I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
This control includes nine (9) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are six (6) IG1 controls and nine (9) IG2 controls. This means that, at a minimum, we want to:
- Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
- Train workforce members on the importance of enabling and utilizing secure authentication.
- Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
- Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
- Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
- Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
This control aims to ensure the employee base is adequately informed and empowered to support the technical security controls you’ve been implementing through the last 16 CSCs. This is best accomplished with a formal consistently implemented training program. The training should cover highlights of the relevant security controls, as well as how the employee is expected to act in relation to those controls. Security controls should be designed in such a way to provide as little friction for the end users as possible, and this training provides another chance to educate on the proper use of the technologies.
If nothing else, the training program should focus on teaching employees when and how to report a suspected event, incident, phishing email, etc. to the appropriate team. Through this whole process we’re working to build out multiple layers of technical controls, and eliminate any single points of failure. This means that there should be several points in an attack chain for someone to notice, and raise their hand in question.
In the end – the security department still owns the responsibility for security. Developing a training program does not mean the ownership of security is now pushed out to every other employee. Yes, the accounts payable team should understand how to identify and handle a phishing email, but the ultimate responsibility lies with security.
Relevant News Stories
|Commercial||Open-Source & “Freemium“|
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #17 page here.