Many organizations now want to demonstrate compliance with Center for Internet Security (CIS) and SOC2 information security recommendations and requirements. Being able to prove that compliance is a real advantage with prospective customers and partners in the current business environment. In this blog I outline how this guidance applies to information security awareness and training programs.
Control 14 of the Center for Internet Security Critical Security Controls (CIS CSC) v8 covers security awareness and skills training. Safeguard 14.1 requires the organization to establish and maintain a security awareness program that educates the workforce on how to interact with enterprise assets and data in a secure manner. Training must be delivered to all personnel at hire and at least annually thereafter. The program content must also be reviewed and updated at least annually, or sooner when significant enterprise changes occur that could affect it.
Safeguard 14.1 also satisfies portions of the SOC2 common criteria CC1.4 and CC2.2 (the trust services criteria built on the COSO principles). CC1.4 requires the organization to demonstrate a commitment to attract, develop and retain competent individuals in alignment with its objectives; one of its points of focus specifically calls for training programs, including continuing education, that ensure the skill sets and technical competencies of personnel are maintained. CC2.2 requires the organization to internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Safeguard 14.1 addresses that requirement directly and also meets the CC2.2 point of focus that the organization communicate information to improve security knowledge and awareness and model appropriate security behaviors to personnel through a security awareness training program.
Safeguards 14.2 through 14.8 each name a specific topic the workforce must be trained in:
- 14.2: Training personnel to recognize social engineering attacks. This training is particularly important in the current threat environment, since many successful intrusions begin with, and are enabled by, some form of social engineering (phishing, pretexting, tailgating and the like).
- 14.3: Training personnel on authentication best practices such as multi-factor authentication (MFA), password composition and credential management.
- 14.4: Training personnel on data handling best practices. This covers not only how to properly store, transfer, archive and destroy data, but also workplace security practices such as clear desk/clear screen, work area security and printer security.
- 14.5: Training personnel on the causes of unintentional data exposure, such as mis-delivering sensitive data, losing or failing to secure portable end-user devices, or publishing data to unintended audiences.
- 14.6: Training personnel to recognize potential security incidents and to report them through the proper channel.
- 14.7: Training personnel on how to identify whether their enterprise assets are missing security updates and how to report it.
- 14.8: Training personnel on the dangers of connecting to, and transmitting enterprise data over, insecure networks. For remote workers this includes training on securely configuring their home network infrastructure.
Safeguard 14.9 requires role-specific security awareness and skills training for personnel whose jobs give them elevated access to, or authority over, enterprise systems, such as system administrators, security personnel, help desk staff and web developers. This safeguard also partly satisfies CC2.2, specifically the point of focus that the organization communicate responsibilities to the personnel who design, develop, implement, operate, maintain or monitor system controls.
An information security awareness and training program that meets at least the criteria above gives your organization a solid, compliant baseline, one that can be extended as new security threats emerge and organizational security requirements change.