For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.