Cybersecurity awareness activities occur, at least in an ad hoc manner
Context and Guidance: Conduct activities to improve personnel’s understanding of cyber risks, cybersecurity-related laws and regulations to which the organisation is subject, and cybersecurity policies, procedures, and requirements. Topics can be general, for all personnel (such as event reporting), or specifically for certain roles (such as social engineering risks that affect financial services staff). All cybersecurity employees should be aware of the cybersecurity program strategy (PROGRAM-1a), so briefings about it should be included in awareness activities. Some awareness communications may be necessary with business partners, such as how PII is handled and how compliance with standards is achieved. Cybersecurity awareness activities might include cybersecurity-focused emails from acknowledged experts, quarterly refreshers, lunch and learn sessions, posters, and a dedicated intranet site where news about current cybersecurity events and relevant articles, memos, alerts, etc. are posted. These are examples of cybersecurity awareness topics: email phishing and other social engineering tactics; recognising indicators of insider threats; event and incident identification; classification and handling of data; acceptable use policies; identity management, including cloud accounts; account authorities; remote connectivity; and mobile device security.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-2a, WORKFORCE-2b, WORKFORCE-2c, WORKFORCE-2d, WORKFORCE-2e, WORKFORCE-2f, WORKFORCE-2g.