Today, I will be going over Control 17 from version 7 of the top 20 CIS Controls – Implement a Security Awareness and Training Program. I will go through the nine requirements and offer my thoughts on what I’ve found.
Key Takeaways in Control 17
- Less focus on metrics. The previous security awareness control had multiple sections on metrics and improving the overall compliance score. This round of controls is focused more on just establishing a method to deliver continuous training while only highlighting a handful of the most common attack vectors.
- Outsourcing continues to be ideal. Security teams are already under-staffed, underfunded, and overworked. Establishing an awareness training program from scratch will be a time-consuming process that may be better suited for a third-party to develop and deliver.
Requirement Listing in Control 17
1. Perform a Skills Gap Analysis
Description: Perform a skills gap analysis to understand the skills and behaviors to which workforce members are not adhering, using this information to build a baseline education roadmap.
Notes: Performing a true skills gap analysis across the organization is going to be a time-consuming process. If you are just starting out on your journey of security awareness training for the organization, it may be best to look for a third party for help.
2. Deliver Training to Fill the Skills Gap
Description: Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
Notes: Delivering the training is just closing the loop from the first section. Delivering the training can be either in-person presentations or automated videos delivered through the web. The size and complexity of your organization will most likely determine which route you will want to go.
3. Implement a Security Awareness Program
Description: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
Notes: There are a couple of bullet points to break down with this section. The first is that the training should be delivered on a regular basis. Security awareness, as well as information security as a whole, is not a one-time solution. Second is that employees need to exhibit the behavior and skills based on the training they receive. Showing employees 20 bullet pointed slides on the definitions of phishing isn’t going to cut it. You need to make it fun and engaging then test them on what they learned after they have consumed the information.
4. Update Awareness Content Frequently
Description: Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Notes: The tactics, techniques, and procedures attackers use are changing constantly. The training should reflect new attacks which are gaining popularity. Circling back to the previous section, employees are going to tune out if they are receiving the same training every quarter. Providing new information will help make concepts stick.
5. Train Workforce on Secure Authentication
Description: Train workforce members on the importance of enabling and utilizing secure authentication.
Notes: Some of the most high-profile attacks we’ve seen over the years could have been prevented with secure authentication, which is covered in Control 16. Strong passwords and multi-factor authentication goes a long way in protecting your network.
6. Train Workforce on Identifying Social Engineering Attacks
Description: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
Notes: As with secure authentication, many attacks against enterprises have a component of social engineering. “The human is the weakest link in the security chain” is evidenced by how successful social engineering can be. This can be the first line of defense in your security organization and should be taken seriously.
7. Train Workforce on Sensitive Data Handling
Description: Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.
Notes: Data is what attackers are most commonly after. As defenders, we take extra precautions to make sure that data is stored and transmitted in a secure manner. Having an employee copying sensitive data to an insecure location can undo the millions you’ve invested in security.
8. Train Workforce on Causes of Unintentional Data Exposure
Description: Train workforce members to be aware of causes for unintentional data exposures such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Notes: Insider threats can be caused by those with the best intentions. In some cases, a data loss prevention or mobile device management tool can prevent data exposure. However, there are going to be instances where a tool cannot detect something like a user putting in the wrong email in a web form. Training is going to be part of the two-pronged approach with data loss prevention to keep private data private.
9. Train Workforce Members on Identifying and Reporting Incidents
Description: Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.
Notes: As is discussed in Control 19, the security team may not be able to identify every incident. In today’s world, it’s better to teach end users to be overly cautious and to over-report rather than under-report security incidents.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets
You can also learn more about the CIS controls here.