Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
Explanation
Consequences for policy breaches are the subject: reviewers want assurance that the penalties for violating cybersecurity policies are clearly communicated to employees and stakeholders.
Employees and stakeholders should understand both personal consequences (e.g., disciplinary actions, termination) and organizational impacts (e.g., data breaches, financial losses, reputational damage, regulatory penalties) of non-compliance with security policies.
Evidence could include a documented disciplinary policy specific to cybersecurity violations, acknowledgment forms signed by employees, training materials that outline consequences, or communications that reinforce the importance of compliance and the potential impacts of violations.
Implementation Example
Explain the consequences of cybersecurity policy violations, both to individual users and the organization as a whole
ID: PR.AT-01.216
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
- Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?

