CIS Control 14 and Security Awareness Training
Lots of eyes are on CIS Controls, so let's jump in.
CIS Control 14 (version 8) emphasizes the importance of providing regular and relevant Security Awareness Training to all employees, including new hires and third-party contractors.
Below, we go through this Control step-by-step, so you can determine how well your Security Awareness Training program satisfies the requirements and if there are any gaps to fill.
14.1: Establish and Maintain a Security Awareness Program
This section establishes the need for maintaining a Security Awareness Training program that educates the organization's staff on the proper and secure usage of enterprise assets and data. The program should include relevant training upon hire and should be conducted at least annually, if not more frequently. The program's content should be reviewed and updated annually, or as needed when security risks to the organization change.
14.2: Train Workforce Members to Recognize Social Engineering Attacks
Provide training to employees to identify and respond to social engineering attacks. The breadth of social engineering attacks can be very broad, but the safeguard uses a subset of examples, including phishing, pretexting, and tailgating.
14.3: Train Workforce Members on Authentication Best Practices
Provide instruction to the organization's personnel regarding authentication best practices, including topics such as multi-factor authentication (MFA), password creation standards, and effective credential management.
14.4: Train Workforce on Data Handling Best Practices
Educate employees on the proper identification, handling, storage, transfer, archiving and disposal of sensitive data. This training should also encompass best practices for maintaining clear screens and desks, including locking screens when not in front of your machine, clearing whiteboards (both physical and digital) after meetings, and securely storing any sensitive data and assets.
14.5: Train Workforce Members on Causes of Unintentional Data Exposure
Educate employees on the potential causes of unintentional data exposure, such as the accidental delivery of sensitive information to the wrong recipient, the loss of any portable devices, or the inadvertent publication of data to unintended recipients.
14.6: Train Workforce Members on Recognizing and Reporting Security Incidents
Educate employees to enable them to identify potential security incidents and effectively report such incidents. This includes educating employees on insider threats and its hallmark signs.
14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Educate employees on the procedures for recognizing and reporting outdated software patches or any concerns related to automated processes and organizational tools. This training should also include instructions for notifying IT personnel in the event of any concerns related to patches, processes or tools.
14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Educate employees regarding the risks associated with utilizing insecure networks for organizational activities. Additionally, for remote workers, training must include guidance on configuring their home network infrastructure to ensure secure connectivity.
14.9: Conduct Role-Specific Security Awareness and Skills Training
Provide security awareness and skills training customized to the specific roles and responsibilities of employees. The safeguard provides several examples of such training: "secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles."
All in all, this hits on a broad range of topics. And they've done an excellent job of it!
Ultimately, it ends up being a lot of work to run a Security Awareness Training program for any organization.
This is exactly why INFIMA created a fully automated Awareness Training platform that enables Managed Services Providers to satisfy CIS Control 14 with ease.
In fact, our MSP Partners can get clients up and running in just 3 clicks!
If you're an MSP and want to learn more about our Partner Program, go check out how we work with Partners here. If you like what you see, book a time to chat!
Thank you to the great minds at the Center for Internet Security for their continued work in securing our workplaces and staff. Note that we've used their section titles verbatim and shared our understanding of the requirements.
Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!