Cybersecurity awareness objectives are established and maintained
Context and Guidance: Objectives for cybersecurity awareness activities are based on awareness needs that define the messages that need to be communicated regarding cybersecurity to staff and other internal and external stakeholders. For some topics, awareness needs may be consistent across the function’s entire population; for others, different stakeholders may have different awareness needs. All of these groups should be identified and their awareness needs documented.

Sources of awareness needs include:
• cybersecurity requirements that specify how assets are to be protected and sustained
• organisational policies that attempt to enforce and reinforce acceptable behaviors or implement necessary controls across the enterprise, such as keeping payroll data confidential
• vulnerabilities under watch or that are being actively managed
• laws and regulations to which the organisation is subject because of its industry, geographical location, or type of business
• maintaining security while using specific types of technology that pose increased cyber risk, such as email and mobile devices

Awareness needs are temporal and may change as a result of changes in technology, policy, strategy, and risks being managed. A routine process to maintain and update awareness needs should be put in place.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-2a, WORKFORCE-2b, WORKFORCE-2c, WORKFORCE-2d, WORKFORCE-2e, WORKFORCE-2f, WORKFORCE-2g.