NIST CSF Series #8: Protect – Awareness and Training

Protect - Awareness and Training

Function:   Protect  (PR)
Category:  Awareness and Training  (AT)

“The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.”


PR.AT-1:  All users are informed and trained

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access.  The content may include a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents.

Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories, logon screen messages, conducting awareness events, and/or using a third-party program with videos and tests for users.  Practical exercises may include social engineering tests, simulations of the adverse impact of opening email attachments, or simulated spear phishing campaigns.

Audit Considerations

Auditors may examine the acceptable use policy and/or training materials to ensure the content is adequate.  Documentation and/or training reports showing that users are trained in accordance with policy may also be requested.

Applicable CIS Critical Controls:

CIS Control 17 –  Security Skills Assessment and Appropriate Training to Fill Gaps

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an organization.  Empowering employees with good cyber defense habits can significantly increase readiness.

This CIS Control contains multiple sub-controls covering both security team skills and awareness training.  Specific to this Framework category, sub-controls 17.3 and 17.4 of CIS Control 17 apply.  These cover implementing a security awareness program and validating and improving that program through periodic tests and assessments.


PR.AT-2:  Privileged users understand roles & responsibilities

Security awareness training should have content appropriate to the assigned roles and responsibilities of individuals.  In particular, enterprise architects, system developers, software developers, procurement officials, system administrators, and other specific roles may have awareness training needs that go beyond basic user awareness training.  Privileged users should be identified and provided additional training based on their responsibilities.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures.

Audit Considerations

Auditors may ask for a written process that shows how the organization identifies privileged users, whether those users’ roles are defined, and whether they receive training based on their responsibilities.  Auditors may also request training material and/or user agreements that demonstrate those with elevated privileges are taught, and understand, the security roles and responsibilities associated with elevated privileges.

Applicable CIS Critical Controls:

CIS Control 17 –  Security Skills Assessment and Appropriate Training to Fill Gaps

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an organization.  Empowering employees with good cyber defense habits can significantly increase readiness.

This CIS Control contains multiple sub-controls covering both security team skills and awareness training.  Specific to this Framework category, sub-controls 17.3 and 17.4 of CIS Control 17 apply.  These cover implementing a security awareness program and validating and improving that program through periodic tests and assessments.

PR.AT-3:  Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities.

Third-party providers include, for example, contractors and service providers that provide system development, technology services, outsourced applications, and network and security management.  Policies and procedures should govern credential management, privileges, and on-boarding/off-boarding of third-party providers.  Third-party providers should acknowledge their responsibility to protect the confidentiality and integrity of any data they may have access to.

External information system services are implemented outside of the organization’s boundaries.  Service providers that process, store, or transmit NSHE information should meet the same security requirements for handling information as NSHE institutions and units.  The responsibility for managing risks from the use of external information system services remains with the authorizing officials of the institution or unit.

Audit Considerations

Auditors may review third-party contracts and agreements to ensure that security roles and responsibilities are clearly defined.  The vendor management program should ensure third parties are complying with the cybersecurity responsibilities defined in contracts and agreements, so an auditor may want to review evidence that NSHE Institutions and Units are verifying this compliance.

Applicable CIS Critical Controls:

CIS Control 5 – Controlled Use of Administrative Privileges

At times, third-party providers are given administrative privileges to carry out the functions and responsibilities assigned to them.  An organization should monitor privileged functions for anomalous behavior just as it would for internal users.  Third-party providers should use non-administrative accounts by default and escalate to a privileged account only when a task requires it.

CIS Control 16 –  Account Monitoring and Control

Accounts provided to third-party providers may follow the same or stricter account policies as those required for internal users.  Monitoring account usage, especially that of third-party providers, is necessary to detect abuse, or a compromise of the external provider that is then leveraged to attack internal systems.

CIS Control 17 –  Security Skills Assessment and Appropriate Training to Fill Gaps

It is important that third-party providers who will be accessing, developing, or managing NSHE systems understand their roles and responsibilities.  Requiring proof that they engage in regular security awareness training may be a viable way of assuring consistency with the policies and procedures governing access to and use of NSHE/Institution data.

PR.AT-4:  Senior executives understand roles & responsibilities

As with all other roles and responsibilities, senior-level executives often have authorization responsibilities when it comes to the security program.  They, too, should be engaged in information security awareness programs, especially as it relates to their own data access.

Audit Considerations

Just as with other roles and responsibilities, auditors may look for specific identification of senior executives and training tailored to the senior executive role.

Applicable CIS Critical Controls:

CIS Control 17 –  Security Skills Assessment and Appropriate Training to Fill Gaps

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an organization.  This includes the engagement of senior executives and identifying their role and responsibility in an overall information security program.  Empowering employees with good cyber defense habits can significantly increase readiness and often needs executive level sponsorship.


PR.AT-5:  Physical and information security personnel understand roles & responsibilities.

This continues the approach of identifying roles and responsibilities, here for physical and information security personnel.  In addition to policies and procedures that identify the specific responsibilities of these roles, training for information security personnel must be planned for and executed.  Identifying skills gaps and providing training for security teams is an essential part of a security program.

Audit Considerations

Auditors will look for policies and procedures that identify the responsibilities of information security personnel, as well as who is responsible for the physical security of information systems if that is a different group.  Additionally, auditors may ask whether a program is in place to identify skill gaps and provide training that meets the security training requirements associated with critical roles.

Applicable CIS Critical Controls:

CIS Control 17 –  Security Skills Assessment and Appropriate Training to Fill Gaps

This CIS Control contains multiple sub-controls covering both security team skills and awareness training.  In addition to security awareness training, the ability to assess gaps in security skill sets should be addressed.