CIS Controls v8.1 Security Awareness Skills Training Policy Template

Published on October 17, 2025

The Center for Internet Security® (CIS®) recommends several policies that an enterprise should have in place. This Security Awareness Training Policy is meant as a foundational guide for enterprises that need help drafting their own policy. Enterprises are encouraged to use this policy template in whole or in part. With that said, there are multiple decision points and areas that must be tailored to an enterprise’s specific needs, such as the best way to deliver training and educate your users, and which specific topics to cover. In CIS Controls v8.1, Control 14 states:

Control 14 – Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

To support this Safeguard, it is important for an enterprise to develop a robust security awareness training program. An effective security awareness training program should not just be a canned, once-a-year training video coupled with regular phishing testing. While annual training is needed, there should also be more frequent, topical messages and notifications about security. These might include messages about strong password use that coincide with a media report of a password dump, the rise of phishing during tax season, or increased awareness of malicious package-delivery emails during the holidays. This document supports the development of a process for managing enterprise assets and the implementation of the Safeguards in this CIS Control.


As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.