CIS Control 17: Implement a Security Awareness and Training Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
17.1: Perform a Skills Gap Analysis
- Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2: Deliver Training to Fill the Skills Gap
- Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
17.3: Implement a Security Awareness Program
- Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
17.4: Update Awareness Content Frequently
- Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5: Train Workforce on Secure Authentication
- Train workforce members on the importance of enabling and utilizing secure authentication.
17.6: Train Workforce on Identifying Social Engineering Attacks
- Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7: Train Workforce on Sensitive Data Handling
- Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8: Train Workforce on Causes of Unintentional Data Exposure
- Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9: Train Workforce Members on Identifying and Reporting Incidents
- Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Figure: System Entity Relationship Diagram

- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises