How to build security awareness & training to NIST standards
Most security and IT professionals understand the importance of workforce security awareness and training for organizational cybersecurity. This is an important first step, but it still leaves many wondering exactly how to run a training program, the best ways to educate employees and even the most important cybersecurity topics to cover.
Leaning on an established framework to build and mature your security awareness and training program can help. That’s where NIST comes in.
In this post, we’ll examine NIST’s cybersecurity training resources and guidelines and explore how you can use Infosec IQ to not only follow NIST recommendations, but also prepare your workforce for the cybersecurity threats they face.
What is NIST?
The National Institute of Standards and Technology (NIST) is an agency within the United States Department of Commerce. NIST serves as the U.S. national laboratory, promoting innovation and industrial competitiveness in numerous industries by setting measurement standards, performing research and building organizational frameworks — including frameworks to help organizations structure and mature their security awareness and training programs.
NIST cybersecurity training guidelines
NIST maintains a series of publications dedicated to cybersecurity training and employee awareness.
NIST Framework for Improving Critical Infrastructure Cybersecurity
The NIST cybersecurity framework is a voluntary set of standards, guidelines and best practices to help organizations manage cybersecurity-related risk.
Protecting your organization with security awareness and training
NIST highlights security awareness and training as a core component of the Protect function of the cybersecurity framework.
“The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.”
NIST recommends awareness and training for an organization’s entire workforce and partners as a necessary defense against cyber attacks.
NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
In Special Publication 800-50, NIST provides two clear objectives for security awareness and training.
“Material should be developed with the following in mind:
What behavior do we want to reinforce? (awareness); and
What skill or skills do we want the audience to learn and apply? (training).”
NIST recommends training that includes educational, awareness-based content as well as skill development to help employees understand the threats they face and take the right action to prevent security incidents.
Security awareness and training topics
NIST Special Publication 800-50 recommends security awareness and training covering the following nine topics:
- Phishing
- Password security
- Safe web browsing
- Social engineering
- Malware
- Mobile security
- Physical security
- Removable media
- Working remotely
Although each of the core cybersecurity topics can be broken down into detailed sub-topics, this list serves as a foundational training recommendation for all employees.
Reporting and monitoring compliance
NIST Special Publication 800-50 also provides guidance on reporting and monitoring compliance:
“Once the program has been implemented, processes must be put in place to monitor compliance and effectiveness. An automated tracking system should be designed to capture key information regarding program activity (e.g., courses, dates, audience, costs, sources).”
With the right tracking and reporting tools, program managers can identify gaps in training and continuously update and improve their training curriculum.
NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations
NIST Special Publication 800-53 provides a catalog of security and privacy controls, recommendations for cybersecurity training and guidance on role-based training.
Industry and role-based training
In Special Publication 800-53, NIST provides guidance on tailoring training based on employee roles and duties.
“Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include, for example, policies, procedures, tools, methods, and artifacts for the security and privacy roles defined.”
NIST also recommends training to address unique regulations, standards and risks associated with each organization’s industry. NIST encourages security awareness managers to take their awareness and training program a step beyond general workforce training by educating each employee on the cybersecurity threats they are most likely to face.
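The two pieces of guidance above, an automated tracking system that records courses, dates, audience, cost and source, and role-based requirements layered on top of the general workforce topics, fit together naturally in a small coverage report. The script below is an added illustration written for this post; it is not Infosec IQ or NIST code. The roster, the role-specific topics, the cost figures and the completion records are all constructed for the example, and the one-year refresher cadence is an assumption, not a figure from SP 800-50.

```python
"""Training coverage report built from a tracking log.

Added illustration (not Infosec IQ or NIST code) of the SP 800-50 idea of
an automated tracking system that records courses, dates, audience, cost and
source, plus the SP 800-53 idea of role-based requirements. All names, roles,
role topics and records below are constructed for the example.
"""
from collections import defaultdict
from datetime import date

# The nine awareness topics listed in the post; required for everyone.
CORE_TOPICS = [
    "Phishing", "Password security", "Safe web browsing", "Social engineering",
    "Malware", "Mobile security", "Physical security", "Removable media",
    "Working remotely",
]

# Hypothetical role-specific additions (an assumption for the example, not a
# list taken from SP 800-53).
ROLE_TOPICS = {
    "finance": ["Invoice and payment fraud"],
    "developer": ["Secure coding", "Secrets handling"],
    "admin": ["Privileged access"],
}

# Constructed roster: employee -> role.
ROSTER = {"alice": "finance", "bob": "developer", "carol": "admin"}

# Constructed tracking records; the fields mirror the SP 800-50 quote
# (course, date, audience, cost, source). Dates are ISO strings.
RECORDS = [
    {"employee": "alice", "course": "Phishing",          "completed": "2024-01-10", "cost": 25.0, "source": "vendor"},
    {"employee": "alice", "course": "Password security", "completed": "2023-03-01", "cost": 0.0,  "source": "internal"},
    {"employee": "bob",   "course": "Phishing",          "completed": "2024-02-15", "cost": 25.0, "source": "vendor"},
    {"employee": "bob",   "course": "Secure coding",     "completed": "2024-04-02", "cost": 80.0, "source": "vendor"},
    {"employee": "carol", "course": "Phishing",          "completed": "2022-12-01", "cost": 25.0, "source": "vendor"},
    {"employee": "carol", "course": "Physical security", "completed": "2024-05-20", "cost": 0.0,  "source": "internal"},
]

AS_OF = date(2024, 6, 30)     # reporting date for the example run
MAX_AGE_DAYS = 365            # assumed annual refresher cadence


def required_topics(role):
    """Core topics for everyone plus whatever the role adds."""
    return CORE_TOPICS + ROLE_TOPICS.get(role, [])


def latest_completions(records):
    """Map employee -> {course: most recent completion date}."""
    latest = defaultdict(dict)
    for rec in records:
        done = date.fromisoformat(rec["completed"])
        prev = latest[rec["employee"]].get(rec["course"])
        if prev is None or done > prev:
            latest[rec["employee"]][rec["course"]] = done
    return latest


def coverage_gaps(records, roster, as_of, max_age_days=MAX_AGE_DAYS):
    """Return employee -> list of required topics that are missing or stale.

    A completion counts only if it happened within max_age_days of as_of, so
    last year's module does not satisfy this year's requirement.
    """
    latest = latest_completions(records)
    gaps = {}
    for employee, role in roster.items():
        missing = []
        for topic in required_topics(role):
            done = latest[employee].get(topic)
            if done is None or (as_of - done).days > max_age_days:
                missing.append(topic)
        gaps[employee] = missing
    return gaps


def completion_rate(records, roster, as_of, max_age_days=MAX_AGE_DAYS):
    """Per-topic fraction of the employees who require it and are current."""
    gaps = coverage_gaps(records, roster, as_of, max_age_days)
    required = defaultdict(int)
    current = defaultdict(int)
    for employee, role in roster.items():
        for topic in required_topics(role):
            required[topic] += 1
            if topic not in gaps[employee]:
                current[topic] += 1
    return {topic: current[topic] / required[topic] for topic in required}


def spend_by_source(records):
    """Total recorded cost per course source (vendor, internal, ...)."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["source"]] += rec["cost"]
    return dict(totals)


if __name__ == "__main__":
    for employee, missing in coverage_gaps(RECORDS, ROSTER, AS_OF).items():
        print(f"{employee}: {len(missing)} gaps -> {', '.join(missing)}")
    for topic, rate in sorted(completion_rate(RECORDS, ROSTER, AS_OF).items()):
        print(f"{topic:28s} {rate:.0%}")
    print(spend_by_source(RECORDS))
```

The staleness check is the part worth copying: a completion record older than the refresher window is treated as a gap rather than as satisfied, which is what turns a log of past courses into a picture of who is currently covered. Swapping the constructed lists for an export from a learning platform, and the role map for your own role definitions, is the only change needed to run it on real data.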
Comments
jeremy_dfir (Member, Posts: 23):
I have been asked over and over again to recommend how existing processes can become compatible with what NIST documents.
It seems NIST is the golden standard when it comes to various security processes. Very helpful post...
Johnhe0414 (Registered User, Posts: 191):
Great information - thanks for posting
Current: Network+ | Project+ | Working on: PMP
UnixGuy (Mod, Posts: 4,570):
I do a lot of NIST assessments in my job. Security & awareness is a tiny component of NIST, and from experience clients tend to have one or two training modules covering all of the following:
- Phishing
- Password security
- Safe web browsing
- Social engineering
- Malware
- Mobile security
- Physical security
- Removable media
- Working remotely
Ideally, an "Information Security" training covering everything, and a separate phishing training module. Sometimes a privacy training module...
jeremy_dfir (Member, Posts: 23):
Off topic, but PCI-DSS penetration test guidelines also focus on Social Engineering, Phishing....