The actions of people play a critical part in the success or failure of an enterprise's security program. It is easier for an attacker to entice a user to click a link or open an email attachment that installs malware in order to get into an enterprise than to find a network exploit to do it directly.
Users themselves, both intentionally and unintentionally, can cause incidents by mishandling sensitive data, such as sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or reusing the same password they use on public sites.
No security program can effectively address cyber risk without a means to address this fundamental human vulnerability. Users at every level of the enterprise have different risks. For example, executives manage more sensitive data; system administrators have the ability to control access to systems and applications; and users in finance, human resources and contracts all have access to different types of sensitive data that can make them targets.
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Applicable Controls
CIS Control | CIS Safeguard | Asset Type | Security Function | Title | Description |
---|---|---|---|---|---|
14 | 14.1 | N/A | Protect | Establish and Maintain a Security Awareness Program | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. |
14 | 14.2 | N/A | Protect | Train Workforce Members to Recognize Social Engineering Attacks | Train workforce members to recognize social engineering attacks, such as phishing, pretexting and tailgating. |
14 | 14.3 | N/A | Protect | Train Workforce Members on Authentication Best Practices | Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. |
14 | 14.4 | N/A | Protect | Train Workforce on Data Handling Best Practices | Train workforce members on how to identify and properly store, transfer, archive and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. |
14 | 14.5 | N/A | Protect | Train Workforce Members on Causes of Unintentional Data Exposure | Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device or publishing data to unintended audiences. |
14 | 14.6 | N/A | Protect | Train Workforce Members on Recognizing and Reporting Security Incidents | Train workforce members to be able to recognize a potential incident and be able to report such an incident. |
14 | 14.7 | N/A | Protect | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. |
14 | 14.8 | N/A | Protect | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. |
Policy Templates for Security Controls
Acceptable Use Policy Template for the CIS Controls
This template can assist an enterprise in developing acceptable use for the CIS Controls.
Security Awareness Skills Training Policy Template for CIS Control 14
This template can assist an enterprise in developing a security awareness skills training policy.
Public and Non-profit Tools
Public and non-profit tools that may support small businesses and municipalities with inventory discovery:
Celerium CMMC Academy: Celerium has provided free resources to help defense contractors understand and prepare for the CMMC maturity levels and their respective practices, including an online reference guide, on-demand videos, and free self-assessment tools. Membership is free.
CISA Learn: CISA Learning, the Cybersecurity and Infrastructure Security Agency (CISA) learning management system, provides cybersecurity and infrastructure security training free of charge to our partners from federal, state, local, tribal, and territorial levels of government, the private sector, our veterans and the general public.