CIS Control 14 Explained: Security Awareness and Skills Training
CIS Control 14 covers security awareness and skills training: establish and maintain a security awareness program that influences workforce behavior so that people are security conscious and properly skilled, reducing cybersecurity risk to the enterprise.
The Importance of Control 14
Human actions play a critical role in the success or failure of an enterprise’s security program. It’s often easier for attackers to deceive users into clicking malicious links or email attachments than to exploit network vulnerabilities directly. Users can inadvertently or intentionally cause security incidents by mishandling sensitive data, sending confidential information to the wrong recipients, losing portable devices, using weak passwords or reusing passwords from public sites.
Implementation Groups (IGs)
To implement the CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), self-assessed categories that an organization chooses based on its size, resources and risk profile. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher group includes every safeguard of the groups below it: any IG1 safeguard must also be implemented by organizations at the IG2 and IG3 levels.
The Safeguards of Control 14
There are nine safeguards in CIS Control 14. They are listed and described below, along with the NIST CSF function each maps to and the implementation group in which it first applies.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 14.1 | Establish and Maintain a Security Awareness Program | Govern | IG1 |
| Safeguard 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Protect | IG1 |
| Safeguard 14.3 | Train Workforce Members on Authentication Best Practices | Protect | IG1 |
| Safeguard 14.4 | Train Workforce on Data Handling Best Practices | Protect | IG1 |
| Safeguard 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Protect | IG1 |
| Safeguard 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Detect | IG2 |
| Safeguard 14.7 | Train Workforce on How to Identify and Report Missing Security Updates | Protect | IG1 |
| Safeguard 14.8 | Train Workforce on the Dangers of Connecting to Insecure Networks | Protect | IG1 |
| Safeguard 14.9 | Conduct Role-Specific Security Awareness and Skills Training | Protect | IG2 |