Security Awareness Skills Training Policy Template for CIS Control 14

The actions of employees, contractors, and other users play a critical part in the success or failure of an enterprise’s security program. It is sometimes easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise than to find a network exploit to do it directly. Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites. No security program can effectively address cyber risk without a means to address this fundamental human vulnerability.

This policy template is meant to supplement the CIS Controls v8. The policy statements included within this document can be used by all CIS Implementation Groups (IGs) but are specifically geared toward Safeguards in Implementation Group 1 (IG1).