of Excellence: The CCE’s flagship training facility, The Range, offers an immersive learning experience powered by their partner, Immersive. Here, learners can engage with realistic scenarios, hone their skills using advanced security tools and debrief their experiences to continually improve their performance.
Salem State University Cyber Range: The Salem State University Cyber Range is a cutting-edge cybersecurity training lab, offering a wide range of real-world simulations and practical lab environments to prepare users with the knowledge and skills they need to prevent and respond to a variety of cyberattacks. The range subjects users to a variety of realistic training programs and cyberattack-like exercises - for example, simulations of system-wide ransomware attacks.