CIS Control 14: Security Awareness and Skill Training

Users who do not have the appropriate security awareness training are considered a weak link in the security of an enterprise. These untrained users are easier to exploit than finding a flaw or vulnerability in the equipment that an enterprise uses to secure its network. Attackers could convince unsuspecting users to unintentionally provide access to the enterprise network or expose sensitive information. Proper training should be provided to users in order to decrease the risk of a security incident.

Key Takeaways for Control 14

An enterprise should provide users with frequent security awareness training to increase its overall security posture. The information provided by the security awareness training should be relevant and provide insights into recent security incidents. Training should also reiterate the necessity of using strong passwords, spotting and reporting phishing attacks, as well as properly handling personal information.

Security awareness training should include frequent phishing tests. Phishing tests allow users to learn from their mistakes and utilize their training to spot actual phishing attacks. These phishing tests should be specially crafted for different departments within an enterprise. Specially crafted phishing tests are harder to detect and demonstrate the value of security awareness training.

Safeguards for Control 14

14.1) Establish and Maintain a Security Awareness Program

Description: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Govern. Success with this control means that every user will have access to regular training to ensure they interact with data in a secure manner. Regular training will help reduce potential security incidents.

14.2) Train Workforce Members to Recognize Social Engineering Attacks

Description: Train workforce members to recognize social engineering attacks such as phishing, pre-texting, and tailgating.

Notes: The security function associated with this safeguard is Protect. Success with this control will provide an enterprise with trained users who can spot social engineering attacks.

14.3) Train Workforce Members on Authentication Best Practices

Description: Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

Notes: The security function associated with this safeguard is Protect. Success with this control will provide an enterprise with users that utilize strong passwords and proper credential management.

14.4) Train Workforce on Data Handling Best Practices

Description: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, as well as storing data and assets securely.

Notes: The security function associated with this safeguard is Protect. Success with this control ensures the proper handling of sensitive data. Sensitive data should be secured and not accessible to unauthorized users.

14.5) Train Workforce Members on Causes of Unintentional Data Exposure

Description: Train workforce members to be aware of causes for unintentional data exposure. Example topics include misdelivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

Notes: The security function associated with this safeguard is Protect. Success with this control provides users with knowledge about the causes of unintentional data exposure. Training reinforces knowledge and keeps users alert for potential issues.

14.6) Train Workforce Members on Recognizing and Reporting Security Incidents

Description: Train workforce members to be able to recognize a potential incident and be able to report such an incident.

Notes: The security function associated with this safeguard is Protect. Success with this control provides users with the training to recognize security incidents. This allows for timely reporting of security incidents.

14.7) Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Description: Train the workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

Notes: The security function associated with this safeguard is Protect. Success with this control means that users are always using patched systems. Any out-of-date systems will be reported to IT personnel to fix.

14.8) Train the Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Description: Train workforce members on the dangers of connecting to and transmitting data over insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

Notes: The security function associated with this safeguard is Protect. Success with this control will ensure users understand the dangers of an insecure network. Successful training provides users with the necessary information to secure their home network.

14.9) Conduct Role-Specific Security Awareness and Skills Training

Description: Conduct role-specific security awareness and skills training. Examples of implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

Notes: The security function associated with this safeguard is Protect. Success with this control provides users with the necessary security awareness training for their roles. OWASP Top 10 provides users who do web development with the knowledge of the common vulnerabilities with web applications.

See how simple and effective security controls can create a framework that helps you protect your enterprise and data from known cyber-attack vectors by downloading this guide here.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery