CIS Control 14 Explained: Security Awareness and Skills Training

CIS Control 14 covers security awareness and skills training: establishing and maintaining a security awareness program that influences workforce behavior so that staff are security conscious and properly skilled, reducing cybersecurity risk to the enterprise.

The Importance of Control 14

Human actions play a critical role in the success or failure of an enterprise’s security program. It’s often easier for attackers to deceive users into clicking malicious links or email attachments than to exploit network vulnerabilities directly. Users can inadvertently or intentionally cause security incidents by mishandling sensitive data, sending confidential information to the wrong recipients, losing portable devices, using weak passwords or reusing passwords from public sites.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), self-assessed categories that organizations select based on their relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher-level group includes all the safeguards of the groups below it.

For example, any IG1 safeguard must also be implemented at the IG2 and IG3 levels.

The Safeguards of Control 14

There are nine safeguards in CIS Control 14. They are listed and described below, along with their associated NIST CSF Function and the Implementation Group at which each one begins.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 14.1 | Establish and Maintain a Security Awareness Program | Govern | IG1 |
| Safeguard 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Protect | IG1 |
| Safeguard 14.3 | Train Workforce Members on Authentication Best Practices | Protect | IG1 |
| Safeguard 14.4 | Train Workforce on Data Handling Best Practices | Protect | IG1 |
| Safeguard 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Protect | IG1 |
| Safeguard 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Detect | IG2 |
| Safeguard 14.7 | Train Workforce on How to Identify and Report Missing Security Updates | Protect | IG1 |
| Safeguard 14.8 | Train Workforce on the Dangers of Connecting to Insecure Networks | Protect | IG1 |
| Safeguard 14.9 | Conduct Role-Specific Security Awareness and Skills Training | Protect | IG2 |