CIS Control 17: Implement a Security Awareness and Training Program
====================================================================

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

**Why is this CIS Control Critical?**

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root-cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).

Attackers are very conscious of these issues and use them to plan their attacks, for example by: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window between a patch being released and applied, or between a log event being recorded and reviewed; and using nominally non-security-critical systems as jump points or bots.

No cyber defense approach can effectively address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.

.. toctree::
   :maxdepth: 1
   :name: toc-control-17

   17.1: Perform a Skills Gap Analysis
   17.2: Deliver Training to Fill the Skills Gap
   17.3: Implement a Security Awareness Program
   17.4: Update Awareness Content Frequently
   17.5: Train Workforce on Secure Authentication
   17.6: Train Workforce on Identifying Social Engineering Attacks
   17.7: Train Workforce on Sensitive Data Handling
   17.8: Train Workforce on Causes of Unintentional Data Exposure
   17.9: Train Workforce Members on Identifying and Reporting Incidents

.. history
.. authors
.. license