The CIS 20 Security Controls require organizations to implement a security awareness training program as part of Control 17. Curricula’s fun security awareness training platform helps your organization get compliant with CIS 20 and stay secure.
CIS Top 20 Security Controls are a framework designed to help protect organizations implement the most essential components of a basic cyber security program. Security awareness training has been recognized as one of the most basic controls to protect organizations of all sizes.
These CIS 20 controls change the discussion from “What should my organization do?” to “What should we ALL be doing?” to improve security across every organization.
Security leaders recognize that implementing a security awareness training program isn’t just about being compliant, it’s about keeping employees secure. Curricula’s turnkey security awareness training platform helps organization meet CIS Control 17 by staying compliant and automating employee engagement.
Implementing a security awareness training program is recognized as one of the most effective cyber security investments an organization can make.
CIS Control 17: Implement a Security Awareness Training Program
It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).
Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.
No cyber defense approach can effectively address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.
CIS Control 17: Security Awareness Training Requirements
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
17.1: Perform a Skills Gap Analysis
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2: Deliver Training to Fill the Skills Gap
Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
17.3: Implement a Security Awareness Program
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
17.4: Update Awareness Content Frequently
Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements
17.5: Train Workforce on Secure Authentication
Train workforce members on the importance of enabling and utilizing secure authentication.
17.6: Train Workforce on Identifying Social Engineering Attacks
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7: Train Workforce on Sensitive Data Handling
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8: Train Workforce on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9: Train Workforce Members on Identifying and Reporting Incidents
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Ready to implement a security awareness training program with Curricula to help you meet the CIS 20 Controls? Get started with your free account.