Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
Explanation
Security awareness training is essential for creating a human firewall against common attacks like phishing, vishing, and pretexting. Employees should be trained to identify suspicious emails, messages, or calls, know how to report security incidents, understand acceptable use of company resources, and perform basic security practices such as using strong passwords, enabling multi-factor authentication, and keeping software updated.
Evidence of fulfillment could include training materials, attendance records, completion certificates, training schedules, post-training assessment results, or screenshots of the learning management system showing security awareness modules and completion rates.
Implementation Example
Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)
ID: PR.AT-01.215
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
- Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?

