Hey, everyone, welcome back to the core. So in the last video, we wrapped up our discussion on control 16 which is account monitoring and control.
In this video, we're gonna talk about control 17 which is around implementing a security awareness and training program. So implementing a security awareness training program is very critical for an organization we all understand. Or at least we should understand that humans are the weakest element. So we need to allow people at various levels of the organization
to understand how security really affects them and their day to day.
So let's talk about the various sub control. So some control 17 1 is really just starting out with a skills gap analysis, right? Similar tool. If you were assessing yourself for assessing a employees, you're gonna you're gonna look at their skills gap analysis and say Okay, well, what are we missing? Right. We're gonna perform of gap analysis. What's missing here? What are they missing? What needs to be improved?
So the same thing here with a security awareness program, right?
We perform a gap analysis, we say, Okay, we're missing these things, or we noticed that users are clicking a lot of phishing emails. So we know that whatever training we're doing on phishing emails is not effective because everyone still clicking these links. So let's perform the skills gap analysis and identify
what's going on, and then we can work towards actually resolving the issues
Some control. 17 to deliver training to fill the skills gap. Right? So once we've identified whatever the gaps are, we want to make sure we go ahead and fill those with the proper training.
And the whole goal here is to have a positive impact on the employee's behavior. Right. So we want them to have a positive security behavior moving forward.
So control 17 3 implement thes security awareness program. Right. So once you've identified it, you doing developed training that will solve or at least address the skills, the skills gap.
Then you want to create an awareness program for all of the work force members.
Now, one thing to keep in mind is that this needs to be a regular basis, right? Don't just have ah video on security awareness and call that your program and do a one time. You need an actual continuous process in place because you need to evaluate. Is it actually effective? Right.
Sub control 17 4 update the awareness content frequently. So going back to continuously doing it in monitoring it. Once you identify that, yes, certain things are working. And hey, these things need to be improved over here. Go ahead and improve those things. Right. Update those
some control. 17 5 trained workforce on secure authentication. So again, talking about why the employees would want to use secure authentication, why would they want to use things like to factor a multi factor authentication and just showing them how it actually relates to their business? Uh, excuse into their what they're actually doing in the business.
Sub control 17 6 trained workforce on identifying various social engineering attacks. So obviously phishing emails is one, but also just having them be naturally suspicious of people.
So that way, if a quote unquote delivery driver shows up and try to get entry into the building, they can question appropriately and say, Wait a minute here. You don't even look like ups. Right?
Sub control 17 7 to speak. Assure we train the workforce on the handling of sensitive data, right? So once we identify the sense in today that just teach people
what sensitive data they're accessing, and then how they should be handling that
some control. 17 8 Training that workforce on
generalized causes of unintentional data exposure. So just so, they're aware of what actions they might take that could lead to data exposure
and finally, some control. 17 9 trained workforce members on identifying your reporting incidents. So a lot of government organizations say if you see something, say something. So just train your workforce members to do the same thing.
So in this video, we talked about the CIA's control 17 and the next video. We're gonna take a look at how that maps up to the cybersecurity framework.