How to build security awareness & training to NIST standards
Most security and IT professionals understand the importance of workforce security awareness and training for organizational cybersecurity. This is an important first step, but it still leaves many wondering exactly how to run a training program, the best ways to educate employees and even the most important cybersecurity topics to cover.
Leaning on an established framework to build and mature your security awareness and training program can help. That’s where NIST comes in.
In this post, we’ll examine NIST’s cybersecurity training resources and guidelines and explore how you can use Infosec IQ to not only follow NIST recommendations, but also prepare your workforce for the cybersecurity threats they face.
What is NIST?
The National Institute of Standards and Technology (NIST) is an agency within the United States Department of Commerce. NIST serves as the U.S. national laboratory, promoting innovation and industrial competitiveness in numerous industries by setting measurement standards, performing research and building organizational frameworks — including frameworks to help organizations structure and mature their security awareness and training programs.
NIST cybersecurity training guidelines
NIST maintains a series of publications dedicated to cybersecurity training and employee awareness.
NIST Framework for Improving Critical Infrastructure Cybersecurity
The NIST cybersecurity framework is a voluntary set of standards, guidelines and best practices to help organizations manage cybersecurity-related risk.
Protecting your organization with security awareness and training
NIST highlights security awareness and training as a core component of the Protect function of the cybersecurity framework.
“The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.”
NIST recommends awareness and training for an organization’s entire workforce and partners as a necessary defense against cyber attacks.
NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
In Special Publication 800-50, NIST provides two clear objectives for security awareness and training.
“Material should be developed with the following in mind:
What behavior do we want to reinforce? (awareness); and
What skill or skills do we want the audience to learn and apply? (training).”
NIST recommends training that includes educational, awareness-based content as well as skill development to help employees understand the threats they face and take the right action to prevent security incidents.
Security awareness and training topics
NIST Special Publication 800-50 recommends security awareness and training covering the following nine topics:
- Password security
- Safe web browsing
- Social engineering
- Mobile security
- Physical security
- Removable media
- Working remotely
Although each of the core cybersecurity topics can be broken down into detailed sub-topics, this list serves as a foundational training recommendation for all employees.
Reporting and monitoring compliance
NIST Special Publication 800-50 also provides guidance on reporting and monitoring compliance:
“Once the program has been implemented, processes must be put in place to monitor compliance and
effectiveness. An automated tracking system should be designed to capture key information regarding
program activity (e.g., courses, dates, audience, costs, sources).”
With the right tracking and reporting tools, program managers can identify gaps in training and continuously update and improve their training curriculum.
NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations
NIST Special Publication 800-53 provides a catalog of security and privacy controls, recommendations for cybersecurity training and guidance on role-based training.
Industry and role-based training
In Special Publication 800-53, NIST provides guidance on tailoring training based on employee roles and duties.
“Comprehensive role-based training addresses management, operational, and technical roles and
responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such
training can include, for example, policies, procedures, tools, methods, and artifacts for the security and
privacy roles defined.”
NIST also recommends training to address unique regulations, standards and risks associated with each organization’s industry. NIST encourages security awareness managers to take their awareness and training program a step beyond general workforce training by educating each employee on the cybersecurity threats they are most likely to face.
Click here to learn more about building your security awareness and training program.