14: Security Awareness and Skills Training
Control Statement
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
14.1: Establish and Maintain a Security Awareness Program
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
14.2: Train Workforce Members to Recognize Social Engineering Attacks
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
14.3: Train Workforce Members on Authentication Best Practices
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.
14.4: Train Workforce on Data Handling Best Practices
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
14.5: Train Workforce Members on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
14.6: Train Workforce Members on Recognizing and Reporting Security Incidents
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.
14.9: Conduct Role-Specific Security Awareness and Skills Training
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.